April 20, 2019
Waking up from the secure coding dream
Just 25% of companies are meeting their own expectations for secure code, for the other 75% their aspirations for automated security testing, code reviews, and external code reviews fail to match up to reality. This comes from the research of O’Reilly Media and the Software Improvement Group (SIG) who questioned 430 professionals about their organisations’ secure coding policies and practices.
O’Reilly and SIG’s research also found that: many organisations are failing to follow their security practices; third party secure code reviewing is viewed as key to delivering secure code, and; policies are set for secure coding with a distinct failure to put these into practice.
SIG’s Rob van der Veer points out that companies value new, tangible features over secure code. In the list of deliverables that drive revenue secure code fails to make the grade. Research from BMC/Forbes shows that there is division between security and development teams with each operating in ignorance of the other. Security is viewed as a low priority when there is a rush to release and deliver new features.
Penetration testing or secure code reviews?
Just 4% of the developers surveyed view penetration testing as enough to secure their code. SIG’s view of penetration testing is that there are restrictions such as depending on a software application to be almost ready for release, the limits of the black box approach for understanding the internal functionality, and the time limits for a penetration tester who has to work alongside a company’s need to ship their product. This contrasts with 80% of respondents who thought it was necessary to show their code to third party security experts.
Static analysis tools
Static code analysis tooling was used by 25% of the respondents and SIG’s report provides some interesting insight into obstacles for adoption – one-third view it as too expensive, with others saying there were no tools for their development language, that the tools were too hard to use, had a high false positive rate, or a failure to fit in with Agile development.
Secure coding problems on mobile
A lot of the problems that SIG & O’Reilly’s research touches on are compounded in mobile. Mobile is a new paradigm for software development, driven by high frequency release rates to deliver new UI & UX features to engage app users. For companies that release app updates 2 or more times month there’s no time for a penetration test, instead companies need to address the new problems of secure mobile coding with new tools.
Reality vs practice?
The research also saw that 69% of companies have security policies across their organisation, with 60% issuing guidance for secure coding. It’s clear that the intention to produce secure code is underscored by the reality of security practices at these organisations.
The problem according to the experience of the Software Improvement Group is that managers and boards are failing to prioritise secure coding with the time or money required.
It may be the case that due to the cost of breaches, especially with GDPR on it’s way, companies will wake up to the need for secure coding. Had the TalkTalk breach occurred under GDPR the fines would have been £59m compared to the £400,000 penalty imposed by the ICO. SIG predicts a cultural shift for companies that will be dependent on secure coding costs being linked to measurable KPIs to get the time and budget needed to protect companies from themselves.
Codified Security’s mobile app security testing platform addresses the common objections to static analysis tools – with its low cost, low false positive rate, and easy to use online or as part of CI/CD.