Developers warned to focus on ensuring security of apps

7 Feb 2012

Zinopy CEO John Ryan

‘There’s an app for that’ has a nice ring to it, but developers are being warned to ensure their creations are secure enough to protect people’s data.

John Ryan, CEO of security consulting firm Zinopy, said organisations need to rethink how they approach the issue of developing applications that are as bulletproof as possible.

“A lot of the security focus is around the network – and that’s still important – but on the applications side there’s generally a lack of awareness among developers of a lot of the security issues,” he said. “It’s not uncommon to have a scenario where the software’s launch date is two weeks away before security tests happen.”

Application security is a growing problem, and appears to be getting worse. US firm Veracode analysed 9,910 business applications over 18 months and discovered eight out of 10 failed to meet acceptable levels of security, with standards declining since previous reports were compiled.

Challenges regarding application security

Ryan acknowledged that changing developers’ mindset is the challenge, since they tend to focus on delivering code that’s measured on features and performance. Another hurdle to overcome is the trend for many organisations to outsource app development, especially for mobile platforms.

“Because the mobile platform is pervasive and it’s driven by marketing, it’s developed outside the internal organisation but integrates with back-end data – it could be signing up to a new service or looking up a bill. If it integrates with back-end apps, it potentially opens up security holes,” said Ryan.

“External developers are being paid for functionality and fast delivery and security can often be left behind in those circumstances … at the last minute it’s a case of, ‘give it the once over to make sure it’s secure’. That’s not the way it should be done.”

Veracode’s survey, released in December, found that cross-site scripting (XSS) and SQL injection are two of the most frequently exploited vulnerability classes in software applications; attackers use them to gain access to customer data or intellectual property.

Last year’s headline-making PlayStation Network breach took advantage of a SQL Injection vulnerability, resulting in millions of compromised customer records.
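The two vulnerability classes the survey singles out both come down to untrusted input being interpreted as code. The following is an added illustration, not code from the article or from Veracode or Zinopy: it uses an in-memory SQLite table with constructed sample rows to show a lookup built by string concatenation beside the same lookup with a bound parameter, and a greeting rendered with and without HTML output encoding. Table, column and function names are assumptions chosen for the example.

```python
import html
import sqlite3


def make_db():
    """Build a throwaway in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, name TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, name) VALUES (?, ?)",
        [("alice@example.com", "Alice"), ("bob@example.com", "Bob")],
    )
    return conn


def lookup_vulnerable(conn, email):
    """SQL injection: the caller's input is pasted into the statement text,
    so a quote character in the input changes the query's structure."""
    sql = "SELECT name FROM customers WHERE email = '" + email + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterised(conn, email):
    """Hardened form: the statement is fixed and the input is bound as a value,
    so it can only ever be compared against the email column."""
    sql = "SELECT name FROM customers WHERE email = ?"
    return [row[0] for row in conn.execute(sql, (email,))]


def render_greeting_vulnerable(name):
    """XSS: user-controlled text is written straight into the page,
    so markup in the name is rendered as markup."""
    return "<p>Hello, " + name + "</p>"


def render_greeting_escaped(name):
    """Hardened form: HTML metacharacters are encoded before output,
    so the name is displayed as text regardless of what it contains."""
    return "<p>Hello, " + html.escape(name) + "</p>"


if __name__ == "__main__":
    db = make_db()
    # A quote-terminating input (a classic test string) returns every row from
    # the concatenated query but nothing from the parameterised one.
    probe = "x' OR '1'='1"
    print("concatenated:", lookup_vulnerable(db, probe))
    print("parameterised:", lookup_parameterised(db, probe))
    print(render_greeting_vulnerable("<b>Bob</b>"))
    print(render_greeting_escaped("<b>Bob</b>"))
```

The same pattern applies whatever the database driver or template engine: keep the statement or the page structure fixed in code, and hand untrusted data to an API that treats it purely as data. An automated static check of the kind Ryan describes can flag the concatenation in `lookup_vulnerable` and the raw string build in `render_greeting_vulnerable` long before a launch date.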

Ryan said there is no need for organisations to leave security considerations aside when the likes of Veracode can provide cloud-based static application security testing on an ongoing basis. “Security should become part of the software development life cycle. Because the testing is automatic, it can become part of the process, you can test it as you go along. At the end of every week, it’s shipped up to the cloud services, you check all of the vulnerabilities that have been coded into the app and at that point you address them.”

Gordon Smith was a contributor to Silicon Republic

editorial@siliconrepublic.com