Study: Most Application Developers Don’t Know Security, But Can Learn
NEW YORK, N.Y — AppSec USA 2013 — Most application developers still aren’t security-savvy, but training can make a difference, according to study results outlined here Wednesday.
The study, conducted by professional services firm Denim Group, tested some 600 application developers — most of whom had fewer than three days of security training — on their knowledge of secure coding practices.
Quizzed on 15 questions, less than a third of the respondents (27 percent)accurately answered more than 70% of the test. The average score on the quiz was 59%. Developers with more than seven years of experience fared no better than those with those with fewer than three years’ experience.
“Most of them understood high-level concepts, such as how to recognize a cross-site scripting vulnerability, but when we asked them how to remediate it, most of them couldn’t answer correctly,” said John Dickson, CEO of Denim Group, in a presentation of the study results.
The Denim Group then gave the respondents a secure application development course and tested them again. After training, the average score on the test rose to 74%, and about two-thirds of respondents scored 70% or higher. The students reported that their security-related application vulnerabilities were reduced by 70% after training.
“What this shows is that security training makes a difference,” Dickson said. “If you do training right, you can expect to reduce vulnerabilities.”
The study also pointed out some flaws in the secure development process. For example, while most application development teams rely on quality assurance staff to catch security problems in developing code, QA staff turned in the lowest scores on the initial test, scoring lower than those who described themselves as developers or architects.
“A lot of companies put their least experienced people on the QA team, and they are actually the least knowledgeable in security,” Dickson observed. “But without any training, how are those people supposed to catch the security issues?”
Interestingly, respondents who worked in the largest companies — companies with 10,000 employees or more –scored lowest on the initial test, with a passing rate of just 19%.
“The category that does the most in-house development had the lowest scores,” Dickson said.
Experts at the AppSec 2013 conference said that until developers become more security-savvy, the incidence of vulnerabilities will continue to remain high.
“Security is still not built into the pre-production process,” said Bala Venkat, chief marketing officer at Cenzic, an application security tool vendor. “It’s not built into the application development process, it’s not part of the education process at most universities. Until security training becomes a requirement, we will continue to have problems.”
Although software development tools are rapidly evolving and attacks are becoming more sophisticated, most companies are still wrestling with application vulnerabilities that are years old, noted Chris Eng, vice president of research at Veracode, an application security tool vendor.
“We’re still seeing SQL injection flaws that we’ve been seeing for a decade,” Eng said. “The core vulnerabilities are still the same, and that speaks to the need for better training. You can’t just give a classroom course and forget it. You have to retest and reinforce the concepts, and let your developers see them in practice.”
Most organizations still don’t offer incentives for developers to write secure code, noted Jeremiah Grossman, founder and CTO of application security vendor WhiteHat Security.
“Do software developers get rewarded for writing code without vulnerabilities? No, they are usually rewarded for speed and functionality. But if you hold developers accountable for vulnerabilities and incent them to write more secure code, then it matters to them. Then you begin to see an impact.”
New requirements for training may change the way software developers approach security,” Dickson said. The new Payment Card Industry Data Security Standard 3.0, for example, requires that developers are trained and tested in secure coding practices, he noted.
“As security becomes more important to industries and organizations, I believe we will see a real change in the way developers are trained,” said Cenzic’s Venkat. “It has to be a mandate. I’m positive it will happen.”
Have a comment on this story? Please click “Add a Comment” below. If you’d like to contact Dark Reading’s editors directly, send us a message.