Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Why don't developers have a 'spellchecker' for security'?

Maria Korolov | Nov. 1, 2016
Wouldn't it be nice if software developers had something like spellcheck, but instead of catching simple grammar mistakes, it caught basic security problems?

Despite all the news coverage about successful cyberattacks, developers are still writing code full of security vulnerabilities.

Of course, nobody is perfect. We all make mistakes, and as software projects get more and more complex, it can be easy to mix potential problems.

But that doesn't explain why so much software is full of the most basic errors.

According to a report released this month by Veracode, 61 percent of all internally-developed applications failed a basic test of compliance with the OWASP Top 10 list on their first pass. And commercially developed software did even worse, with a 75 percent failure rate.

These are basic, well-known problems, like SQL injections and cross-site scripting.

Or take hard-coded passwords. Who still does that? According to Veracode, 35 percent of all applications they tested.

Eliminating these basic vulnerabilities would go a long way towards making software more secure. And the earlier on in the process they're caught, the easier they are to fix.

Today's integrated development environments can already catch common syntax errrors, like missing semicolons, said Ron Arden, COO at security vendor Fasoo.

"If there's a function you're using, it shows the parameters," he added. "But it won't tell you if there's a SQL injection or cross-site scripting or something stupid like that."

Wouldn't it be nice if software developers had something like a spellchecker, but instead of catching typos and simple grammar mistakes, it caught basic security problems?

Developers would be able to fix them immediately, and also learn to write more secure code in the process.

The traditional approach is to test software for vulnerabilities after it has been written. But today the testing is moving to earlier in the development process, to when commits are made, or even earlier, while the developer is actually writing the code.

"We really need to be implementing this type of application security in our software development stage," said Doug Cahill, analyst at research firm Enterprise Strategy Group. "There are some organizations that are integrating these types of security best practices into their software methodology, but not enough. One part is just lack of awareness, and one part is the need for automation. If we can hit the easy button, more of us will do it."

According to Veracode, there are some signs that development is moving in that direction.

Although 40 percent of applications only get scanned once, 9 percent of applications get scanned much more frequently, suggesting that those companies are running some kind of continuous testing program, with some applications in developer sandboxes getting tested as much as six times a day.

According to the report, the number of vulnerabilities per applications can improve dramatically with this approach. Flaw density goes down 46 percent when application scanning is added to the development process. When e-learning features are added, there's a six-fold improvement in flaw density reduction.

 

1  2  3  4  Next Page 

Sign up for CIO Asia eNewsletters.