How much do developers really know about writing secure application code? That's a question companies are starting to ask in earnest as the number of desktop, web-based and now mobile applications in their networks continues to skyrocket. What's more, many such apps aren't developed in-house; they're either farmed out to third-party vendors or pushed up the pipeline by company partners. Is there a way to gauge the amount of developer training an IT professional has received over the course of his or her career? More importantly: does it matter?
C Minus Minus
In a recent Dark Reading article, CTO of Aspect Security and Contrast Security Jeff Williams discusses the challenge of educating app developers about specific vulnerabilities. It's a difficult task, partly because of the sheer number of problems that can crop up — the MITRE CWE Project lists more than 1,000 categories of security mistakes, many of which are both obscure and hard to detect. In an effort to assess what his students did and didn't know about secure app coding, Williams and his team created a multiple-choice exam with a 500-question pool vetted by real-world software developers. The results? On average, developers score a failing grade of 60 percent. With training, however, code vulnerabilities drop by 73 percent. As Williams argues, "That result is far superior to anything penetration testing or automated tools could hope to achieve."
Similar programs are starting to emerge across the market: SAFECode has released a number of free secure-code-development training modules, and Cornell University is rolling out an app-development program that aims to help students improve their code by releasing one secure iOS application per semester. But are such types of developer training enough to secure an entire network's worth of apps?
Taking a closer look at Williams' test data, it's easy to see where developers struggle the most. While almost 80 percent correctly answered questions about hardening web servers and protecting credentials within apps, just 32 percent knew how to harden application frameworks and platforms, and less than 25 percent were knowledgeable about threat modeling and security architecture — in other words, their answers were no better than guessing.
So while it's safe to say that increased developer training can help eliminate vulnerabilities in app code, the gap between "totally secure" and "total luck" is simply too wide for training modules to address alone. Coupled with the sheer volume of apps — including those that are developed internally, with open source components, and by third parties — it becomes impossible for human skill, however finely honed, to catch and eliminate every vulnerability. Companies will be better off using a combination of automation and oversight to track down and eliminate flaws. Training in secure app development is ideal whether your firm is creating in-house apps, evaluating vendors' applications before they become company mainstays, integrating automated testing tools and services to scan code or ensuring that apps meet all expectations. But the real value of these tools is most obvious when considering perimeter and lesser-used apps: If programmatic app testing discovers a problem, it's sent to developers for review. Developers with secure app training can then use this data as a starting point to create better, cleaner code.
If your developers don't have training in secure application code, they need it. In concert with advanced testing solutions, training will make it possible to effectively manage the secure development life cycle of any app on which your company (even marginally) relies.
Photo Source: Flickr