(Image Credit: iStockPhoto/weerapatkiatdumrong)
In a world that's growing ever more reliant on apps, the rapid pace at which they're being developed and deployed is causing significant problems with security, according to a new report.
The report, Application Security in the Changing Risk Landscape, was undertaken by the Ponemon Institute and F5 Networks to highlight the security risk to users from apps that were "rushed to release."
In the poll of 605 IT security professionals, most (35%) responded that mobile apps posed a "significant" risk increase to their organisation's security. 25 percent thought mobile apps increased the risk to some extent, and 30 percent indicated no risk increase. Nine percent said that mobile apps reduced the security risk to some extent; whilst just one percent said they "significantly" decreased the risk.
When it comes to cloud-based apps there was some disparity; with the highest percentage in a single category of the IT professionals (36%) responding they posed no risk increase. Most were still concerned, however, with 26 percent and 25 percent responding a significant or minor security risk increase respectively.
"More than half of all survey respondents believe that cloud-based applications increase risk, while 63% of all survey respondents believe that attacks at the application layer are harder to detect—and more difficult to contain—than those at the network layer," wrote Mike Convertino, Chief Information Security Officer at F5 Networks, in a blog post.
Approximately 31 percent of business apps are mobile now, and in the next year, that's expected to increase to 38 percent. Meanwhile, 37 percent of software is cloud-based, with that percentage expected to grow to 46 percent. Along with the increased growth, comes increased risk.
This risk is being attributed to overpressured developers, who have been called out by McAfee Labs recently in a threat report (PDF) which criticised them for ignoring known security issues.
When asked if the 'rush to release' causes developers in their organisation to neglect secure coding procedures, a concerning majority responded that was "likely" the case. 30 percent said it was most likely, 37 percent said likely, 19 percent said not likely, and just 14 percent said no.
The report highlighted several key methods in mitigating the risk from poor application-level security:
Hiring and retaining skilled and qualified application developers will improve an organisation's security posture. Sixty-nine percent of respondents believe the shortage of skilled and qualified application developers puts their applications at risk. Moreover, 67 percent of respondents say the "rush to release" causes application developers in their organisation to neglect secure coding procedures and processes.
Ensuring developers understand secure coding practices can reduce application security risk. The two main reasons why applications contain vulnerable code are developers not understanding secure coding practices or their poor coding.
More testing of applications is needed. Almost half of respondents say their organisation does not test applications for threats and vulnerabilities (25 percent) or testing is not pre-scheduled (23 percent). Only 14 percent of respondents say applications are tested every time the code changes.
Currently, respondents have little confidence that application developers in their organisation practice secure design, development and testing of applications. Seventy-four percent of respondents say in application development they are only somewhat confident (27 percent) or have no confidence (47 percent) that such practices as input/output validation, defensive programming and appropriate compiler/linker security options are conducted.
DevOps or continuous integration is believed to improve application security. Thirty-five percent of respondents say their organisations have adopted DevOps or continuous integration practices into the application development lifecycle. Of these respondents, 71 percent say it improves application security and enables them to respond quickly to security issues and vulnerabilities (56 percent of respondents).
By a fair margin, the IT professionals gave the biggest reason for applications using vulnerable code is the use of development tools and technologies with inherent bugs. This was followed by the use of legacy libraries and databases. Few of the professionals blamed the developers for poor coding or lack of understanding about good security practices.
Respondents said they would increase secure coding practices over the next two years by:
Run applications in a safe environment.
Use automated scanning tools to test applications for vulnerabilities.
Perform penetration testing procedures.
Monitor the runtime behaviour of applications to determine if tampering has occurred.
Conduct tests of open source merged with proprietary applications.
Conduct security acceptance requirements for outsourced applications
Use audit/assessment results to improve coding standards.
Encrypt sensitive data used in the application development and testing process.
"71 percent of security professionals who have integrated DevOps practices into their application development lifecycles say that they have improved security and that it enabled them to respond quickly to vulnerabilities. I believe that DevOps practices can be highly beneficial to application security as long as security testing is embedded into the automated testing we already do in DevOps alongside all the functional tests to ensure that the apps we develop are both functionally robust and secure from the ground up," Convertino wrote in his post.
You can download the full report here.
What are your thoughts on the current app security problems? Let us know in the comments.