The Security Innovation Europe Blog

What are the Top 3 Causes of Vulnerabilities in Your Applications?

Posted by Alan Pearson on Jun 8, 2016

While your developer and security teams work hard to secure the applications they develop, somehow vulnerabilities creep in despite their best intentions and effort. These vulnerabilities compromise the security of your application and your company’s data, and understanding where they come from is the first step to improving your application security.

So today I’m looking at the leading causes of vulnerabilities in your applications.

1) Insecure Coding Practices

Insecure coding practices are the leading cause of vulnerabilities in your applications, simply because security isn’t made a priority during the development process.

Your developers are judged on the performance, functionality and efficiency of their code, not its security. They’re often working to increasingly tight deadlines: a 2016 study by the Ponemon Institute revealed that 58% of respondents believed their organisations are under pressure to release new apps quickly.

When deadlines are tight, something’s got to give. You can’t compromise on functionality, so unfortunately, it’s often security that suffers. In fact, 35% of organisations don’t perform any major application security testing prior to deployment.

By integrating security measures into each stage of the software development lifecycle (SDLC), right from planning through to implementation, your organisation will save time and money in the long run. In fact, it’s 30x more expensive to fix a vulnerability during post-production than during the design and architecture stages.

Learn more: How to Secure the 7 Stages of the SDLC.

2) Fast-Changing Security Environment

The security environment is constantly changing, with new threats and vulnerabilities emerging all the time. So no matter how skilled your security team are, or how quickly they respond to new vulnerability disclosures, they’re always one step behind, trying to catch up.

The best way to combat a fast-changing security environment is to educate your security and development teams on security best practices. For example, the OWASP Top 10 is an invaluable resource that identifies the ten most common application vulnerabilities and provides guidance on how to prevent them.

If your dev team can adopt secure coding practices to eradicate the most common vulnerabilities from your code, your security team can focus on dealing with new and emerging threats as they arise.

Additionally, it’s vital that your development and security teams keep up good practices after deployment to maintain the security of your code: make sure it is regularly updated, reviewed and patched, and check that each update to your application doesn’t introduce new vulnerabilities.

3) Inherent Vulnerabilities of Programming Languages

Awareness and understanding are key to preventing language-related vulnerabilities from making it into finished applications.

Your dev teams pick their programming language based on the type of application they’re working on, and sometimes, it’s easy to overlook the fact that each language has traits that make it more susceptible to different kinds of vulnerabilities.

Of course, no programming language is immune to vulnerabilities, so avoiding any particular language won’t help improve your application security. Instead, your developer and security teams should work together to develop a shared understanding of the different capabilities of different languages, balanced against the vulnerabilities associated with each language.

To improve the relationship between the two teams, it’s important that your security team understand the benefits that influence your dev team’s choice of programming language, and that your dev team understand how that choice affects the security of your application.

With a good understanding of weaknesses that are prevalent in different programming languages, your dev team can look for specific vulnerabilities during their code reviews, and your security team can run targeted testing prior to deployment.
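As an added illustration of a language trait that reviewers can look for (this is example code written for this page, not the author's), C's manual buffer handling is assumed as the trait in question: a string copy that never compares the input length with the destination size will write past the end of the buffer, while a bounded version rejects input that doesn't fit and still leaves the buffer properly terminated. The function and buffer names are made up for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>
#include <stddef.h>

#define NAME_MAX 16  /* destination buffer size, chosen for the example */

/* Unbounded copy: the length of `src` is never compared with the size
 * of `dst`, so any input of NAME_MAX characters or more writes past the
 * end of the buffer. This is the pattern a code review should flag;
 * it is shown for comparison and is not called by the checks below. */
void copy_name_unchecked(char dst[NAME_MAX], const char *src) {
    strcpy(dst, src);
}

/* Bounded copy: looks for the terminator within the first NAME_MAX
 * bytes of `src`, refuses input that would not fit (including its
 * terminator), and always leaves `dst` as a valid C string.
 * Returns true when the copy succeeded, false when it was rejected. */
bool copy_name_checked(char dst[NAME_MAX], const char *src) {
    const char *end = memchr(src, '\0', NAME_MAX);
    if (end == NULL) {          /* no terminator in range: too long */
        dst[0] = '\0';
        return false;
    }
    size_t len = (size_t)(end - src);
    memcpy(dst, src, len + 1);  /* len + 1 <= NAME_MAX, so this fits */
    return true;
}

int main(void) {
    char buf[NAME_MAX];
    /* constructed sample inputs: one that fits, one that does not */
    const char *inputs[] = { "alice", "a-name-that-is-far-too-long" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        bool ok = copy_name_checked(buf, inputs[i]);
        printf("%-30s -> %s\n", inputs[i], ok ? buf : "rejected");
    }
    return 0;
}
```

The point for review is the missing comparison, not the particular library call: whichever copy routine is used, the reviewer should be able to point to the line where the input length is checked against the destination size, and the tests for that function should include an input exactly one byte too long.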

Learn more: How to Roll Out an Effective Application Security Training Program.