Buying packaged applications or subscribing to a cloud service are the only way to go for many organizations, for these solutions offer the fastest road to implementation. However, not every packaged app or SaaS offering can satisfy a line of business’ needs. The only alternative for these organization is to create an application.
But despite the importance of creating secure code, a survey by Veracode, which makes an application analysis platform, suggests software developers are still lagging — particularly in the implementation of cryptography for encrypting data.
Cryptographic issues are the second most common type of flaws — behind overall code quality — that affected applications across all industries, according to this news report on the study, which was based on an analysis of code Veracode customers submitted to its platform over an 18 month period.
“It goes to show how hard it is to implement cryptography correctly,” Veracode CTO Chris Wysopal told CSO Online. “It’s sort of an endemic issue that a lot of people don’t think about.” The story quotes him as saying many developers believe they know how to implement crypto, but they haven’t had any specific training in cryptography and have a false sense of security.
The study also quotes Gartner saying that last year enterprises spent US$12 billion securing their network perimeters, but only US$600 million securing applications.
CISOs who oversee software developers should consider the report’s findings when assessing the effectiveness of software development teams, particularly by industry. The study suggests manufacturing and financial services fixed the largest percentage of flaws (65 and 81 per cent respectively), compared to government, which fixed just 27 percent of the vulnerabilities.
As for the crypto problems, it’s not only the developers’ fault, the CSO Online story argues. It quotes Matthew Green, a professor of cryptography engineering at Johns Hopkins University in Baltimore, saying many crypto libraries are “downright bad” from a usability perspective because they’ve been designed by and for cryptographers.
“Forcing developers to use them is like expecting someone to fly an airplane when all they have is a driver’s license,” he said.