Software developers still failing to create secure code: Report

Buying a packaged application or subscribing to a cloud service is the way to go for many organizations, because these solutions offer the fastest road to implementation. However, not every packaged app or SaaS offering can satisfy a line of business’s needs. The only alternative for these organizations is to build an application themselves.

But despite the importance of creating secure code, a survey by Veracode, which makes an application analysis platform, suggests software developers are still lagging — particularly in the implementation of cryptography for encrypting data.

Cryptographic issues are the second most common type of flaw, behind overall code quality, affecting applications across all industries, according to this news report on the study, which was based on an analysis of code that Veracode customers submitted to its platform over an 18-month period.

“It goes to show how hard it is to implement cryptography correctly,” Veracode CTO Chris Wysopal told CSO Online. “It’s sort of an endemic issue that a lot of people don’t think about.” The story quotes him as saying many developers believe they know how to implement crypto, but they haven’t had any specific training in cryptography and have a false sense of security.

The study also quotes Gartner saying that last year enterprises spent US$12 billion securing their network perimeters, but only US$600 million securing applications.

CISOs who oversee software developers should consider the report’s findings when assessing the effectiveness of software development teams, particularly by industry. The study suggests manufacturing and financial services fixed the largest percentage of flaws (65 and 81 per cent respectively), compared to government, which fixed just 27 per cent of its vulnerabilities.

As for the crypto problems, it’s not only the developers’ fault, the CSO Online story argues. It quotes Matthew Green, a professor of cryptography engineering at Johns Hopkins University in Baltimore, saying many crypto libraries are “downright bad” from a usability perspective because they’ve been designed by and for cryptographers.

“Forcing developers to use them is like expecting someone to fly an airplane when all they have is a driver’s license,” he said.

Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]
