SECURITY BREACHES are becoming more common in web applications because of friction between security experts and development teams, according to a study conducted by Forrester on behalf of software vendor Coverity.
The results show that most firms that develop web applications have experienced breaches because they failed to adopt secure development practices.
Coverity's senior manager of global communications, Chris Adlard, told The INQUIRER, "We spoke with 240 software development influencers from companies that develop web applications and over half had had some kind of web application security problem over the last year and a half."
"They are expensive problems that can range from a few thousand pounds or dollars to an extremely high amount such as more than 10 million."
Adlard explained that this was because 71 percent of respondents lacked security techniques suited to development, and 79 percent said their security processes cannot scale with the volume of code they produce.
"I think the report sets the scene for some of the challenges that are out there right now," Adlard added. "What we have identified is that not that many, just 42 percent of respondents said they are employing some kind of security. That means the majority of companies are not necessarily looking at security during the development phase of the software."
Adlard explained that the problems between security experts and developers persist because the two functions within a company traditionally work in quite different ways and don't speak the same language.
Referring to the book Men Are from Mars, Women Are from Venus, Adlard said security experts and web developers can be both right and wrong at the same time, and suggested that if they were to work together, they could work very well.
"What's happened before is that [security experts and developers] have not really had a platform or a system of tools to help a collaboration work as seamlessly as possible.
"The developers don't know what to focus their efforts on because the security guys aren't giving them that guidance, and the developers are focusing on something else because they think that is more important to them, without always understanding the security implications.
"You then end up with a system where both parties are maximizing their interaction and getting results from it."
Adlard said the issues need to be resolved in a collaborative way, and that you can't ask developers to do something if they don't understand the implications.
"So it's perhaps that developers need to be educated by security experts on where to focus their efforts, and the developers need to communicate back to security what they've done to address the potential issues."
Coverity has a few customers that have done just that already, Adlard said. Though he wasn't able to say which just yet, he said they are looking at product security at the developer level and using the firm as a way "to connect the dots between both sides of the house".