
Web app attacks are on the rise, but money is tight for developers

Cyber-attacks against web applications are increasing, yet security budgets for developers remain low.

Checkmarx reports that three recent studies highlight the challenge that developers face in securing code with the increase in attacks and low budgets. The reports reveal the need for more resources to secure JavaScript code across in-house and open source codebase.

The 2016 Data Breach Investigations Report showed that attacks against every business sector grew significantly, with financial services hit particularly hard by a 51 percent increase in reported incidents. Common Vulnerabilities and Exposures (CVEs) are not being addressed quickly enough, with the top 10 vulnerabilities accounting for 85 percent of successfully exploited traffic.

Many developers are gravitating to Java-based languages and scripts. According to the annual Stack Overflow survey, 85 percent of developers working on full stack applications are using JavaScript with Java in the top two choices for frontend, backend and mobile applications.

Developer awareness of security controls is increasing, according to the recent 'SANS Institute 2016 State of Application Security: Skills, Configurations and Components' report. Tools and methods were ranked among the top three challenges to implementing AppSec by 38 percent of respondents, followed by a lack of funding or management buy-in (37 percent). Almost a third (60 percent) reported that they test applications continuously, but 53 percent still test applications only when they are initially launched into production.

The largest group (57 percent) said they find one to 25 vulnerabilities per month, and the largest share of respondents (24 percent) said that more than half of the critical vulnerabilities found were related to code bugs rather than misconfigurations. Unfortunately, less than 30 percent report a 75 to 99 percent level of satisfaction with the speed at which their vulnerabilities are repaired.

“Developers are gravitating towards JavaScript, being asked to create more applications by using faster development cycles. Meanwhile, the number of attacks against them grows and information security budgets have remained largely static,” says Amit Ashbel, cyber-security evangelist and director of product marketing for Checkmarx. “This is an unenviable position for developers and a situation that needs to be looked at more carefully by budget holders if they want to stop the problem from getting worse. Investing in AppSec education programmes and white box testing tools can have a massive return on investment compared to the cost of breaches and urgent remediation work after an app has gone live.”
