It’s estimated that developers generate 111 billion lines of new software code every year, according to the 2017 Application Security Report from Cybersecurity Ventures, scheduled for release next month. (Disclaimer: Steve Morgan is founder and CEO of Cybersecurity Ventures.)
That’s a whole lotta code that needs to be tested and secured before it reaches the fingertips of consumers, businesses, and governments globally.
A software assurance report published by the U.S. Department of Homeland Security (DHS) estimates that 90 percent of reported security incidents result from exploits against defects in the design or code of software. Those figures were researched by the Software Engineering Institute (SEI), a not-for-profit Federally Funded Research and Development Center (FFRDC) at Carnegie Mellon University, specifically established by the U.S. Department of Defense (DoD) to focus on software and cybersecurity.
The thought of 2 billion lines of new code being released into the world every week is rather concerning in light of SEI’s research and the amount of insecure code that already needs to be addressed. Watson — IBM’s star cybersecurity pupil — states that there are currently 75,000 documented software vulnerabilities. The number of undocumented vulnerabilities is even greater.
Watson is poring over the 10,000 security research papers that are published each year and the 60,000 security blog posts that are written every month — and is sure to be reporting on scores of new vulnerabilities in 2017.
Earlier this year, a CSO story took a look at how to remedy the epidemic of security incidents that result from exploits against defects in software. The big takeaway was that software developers aren’t baking security into their day-to-day development process (namely, testing and scanning for flaws and vulnerabilities as they go) and are instead deferring the hardening of web and mobile apps until after they’ve been written.
When an app has been fully coded, there’s a rush to get it out the door. That’s hardly the best time to start thinking about security. At that point, it may be too late.
“The best thing (for software developers) to do is accept that security is just as critical to building software as safety is to building airplanes, and make a conscious decision to build security into your software development process,” stated Frank Zinghini, founder and CEO at Applied Visions, Inc. (AVI), a software development company focused on cyber security, business applications, and command and control systems for government and commercial customers worldwide. “Worry about software security before you even start writing code, incorporate vulnerability scanning tools into your continuous integration system, and integrate security testing with your quality assurance process,” added Zinghini.
There are more than 18 million programmers in the world, according to a count by market researcher IDC a couple of years ago. Considering that one survey found two out of three developers are self-taught, it’s hard to know exactly how many new programmers are entering the field each year.
The SANS Institute 2015 State of Application Security Report helps explain the problem around securing code by stating that many information security engineers don’t understand software development, and most software developers don’t understand security. Troubling as that sounds, it’s hard to disagree.
In the U.S., students can graduate from any one of the top 10 computer science programs without taking a single course on cybersecurity. Computer science is a favorite major for aspiring programmers.
To sum up the problem… the world has a major application testing and scanning chore on its hands, created by self-taught and renegade programmers who’ve generated a massive amount of insecure code. Then there are the younger programmers who lack formal security training and are charged with building new apps.
Manual scanning and remediation of software code defects at this scale is simply not possible.
There is hope. Poor software development practices are changing at large enterprises and more experienced programming shops, which have standardized on Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) tools. SAST analyzes source code or binaries without running them; DAST probes the running application from the outside. Neither fixes anything on its own, but both automate the work of finding vulnerable code and flagging it for remediation, and when they run in the build pipeline the flaws surface while the developer is still working on that code.
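To make the "scan in your continuous integration system" advice concrete, here is an added example (not code from the article, from AVI, or from any vendor's product) of what the SAST side of that pipeline looks like at its smallest: a checker built on Python's `ast` module that walks each file's syntax tree, flags a handful of well-known dangerous call patterns, and returns a non-zero exit status so the CI job fails the build. The rule names (`PY-SHELL`, `PY-SQLI`, etc.), the severity scheme and the two sample source files are all constructed for illustration; production scanners such as Bandit do the same thing with far richer rule sets.

```python
"""Minimal SAST-style checker built on Python's ast module.

Added example, not code from the article or from any vendor product:
it parses each source file, walks the syntax tree, reports a small set
of dangerous call patterns, and returns a non-zero status so a CI step
fails the build. Rule names, severities and the sample sources below
are constructed for illustration only.
"""
import ast
import sys
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str      # "high" or "medium"
    line: int
    message: str


def _callee_name(node: ast.Call) -> str:
    """Dotted name of the callee, e.g. 'subprocess.run', 'eval' or 'cursor.execute'."""
    parts, func = [], node.func
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
    return ".".join(reversed(parts))


def _keyword_is_true(node: ast.Call, name: str) -> bool:
    return any(kw.arg == name and isinstance(kw.value, ast.Constant) and kw.value.value is True
               for kw in node.keywords)


def _is_built_at_runtime(expr: ast.AST) -> bool:
    """True when a string is assembled with %, +, .format() or an f-string."""
    return (isinstance(expr, (ast.BinOp, ast.JoinedStr))
            or (isinstance(expr, ast.Call) and isinstance(expr.func, ast.Attribute)
                and expr.func.attr == "format"))


class DangerousCallVisitor(ast.NodeVisitor):
    def __init__(self) -> None:
        self.findings: List[Finding] = []

    def _report(self, rule: str, severity: str, node: ast.AST, message: str) -> None:
        self.findings.append(Finding(rule, severity, node.lineno, message))

    def visit_Call(self, node: ast.Call) -> None:
        name = _callee_name(node)
        if name in ("eval", "exec"):
            self._report("PY-EVAL", "high", node, f"{name}() evaluates data as code")
        elif name in ("pickle.load", "pickle.loads"):
            self._report("PY-PICKLE", "high", node, "unpickling untrusted data runs arbitrary code")
        elif name.startswith("subprocess.") and _keyword_is_true(node, "shell"):
            self._report("PY-SHELL", "high", node, "shell=True hands argument text to the shell")
        elif name.endswith(".execute") and node.args and _is_built_at_runtime(node.args[0]):
            self._report("PY-SQLI", "high", node, "SQL built by string formatting; use parameters")
        elif name in ("hashlib.md5", "hashlib.sha1"):
            self._report("PY-WEAKHASH", "medium", node, f"{name} is not collision resistant")
        self.generic_visit(node)   # keep walking: catches nested calls like md5(...).hexdigest()


def scan_source(source: str) -> List[Finding]:
    """Findings for one file's source text; a file that will not parse is itself a finding."""
    try:
        tree = ast.parse(source)
    except SyntaxError as err:
        return [Finding("PY-PARSE", "high", err.lineno or 0, "file does not parse; scan incomplete")]
    visitor = DangerousCallVisitor()
    visitor.visit(tree)
    return visitor.findings


def ci_gate(results: Dict[str, List[Finding]], fail_on=("high",)) -> int:
    """Print findings in file:line form and return the exit status the CI step should use."""
    status = 0
    for filename, findings in results.items():
        for f in findings:
            print(f"{filename}:{f.line}: {f.severity} {f.rule}: {f.message}")
            if f.severity in fail_on:
                status = 1
    return status


# Constructed sample inputs: the same module before and after remediation.
SAMPLE_VULNERABLE = '''
import subprocess, pickle, hashlib

def run(user_cmd):
    subprocess.run("ls " + user_cmd, shell=True)

def load(blob):
    return pickle.loads(blob)

def lookup(cursor, username):
    cursor.execute("SELECT * FROM users WHERE name = '%s'" % username)

def digest(data):
    return hashlib.md5(data).hexdigest()
'''

SAMPLE_FIXED = '''
import subprocess, hashlib

def run(user_cmd):
    subprocess.run(["ls", "--", user_cmd])

def lookup(cursor, username):
    cursor.execute("SELECT * FROM users WHERE name = ?", (username,))

def digest(data):
    return hashlib.sha256(data).hexdigest()
'''

if __name__ == "__main__":
    sys.exit(ci_gate({"vulnerable.py": scan_source(SAMPLE_VULNERABLE),
                      "fixed.py": scan_source(SAMPLE_FIXED)}))
```

Run stand-alone, the script lists four findings for the vulnerable module (shell injection at line 5, unsafe deserialization at line 8, SQL string formatting at line 11, weak hash at line 14), none for the fixed one, and exits 1 because high-severity findings are present. Two design points carry over to real tools: an unparsable file fails the gate rather than silently passing, because a scan that did not run is not a clean scan; and the `.execute` rule matches any method of that name, which is exactly the kind of false positive a team has to tune out before developers will trust the pipeline.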
Hybrid app security tools will gain traction in 2017, according to the Cybersecurity Ventures report. These next-generation tools aim to bring real-time testing, analysis, and code remediation to developers.
Playing catch-up is not a good place to be when it comes to security. Unfortunately, that’s the state of application security right now.