Study finds web developers undertake too little vulnerability testing
Software vendor Coverity has released its Software Security Risk Report, which claims that fewer than two fifths of web development companies carry out security testing during the development cycle and that more than half do not check their code for bugs and security vulnerabilities before integration testing. According to the study, the result is more frequent web application-related security incidents and, consequently, higher overall costs.
The US static-analysis and quality assurance software specialist commissioned Forrester Consulting to carry out the study on application security and testing. In July, Forrester surveyed 240 application development influencers working at European and North American web development firms.
More than 70% of respondents who had previously experienced a security incident complained of a lack of security technologies and processes for their developers. There were also problems with scalability and budgets: a large majority (79%) said that they could not keep pace with rising code volumes, and more than two thirds said that funding for security was insufficient. 41% felt that short time-to-market forced them to give security a low priority during development. Just 42% adhered to secure coding guidelines, fewer than a third maintained a library of approved and banned functions, and only around a quarter used threat modelling during development.
Just over half of those surveyed had suffered at least one security breach in the previous 18 months. 18% had suffered losses in excess of $500,000 and 8% losses of more than $1 million.
Developers cited poor integration with their development environments, the level of security expertise required and the large number of false positives as the three biggest challenges in using security tools for web applications. The security experts surveyed saw it differently: although some agreed that tool integration is a challenge, none believed that security tools were too complex or required too much expertise.