Security Journey Blog

Fast code or secure code? You can’t have both

Written by Security Journey/HackEDU Team | Jan 25, 2024 5:56:37 PM

This article was originally posted on ITPro, where the full article is available.

Companies are prioritizing pushing software to market over making it secure, but it’s a risky strategy that is likely to create bigger headaches for them down the line, a new study shows.

A survey of over 600 tech and IT security workers found that only 20% were confident in their ability to detect a vulnerability before an application was released.

Just under half (47%) said a lack of qualified staff made it difficult to fix vulnerabilities in production, and only half of organizations said they tested the security of their applications after release.

“This signals that too many organizations have given up the fight,” said the report, commissioned by security training company Security Journey and carried out by the Ponemon Institute.

The survey found that 60% of organizations believe it’s ‘difficult-to-very-difficult’ to remediate vulnerabilities in applications, and only 11% of organizations believe they patch vulnerabilities effectively in a timely manner.

If the developers themselves don’t spot flaws in code before it goes into production, there is a risk that the first people to identify a vulnerability will be hackers probing systems for weaknesses.

And that is far from a theoretical problem. In the past year, 54% of respondents had a security incident due to an unpatched vulnerability, and 51% said they had more than eight security incidents because of an unpatched flaw.

“Securing an application later in its development lifecycle is a risky plan, as it leaves it vulnerable to immediate exploitation. Knowledgeable human intervention can improve this situation,” the report said.

Just over half (55%) of those surveyed felt their development, security, and compliance teams were aligned on product security.

“This implies that a significant proportion of organizations are facing challenges in achieving a cohesive and unified approach toward ensuring the security and compliance of their products," the report said. "The lack of alignment between these teams can lead to a fragmented approach toward addressing security concerns, potentially resulting in increased security risks and vulnerabilities."

Over half of respondents blamed silo and turf issues for the delays in vulnerability patching, while 38% said they don’t have the ability to hold other departments accountable for patching.

“The lack of shared focus and accountability can lead to major delays in vulnerability patching, which can be a significant risk to businesses. There’s still more work to be done to break down silos and improve collaboration between teams to ensure that they can effectively manage security risks,” it said.

The survey said this is all fundamentally an organizational problem rather than the fault of individuals.

Individual tech professionals understood the challenge of balancing the need for secure applications with the need to develop and deploy applications quickly.

“When organizations lack a strong security culture across teams and fail to keep security in mind when making business decisions, are we asking for stricter regulations with financial penalties, like GDPR?”

According to separate research by security company Qualys, 26,447 software vulnerabilities were disclosed in 2023. Not all of those carry the same risk: over 7,000 had proof-of-concept exploit code, meaning exploitation has been demonstrated in practice, and 206 had weaponized exploit code available, which makes compromising a target system considerably easier.

Larry Ponemon, chairman of the Ponemon Institute, described the current state of the application security landscape as “deeply concerning,” and said the focus still remains on “speed to market rather than instilling a secure culture around application development.”

Part of the problem may be down to training. More than two-thirds (68%) of respondents only undertake secure coding training because of a compliance need or in response to an exploit.

For almost as long as there has been software there have been bugs (the first recorded one, famously, being an actual insect). The tech industry has spent decades trying to reduce the number of vulnerabilities found in shipped software.

It’s now more than 20 years since Bill Gates sent his famous email about ‘trustworthy computing’, which aimed to make computing as “available, reliable and secure as electricity, water services and telephony,” and which kicked off an industry-wide debate about making software more secure.

It seems, however, there is still work to do.