Friday, August 4, 2017

Security and development: how much is being done?

Let's assess what's happening in the development landscape through the lens of security.

Security is extremely important and everyone knows that. After all, why else would worldwide spending on security technology be forecast to reach $81.7 billion in 2017? The report from IDC states that, in summary, government (10.2%), healthcare (9.8%), utilities (9.7%) and banking (9.5%) are at the top of the list of industries spending the most on cyber-security.

The technology categories that will see the fastest spending growth over the 2015-2020 forecast period are:
  • Device vulnerability assessment software (16.0% CAGR)
  • Software vulnerability assessment (14.5% CAGR)
  • Managed security services (12.2% CAGR)
  • User behavioral analytics (12.2% CAGR)
  • UTM hardware (11.9% CAGR).

SMBs

SMBs are also investing heavily in this area:
"Small and medium businesses (SMBs) will also be a significant contributor to BDA spending with the remaining one third of worldwide revenues coming from companies with fewer than 500 employees."

How much is spent on Development

What the report does not mention is how much is spent on development. Developers working in all those industries may be writing potentially insecure code. We assume that because our companies run anti-viruses, firewalls, VPNs, IDSs, etc., we are safe. But are we?

Probably not. There is a false perception of safety, especially in the corporate world. However, security is very difficult (if not impossible) to measure. That is why, despite the heavy investment, the majority of companies will suffer a security breach.

Developers, on the flip side, should be writing (or at least trying to write) code that is as secure as possible, to protect users who have almost no knowledge of the field. In fact, the majority of developers have no understanding of the fundamentals of security, use no secure coding process, cannot even name the most common risks (do they even know what OWASP is?) and do not keep up to date with the latest threats targeting their code, their OS, their APIs or their browsers.

Consequences and Trends

The consequence? Despite all that investment, people are using insecure code by default. So we can spot some trends:
  • a lot is invested in security, so why aren't we safer?
  • probably because, despite investing in security, companies still neglect some aspects of it. Yes, they buy hardware and invest in firewalls, but most of them also don't update their systems regularly, don't analyze their logs, don't do security auditing, don't validate the tools they use, etc.
  • developers don't know, or only poorly know, security best practices. Most of them have probably never read a book on how to secure their own software and an even smaller subset of them have any idea how a site gets hacked or how common hacking tools work;
  • users, as expected, have even less knowledge of what's happening. They assume everything is ok. The problem is that they neglect things too: they don't update their systems (Windows XP anyone?) or anti-viruses, they reuse and almost never change their passwords, they trust everything they see, they click on everything.

With all that said, it's easy to conclude that we will continue having a hard time protecting ourselves online. The number of threats will keep increasing and developers will not be prepared to protect their code, their companies and their users from all of them.

Does that mean that the world is suddenly more insecure? Not necessarily. There are tools out there meant to protect us (encryption, certificates, protocols, algorithms, firewalls, anti-viruses, etc.). Are they perfect? Absolutely not. Every piece of software ever written has bugs or ways to be circumvented and thus could potentially be exploited. But at the same time, that doesn't mean that everything is lost.

Final Thoughts

This post is meant to alert developers to start thinking about how secure their code is. How can we make developers write better, more secure code? How can we make them understand the need to incorporate security into their development cycle and, hopefully, make it part of their routines - like daily standups or code reviews?

We will analyse those topics in detail in future posts and, hopefully, all of us will be better prepared for the next waves of threats that will undoubtedly come.

In the meantime, keep safe.

See Also

Security is only as strong as the weakest link
The Laws of security
Security and Ethics
Privacy and Ethics
Security Boundaries
Integrated security vulnerability alerts on GitHub - Why it matters