back to article Security? We've heard of it, say web-app devs. 31 in 33 codebases have at least one big bad vuln

Automated source code analysis of 33 web applications has found that 94 per cent of them have at least one high-severity vulnerability, according to security biz Positive Technologies. "Web applications practically have a target painted on their back," said Leigh-Anne Galloway, cyber security resilience lead at the company in …

  1. SVV Silver badge

    This is my take on these appalling statistics

    The mad rush to jump onto the mobile Android/iOS App hype has made this completely inevitable - and totally avoidable if cooler wiser heads had prevalied. So if you're a younger starting out developer or startup company where do you see the lucrative work over the past few years - of course in Apps because that's what all the clients want. So they tailored their companies / personal skillsets completely towards App world because browser based web apps were now old news and the demand was falling at some speed.

    The older web app developers were starting to be seen as old farts especially those who didn't move into the new trend and it wasn't seen as desirable to bring their skills and experience on board, especially at the salary levels they had grown used to - why pay for all that when the enthusiastic youngsters would work harder and longer for less? Well now we see why it might have been a good idea as the youngsters repeat all the old mistakes because they've not got the experience to avoid making them.

    Twas ever thus I suppose, but I've heard stories of this nature for a few years anecdotally. Things like REST services being totally unsecured. Reading and writing application state and data to files so that the app worked when offline, thus granting open access to the file system. A banking app should never have this sort of access, it should only work in memory, online, "convenience" be damned. Oh well, looks like at least there may be plenty of work available doing consultancy to sort out big messes with web based systems again.

  2. Grikath Silver badge

    Re: This is my take on these appalling statistics

    [manglement] We have this idea for... Can you make something like this?

    [poor sod] Yeeeesss... can be done..ummm gimme two weeks and...

    [manglement] No Good we need it next week so we can include it into our <interminable round of drinkies>

    [poor sod] umm well.. I can whip up a basic thingie in about a week but....

    [manglement] Good!

    two weeks later..

    [poor sod] Well there were some difficulties, but we've got basic functionality, and at least it doesn't crash wildly anymo...

    [manglement] So it works?

    [poor sod] ummm.. yeeeeesss.. in a way... It's only a proto...

    [manglement] But it works?

    [poor sod] In its basic shape yes, but it needs test...

    [manglement] OK. We'll hand it to Ops and roll it out.

    [poor sod] but we still need to test i....

    [manglement] Thank you! Now what's for Lunch?

  3. big_D Silver badge

    Re: This is my take on these appalling statistics

    2001 has called and wants its vulnerabilities back!

    This was web development 101 back when I was testing websites at the turn of the century!

  4. FF22

    That sounds good

    31 in 33 for web apps? That sounds pretty good compared to 33 in 33 for C/C++ apps.

  5. Anonymous Coward
    Anonymous Coward

    There is zero accountability

    Until OS, software and programmers are held accountable for their insecure products and code, the world will remain compromised.

  6. Pascal Monett Silver badge

    Re: There is zero accountability

    Not true and not entirely fair. Coders are very accountable to their management - fail to bring a module out on time and on spec and you risk the pink slip, especially if it happens regularly.

    Having warned that security is insufficient and risks are present just makes you a nuisance, an obstacle in the way of the PHB who wants to brag and show off his new toy, or wants to look good to the board.

    I doubt very much that there are that many developers who don't give a fig that their application can be compromised and used against the user. I think most devs would react to such news if they had the chance.

    Most, that is. I know a few who really, honestly don't care as long the money keeps rolling in.

    I don't talk to them.

  7. Aodhhan Bronze badge

    Stop blaming developers for poor policy

    Developers ARE accountable in one form or another. This comes down to policies and procedures laid out by management.

    I've said this a few times on this forum. As an information security professional, you better first point the finger at yourself; because it's likely your risk assessment is the point of failure.

    Code review and penetration testing the application is vital to risk assessment. If you fail to point out vulnerabilities and their effects (costs) due to bad development policies/procedures, then the fault is on you.

    Risk assessment is the foundation of InfoSec. If all you do is look for vulnerabilities, you will be very frustrated at your job, wondering why things are done the way they are (where you work).

  8. Anonymous Coward
    Anonymous Coward

    All code is written by offshore idiots to the lowest price

    This shitty code is in your medical devices, cars, industrial systems, phones and most devices in your homes. It's present on every website you visit.

    Insecure by negligence and stupidity, it's everywhere in your life.

    But hey - psychopaths are running the companies that make this stuff & they don't give a shit. They are cutting cost to get paid. You are not the 1% so fuck you.

  9. JohaViss

    Why????

    10 reasons why security is considered not important.

    1. We want it NOW.

    2. Sorry you are over worked, but we at not hiring.

    3. Sorry, everybody here is on minimum wage.

    4. You can finish the job in your own time.

    5. Specs, What specs?

    6. Testing. Why?

    7. The client doesn't want security.

    8. The client is not paying for security.

    9. We have more projects to complete.

    10. Your a developer, so develop and don't make smart remarks.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2018