Despite the number of application security breaches that find their way into the news, most developers care passionately about writing secure code. However, developers’ top priorities for protecting the company’s assets aren’t necessarily the same items that the IT department cares about.
The rise of BYOD means that apps of all shapes and sizes are becoming part of the way work gets done in large enterprises. While security is on the checklist for developers, how they think about security differs from IT teams. Knowing the difference can help bridge the divide and bring added security from multiple fronts.
Writing secure code is just one part of the process of building quality software. The “make it secure” checkbox has to compete with plenty of other goals, such as application performance, a sleek user interface, and responding to user caprice (“it’s just one more feature…”). Happily, a high percentage of applications are built with a security-first attitude, and programmers dedicate attention to bullet-proofing their code from hackers (such as protection from SQL injection vulnerabilities).
However, the way the software is deployed can erase a developer’s best efforts. If the application and its data are loaded onto mobile devices with insecure data management, wide-open networks, or poorly managed passwords, corporate assets are at risk. That can drive developers nuts, when they work so hard to make their code as secure as a tank… only to watch an IT department or end-user make unauthorized access all-too-easy.
According to the most recent Evans Data North American Development Survey, developers are quite concerned about malicious activities directed at their companies. They know that plenty of bad guys are motivated to access business applications and the data stored within. In fact, of the four types of threat from outside entities – stealing data, snooping data, reverse-engineering applications, or stealing source code – the most concerning to developers is the theft of content and data. The largest percentage, 59% of developers, view “stealing your content or data” as very concerning. In contrast, 46% are very concerned about the reverse engineering of code.
So, in their eyes, where are the most worrisome weaknesses? According to the Evans Data report, developers’ primary security concerns are in unauthorized access to mobile devices (24% cite this as the top concern), mobile malware and viruses (20%), and identity theft (18%). When developers work in large organizations (with over 1,000 employees), their attention is even more riveted by unauthorized access (27%) and identity theft (22%).
That’s not to say that developers don’t care about other items; they do. But only one can be top-of-mind, which implies that the development team invests less time building in security for the secondary concerns.
I am not pointing fingers here. Developers have plenty to do to ensure the applications they build incorporate basic (and not-so-basic) security measures, not to mention compliance with governmental regulations and privacy requirements. And, oh yeah, software features.
Of particular interest to IT departments and CIOs: Only 10% of North American developers overall – and just 4% of developers working in large companies – see physical security as the primary threat in relation to information security and access control on mobile devices. Thus they are unlikely to build in application-specific kill-switches or other means to cope with lost or stolen devices.
But if developers look to the left, IT has to look to the right. If there are potential application security vulnerabilities that are not top-of-mind for developers, IT has to pay attention to those “secondary” items. When it comes to the interaction of internal applications and physical security, the IT department needs to ensure it’s protecting against those risks.
Source: Evans Data Corp. North American Development Survey, Volume 1, 2014
In an ideal world, developers and IT work together to ensure that the organization stays safe. By considering which department pays attention to which security concern, both sets of stakeholders can work together for a common goal.