One doesn’t have to look far to see that software is vulnerable, and who better to discuss the perceived state of software security than developers? With that in mind, Netsparker recently conducted a survey that looked at the views of developers on exactly this subject.
Let’s start with the good news. According to the Netsparker survey, 89 percent of web developers report that they keep their web server software up to date. While the published survey did not define what “up to date” means (the day patches are released? The week? Month? Quarter?), it’s generally good news that enterprises are trying to stay on top of patching. And, broadly, keeping software up to date has improved much over the years.
That’s where the good news ended. The rest of the results were not as cheery. For instance, more than half of the web developers surveyed admitted to running potentially vulnerable web applications on their notebooks while connected to the Internet. What a great way to pop the box of a developer.
While there wasn’t much context provided around the question, 57 percent of the surveyed web developers said that their management doesn’t understand IT. We’ve written a lot about this communication disconnect in this blog over the past few years, especially when it comes to technology and risk. Technology people have a challenging time communicating to the business (and it is their job to do so) how technical vulnerabilities translate into business risk. Have a look at the posts here, here and here for more on that.
When it comes to speaking about risk with business leaders and management, developers (as does everyone in IT, as well as the CISO) need to have more conversations with these executives, explain in terms of risks to the business how their software and data change those risks, and provide good options for minimizing that risk.
While this survey was targeted at developers, it’s important CISOs are part of this conversation. As we covered in The Need to Communicate Risks, CISOs need to be deeply engaged with developers and the business, because enterprise technology is moving so swiftly. “Such skills have never been more important for enterprises as they face considerable technical, market, competitive, threat action, and regulatory compliance risk. But to stay on top, CSOs will have to continuously be on the lookout for disruptive risks, and review new technologies and the environment on a continuous basis. If not, then disruptive technology may end up disrupting the enterprise in entirely avoidable and foreseeable yet excruciatingly painful ways,” we wrote in that post.
As we covered in The Importance of the CISO, if enterprises are to have any chance at securing themselves they need executive leadership that cares about cybersecurity, alignment on what level of security they’re comfortable with and what it takes to get there, and someone with C-level authority – a CISO – who owns the information security program. “Success comes down to having constant, ongoing, and comprehensive conversations throughout the business about their technology systems and how they are being secured. Being successful requires having an executive in charge of security, having a strategy in place and continually updated, and then – and this is the kicker – being able to execute against that strategy,” we wrote.
Back to the survey. Which industries and technologies do developers believe to be most vulnerable? Well, 61 percent believe that the government is vulnerable to hacking, while the rest broke down as financial services (50 percent), media (44 percent), communications (32 percent), healthcare (31 percent), gaming (29 percent) and energy (25 percent). When it came to big technological trends, 52 percent of developers believe IoT and smart home technologies are currently at the greatest risk, followed by smart TVs (42 percent), web apps and online services (41 percent), connected cars (35 percent) and ATMs (34 percent). Looking at those results, I’m surprised how many developers don’t view web apps and online services as the most vulnerable technologies – perhaps that just shows it is hard being critical of one’s own baby.