It’ll come as no surprise that many developers feel they are losing the battle against online criminals and data thieves. With ever increasing frequency, we hear of major security breaches at organizations users should be able to trust with their data. As more of the economy moves online, the potential rewards for hackers have increased exponentially. Developers feel beleaguered. In a reversal of the usual commonplace about criminals and those who fight them, hackers have the luxury of making as many mistakes as they need to before they hit on the right strategy. Developers pay dearly for any mistakes they make in the design and construction of secure systems.
Threats are moving faster than any developer can be expected to keep up with. EWeek writer Scott Petersen compares the current security scenario to the Kobayahsi Maru, a no-win test in which all choices lead to eventual failure.
“50 per cent of security professionals don’t believe security is capable of moving as fast as app release cycles; 65 percent said a lack of resources and organizational siloes are the main barriers to security getting into release cycles earlier.”
Although the increasing sophistication and determination of online criminals is a major factor in the continuing inadequacy of online security, the explosion in the scope and complexity of web applications and services plays its part. Ideally, security systems would be relatively simple. Simple solutions are easy to understand and less likely to contain bugs. But simple solutions aren’t applicable to the highly complex web application environment in which developers work. Most web applications consist of multiple layers on the server, including a database layer, and that’s before we talk about the containers, orchestration, and cloud infrastructure layers. Although there are full-stack developers with varying degrees of expertise in all these systems, for a large web application, it’s unlikely that any one developer has a comprehensive understanding.
Most modern web applications follow a security in depth approach, which can work if it’s done well, but it depends on development, operations, and management teams working in concert to apply security best practices right through the product lifecycle. There’s little point hardening the edges of a network if a developer allows arbitrary connections to the database from outside the network.
Which brings us to the final and probably most important reason that developers are feeling the pressure – lack of management investment in security. Web applications live and die by their features and performance. Both are crucial to the bottom line. Security really only becomes a business issue when something goes wrong, so developers are often incentivized to take shortcuts where security is concerned. It doesn’t have to be a conscious decision; a company culture that privileges features over security will naturally tend towards the building of insecure systems. Secure systems require deliberate thoughtful development with security as a core consideration — something that doesn’t always mesh with the headlong rush to get features into production.
If developers are being overwhelmed by the modern web’s constant struggle for security, only a commitment within companies to work together to put security front and center is likely to make a difference.