back to article 80 PER CENT of app devs SUCK at securing your data, study finds

Developers are experts in spinning wonderfully-shiny, horribly-insecure apps, according to research from Aspect Security. Social media meeting buttons and go-live dates rate far higher with app developers than the need to ensure the security of private data. Worse, devs couldn't secure apps if they wanted to, according to the …

  1. Mr C

    If you can't see it..

    and this is surprising.. how?

    playing devils advocate here (aka my boss)

    "You listen here son, build the damn app, nevermind about security and all that (nevermind about documentation either but thats another story) -- if we ever get to the point where we need security it actually means the app has become successful, so we will do security *then* with the revenues generated from it"

    My point, since security isn't a immediate money-generating-mechanism compared to, say, shiny buttons and flashy animations the money in the development process goes to the guy that draws stuff and much less to the extra time that a dev needs to be trained for (or to program) security features

    This is a deeper rooted problem, namely money being a driving force and the ROI in security only becomes evident after a product has become viable.

    Or, as the home-depot-security-tech-guy said to his friends "never-mind your credit-card, you better pay in cash"

    1. AbelSoul

      Re: If you can't see it..

      (aka my boss)

      "You listen here son, build the damn app, nevermind about security and all that (nevermind about documentation either but thats another story) -- if we ever get to the point where we need security it actually means the app has become successful, so we will do security *then* with the revenues generated from it"

      Your boss sounds remarkably like the boss I had in my first dev. job.

    2. Anonymous Coward
      Anonymous Coward

      Re: If you can't see it..

      What's surprising is the gargantuan result of 52%. Really? I believe it more like 12% passed. (that's me being generous).

  2. Paddy B

    Be interesting to see the question set...

    And see how the legions or El Reg commentards manage to score.

    We are obviously a step above as we read articles like this...

    1. ZSn

      Re: Be interesting to see the question set...

      Don't bet on it. It might be a bit embarrassing to find out just how bad I am at it!

      However the report is at:

      It requires an E-mail address however...

      1. Alpha Tony

        Re: Be interesting to see the question set...

        'It requires an E-mail address however...'

        ..Also a credit card number and your mothers maiden name.

  3. Callam McMillan

    I don't suppose they've made the test public? It'd be a great way to waste a bit of time learn something on a Tuesday morning!

  4. Anonymous Coward
    Anonymous Coward

    Tell us, then.

    A constructive approach would be a good education program, instead of just complaining to highlight the issue. Produce a readable and concise guide to making things better, something that will give devs more of a clue - a good overview should be possible within half an hour of reading - with pointers to where to find more information. If it's a 1300 page book, not many people will wade through it.

    1. Anonymous Coward
      Anonymous Coward

      If it's a 1300 page book...

      It will have taken so long to write, it will be out of date...

    2. ZSn

      Re: Tell us, then.

      Does that help?

  5. Andrew Moore

    Another view...

    I had a customer who called in one of these so-called security analysts to check over an app I'd developed for them. One of the big red flags in their report was that my app transmitted passwords in plaintext across an unencrypted internet connection. It doesn't but they refused to back down, saying they had documented proof. Turns out the person doing the testing had a habit of making his usernames and passwords identical.

    1. Mr C

      Re: Another view...

      some security analyst that must've been then :P

      1. Anonymous Coward

        Re: Another view...

        Or maybe just a realistic impression of an average user, and why you should explicitly disallow such a password, or send both encrypted?

        1. frank ly

          @Lis 0rRe: Another view...

          My first reaction was to say, "no, they are two separate items and the user should be free to choose."

          However, I wonder how many users actually do have identical usernames/passwords. Maybe experienced attackers try password=username as a quick and easy first attempt, just in case.

  6. Anonymous Coward
    Anonymous Coward

    50 sessions of grey

    "Developers must understand that session ids are just as sensitive as passwords and must be protected accordingly."

    That's very much a generalisation. Session IDs are already treated less sensitively than passwords: for example your session cookies are normally saved to your hard disk, whereas your password isn't. Several online shops allow you to browse and fill your cart using an old token, but won't let you check out until you've re-entered your password. Netflix might allow a session ID over an insecure channel to stream videos, knowing their system will automatically detect if somebody else tries to stream another video with the same session ID.

    If their quiz was a simple multiple-choice one with no nuances like this, then I can see why they found such low scores.

    Anon, because I can feel the warmth of the flames already.

  7. i like crisps

    Have they conducted this type of testing at Norton?

    just asking......

  8. Spearchucker Jones

    No surprise

    Everything you read about security says how difficult it is so don't attempt to do it without a security rocket surgeon. And that no system can be secure, so you're probably better off not even bothering. better off not even bothering. Agile people can't do anything (security) without a user story.

    The IT industry actively discourages security and then cries like a baby when someone gets broken into.

    Security is NOT difficult. It does require effort though. Effort to learn, and effort to implement, and effort to manage.

  9. Zog_but_not_the_first


    Protect data? I thought most apps were designed to slurp data if the "required permissions" list on my Android phone is anything to go by.

  10. Rich 2 Silver badge

    Not at all surprising

    Software dev falls into a few catagories - here's just a few that spring to mind :-

    1/ The guy in his bedroom hacking some iPhone/Android app - He doesn't give a monkeys about security; he's far too interested in how whizzy he can make the thing look (at the cost of normal functionaily)

    2/ An open source "community" project - Don't give a stuff about security either, as long as they have the new "skin" framework in place for the next release

    3/ "Proper" (I use the term loosely) engineering environment - Depends; if it's some industrial plant control then security issues might make a showing (Stuxnet? Oh yea.. .I forgot about that one). If it's some consumer electronics thing then the mantra from management is usually "get it out of the door ASAP so we can start on the next version". Needless to say, security tends to fall at the early hurdles.

    4/ Some start-up or e-commerce site - Security? Errr.... what's that?

    Lots of different reasons for security failure, but the end result is the same; nobody gives a fuck.

  11. Anonymous Coward
    Anonymous Coward

    There is at least one development tool vendor which Verity Stob knows very well....

    ... that is stubbornly refusing to implement proper security into its remoting framework - although it has been notified long ago of the issues.

    Not only it didn't implement security, but it's implementing more and more features on its broken framework, and adding new way for "apps" to communicate with each other without any sensible protection.

    Of course it's marketing its tool highlighting all the new bell and whistles for "app development" - development which is inherently insecure.

    And - not surprisingly, looking at this article - its customers don't care at all about their application security - all they want is really new shiny controls....

  12. Semaj


    Is this about apps (as in phone apps), web applications or just applications in general?

    The term "app" is so horribly varied that it's impossible to use it properly these days.

    As for the fact that most devs have poor security in web applications - yes that's probably the case for the reasons mentioned about (we've all been on the receiving end of Boss: "do it later"). But for (phone) apps it's even worse, mainly because there are hoops to jump through to allow SSL and on-device encryption, which many new, indie devs simply aren't going bother with.

  13. Otto is a bear.

    Our fault too

    How often are we all taken in by the shiny new products of features, how often do we say it's [Your Favourite IT Vendor] so it must be great, and go and buy. How often do we say hay great new idea, I must have it. And we don't just do it for IT either.

    Even I do that sometimes, and I really should know better. All we have to do is wait for the perfect product, and wait and wait and wait.......

  14. John Smith 19 Gold badge

    "Most responding devs were from the financial sector, with < 2 years' experience."

    So they thought they were quite good.

    Turns out they weren't.

    I think I'll be sticking with my no apps dumb mobile for some time to come.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like