80 PER CENT of app devs SUCK at securing your data, study finds

Developers are experts in spinning wonderfully-shiny, horribly-insecure apps, according to research from Aspect Security. Social media meeting buttons and go-live dates rate far higher with app developers than the need to ensure the security of private data. Worse, devs couldn't secure apps if they wanted to, according to the …

  1. Mr C

    If you can't see it..

    and this is surprising.. how?

    playing devil's advocate here (aka my boss)

    "You listen here son, build the damn app, never mind about security and all that (never mind about documentation either but that's another story) -- if we ever get to the point where we need security it actually means the app has become successful, so we will do security *then* with the revenues generated from it"

    My point, since security isn't an immediate money-generating mechanism compared to, say, shiny buttons and flashy animations, the money in the development process goes to the guy that draws stuff and much less to the extra time that a dev needs to be trained for (or to program) security features

    This is a deeper rooted problem, namely money being a driving force and the ROI in security only becomes evident after a product has become viable.

    Or, as the home-depot-security-tech-guy said to his friends "never mind your credit card, you better pay in cash"

    1. AbelSoul

      Re: If you can't see it..

      (aka my boss)

      "You listen here son, build the damn app, never mind about security and all that (never mind about documentation either but that's another story) -- if we ever get to the point where we need security it actually means the app has become successful, so we will do security *then* with the revenues generated from it"

      Your boss sounds remarkably like the boss I had in my first dev. job.

    2. Anonymous Coward

      Re: If you can't see it..

      What's surprising is the gargantuan result of 52%. Really? I believe it's more like 12% passed (that's me being generous).

  2. Paddy B

    Be interesting to see the question set...

    And see how the legions of El Reg commentards manage to score.

    We are obviously a step above as we read articles like this...

    1. ZSn

      Re: Be interesting to see the question set...

      Don't bet on it. It might be a bit embarrassing to find out just how bad I am at it!

      However the report is at:

      http://www.aspectsecurity.com/the-2014-state-of-developer-application-security-knowledge-report-landing-page

      It requires an E-mail address however...

      1. Alpha Tony

        Re: Be interesting to see the question set...

        'It requires an E-mail address however...'

        ..Also a credit card number and your mother's maiden name.

  3. Callam McMillan

    I don't suppose they've made the test public? It'd be a great way to waste a bit of time and learn something on a Tuesday morning!

  4. Anonymous Coward

    Tell us, then.

    A constructive approach would be a good education program, instead of just complaining to highlight the issue. Produce a readable and concise guide to making things better, something that will give devs more of a clue - a good overview should be possible within half an hour of reading - with pointers to where to find more information. If it's a 1300 page book, not many people will wade through it.

    1. Anonymous Coward

      If it's a 1300 page book...

      It will have taken so long to write, it will be out of date...

    2. ZSn

      Re: Tell us, then.

      https://owasp.org/index.php/Main_Page

      Does that help?

  5. Andrew Moore

    Another view...

    I had a customer who called in one of these so-called security analysts to check over an app I'd developed for them. One of the big red flags in their report was that my app transmitted passwords in plaintext across an unencrypted internet connection. It doesn't but they refused to back down, saying they had documented proof. Turns out the person doing the testing had a habit of making his usernames and passwords identical.

    1. Mr C

      Re: Another view...

      some security analyst that must've been then :P

      1. Anonymous Coward

        Re: Another view...

        Or maybe just a realistic impression of an average user, and why you should explicitly disallow such a password, or send both encrypted?

        1. frank ly

          @Lis 0r Re: Another view...

          My first reaction was to say, "no, they are two separate items and the user should be free to choose."

          However, I wonder how many users actually do have identical usernames/passwords. Maybe experienced attackers try password=username as a quick and easy first attempt, just in case.

  6. Anonymous Coward

    50 sessions of grey

    "Developers must understand that session ids are just as sensitive as passwords and must be protected accordingly."

    That's very much a generalisation. Session IDs are already treated less sensitively than passwords: for example your session cookies are normally saved to your hard disk, whereas your password isn't. Several online shops allow you to browse and fill your cart using an old token, but won't let you check out until you've re-entered your password. Netflix might allow a session ID over an insecure channel to stream videos, knowing their system will automatically detect if somebody else tries to stream another video with the same session ID.

    If their quiz was a simple multiple-choice one with no nuances like this, then I can see why they found such low scores.

    Anon, because I can feel the warmth of the flames already.

  7. i like crisps

    Have they conducted this type of testing at Norton?

    just asking......

  8. Spearchucker Jones

    No surprise

    Everything you read about security says how difficult it is so don't attempt to do it without a security rocket surgeon. And that no system can be secure, so you're probably better off not even bothering. Agile people can't do anything (security) without a user story.

    The IT industry actively discourages security and then cries like a baby when someone gets broken into.

    Security is NOT difficult. It does require effort though. Effort to learn, and effort to implement, and effort to manage.

  9. Zog_but_not_the_first

    Eh?

    Protect data? I thought most apps were designed to slurp data if the "required permissions" list on my Android phone is anything to go by.

  10. Rich 2 Silver badge

    Not at all surprising

    Software dev falls into a few categories - here's just a few that spring to mind :-

    1/ The guy in his bedroom hacking some iPhone/Android app - He doesn't give a monkeys about security; he's far too interested in how whizzy he can make the thing look (at the cost of normal functionality)

    2/ An open source "community" project - Don't give a stuff about security either, as long as they have the new "skin" framework in place for the next release

    3/ "Proper" (I use the term loosely) engineering environment - Depends; if it's some industrial plant control then security issues might make a showing (Stuxnet? Oh yeah... I forgot about that one). If it's some consumer electronics thing then the mantra from management is usually "get it out of the door ASAP so we can start on the next version". Needless to say, security tends to fall at the early hurdles.

    4/ Some start-up or e-commerce site - Security? Errr.... what's that?

    Lots of different reasons for security failure, but the end result is the same; nobody gives a fuck.

  11. Anonymous Coward

    There is at least one development tool vendor which Verity Stob knows very well....

    ... that is stubbornly refusing to implement proper security into its remoting framework - although it has been notified long ago of the issues.

    Not only did it not implement security, but it's implementing more and more features on its broken framework, and adding new ways for "apps" to communicate with each other without any sensible protection.

    Of course it's marketing its tool highlighting all the new bells and whistles for "app development" - development which is inherently insecure.

    And - not surprisingly, looking at this article - its customers don't care at all about their application security - all they want is really new shiny controls....

  12. Semaj

    Terminology

    Is this about apps (as in phone apps), web applications or just applications in general?

    The term "app" is so horribly varied that it's impossible to use it properly these days.

    As for the fact that most devs have poor security in web applications - yes that's probably the case for the reasons mentioned above (we've all been on the receiving end of Boss: "do it later"). But for (phone) apps it's even worse, mainly because there are hoops to jump through to allow SSL and on-device encryption, which many new, indie devs simply aren't going to bother with.

  13. Otto is a bear.

    Our fault too

    How often are we all taken in by the shiny new products or features, how often do we say it's [Your Favourite IT Vendor] so it must be great, and go and buy. How often do we say hey, great new idea, I must have it. And we don't just do it for IT either.

    Even I do that sometimes, and I really should know better. All we have to do is wait for the perfect product, and wait and wait and wait.......

  14. John Smith 19 Gold badge

    "Most responding devs were from the financial sector, with < 2 years' experience."

    So they thought they were quite good.

    Turns out they weren't.

    I think I'll be sticking with my no apps dumb mobile for some time to come.
