
Top 5 security mistakes software developers make

Feature | 07 Nov 2024 | 10 mins

As attacks continue to plague cybersecurity leaders, CSO has compiled a list of common mistakes by software developers that can be prevented.

[Image: developer working at a laptop. Credit: PeopleImages.com - Yuri A / Shutterstock]

Creating and enforcing the best security practices for application development teams isn’t easy. Software developers don’t necessarily write their code with these practices in mind, and as the appdev landscape grows more complex with cloud computing, containers, and API connections, securing apps becomes harder still.

Security flaws were found in 80% of the applications scanned for Veracode’s annual State of Software Security report, most of them well-known issues that have been part of web apps for years. Akamai’s latest State of Internet Security report, which analyzed traffic through its infrastructure, found that “web attacks against applications and APIs surged by 49% between Q1 2023 and Q1 2024. The exponential growth in demand for applications and APIs has transformed them into lucrative targets for threat actors who are seeking to exploit security gaps to gain unauthorized access to their intended target’s valuable data.”

Over several decades, software developers have seen a variety of security initiatives proposed to fight these trends, such as secure by design, defense in depth, shifting left, devsecops, and other lofty titles. But the problem of insecure apps persists, and the stakes are high: a single poorly made app can provide an open door into an enterprise’s entire network and bring about a massive data breach.

Here are five common bad decisions that can have major enterprise security consequences, with suggestions on how to avoid them and strengthen your security posture.

Bad input controls

Writing any code starts with understanding what data inputs are needed, and that means paying attention to how these inputs are consumed by an application. Having few if any controls over these inputs is how cross-site scripting or SQL injection attacks happen, because these (and other exploits) take advantage of lax input controls.

“A very common practice is the lack of or incorrect input validation,” Tanya Janca, who is writing her second book on application security and has consulted for many years on the topic, tells CSO. Snyk also has blogged about this, saying that developers need to “ensure accurate input validation and that the data is syntactically and semantically correct.” Stackhawk wrote, “always make sure that the backend input is validated and sanitized properly.”

Given the frequency of this advice, why do we still have apps without proper input controls? One reason is that often developers begin writing their apps without controls to simplify testing, and just forget to go back and review their work. Another is that their focus isn’t on security initially or perhaps ever — which was the genesis of the “shifting left” movement.

CISA’s latest best-practices guidance recommends that products systematically enforce parameterized queries and separate command inputs from the contents of the commands themselves.
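As an added example (not code from the article or from CISA), here is the separation CISA describes, in Python with the standard sqlite3 module and a constructed in-memory table: the first lookup splices user input into the command text, the second sends it as a separate parameter, and an allow-list check validates the syntax of the name before either runs.

```python
import re
import sqlite3


def make_db():
    # Constructed sample data (not from the article): two users, one admin.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    conn.commit()
    return conn


def lookup_unsafe(conn, name):
    # Input becomes part of the command text, so data can rewrite the command.
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    # Parameterized query: the command is fixed; the input travels only as data.
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Allow-list for a username: syntactic validation on top of parameterization.
NAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def validate_name(name):
    return NAME_RE.fullmatch(name) is not None


if __name__ == "__main__":
    db = make_db()
    tainted = "x' OR '1'='1"
    print("unsafe:", lookup_unsafe(db, tainted))   # returns every row
    print("safe:  ", lookup_safe(db, tainted))     # returns no rows
    print("valid: ", validate_name(tainted))       # False: rejected before any query
```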

Bad authentication and lax permissions

A second common problem is the lack of solid authentication and role-based permissions in applications. This isn’t anything new, but it is often neglected by appdev teams in the rush to write and post more code. Here the basics matter: creating and staying on top of access rules, implementing multifactor authentication (especially for managers and administrators), and eliminating default (or absent) passwords from any coding project or resource.

One aspect of lax authentication is what is called “secrets sprawl,” the mistake of using hard-coded credentials in the code, including API and encryption keys and login passwords. GitGuardian tracks this issue and found that almost every breach exposing such secrets remained active for at least five days after the software’s author was notified. They found that a tenth of open-source authors leaked a secret, which works out to about 1.7 million developers.

Advice on fixing this fault is echoed in numerous best-practice documents, from individual vendors to CISA’s own guidance. The goal is to determine who actually needs access to each specific resource, and to periodically review that relationship to ensure the roles are still valid. This also means removing any credentials once the data access is no longer needed and doing regular audits of these credentials and permissions.
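As an added example (not code from the article or from GitGuardian), here is a small pre-commit style check for the “secrets sprawl” problem above: it scans source lines for credential-looking assignments and uses Shannon entropy to distinguish a generated key from a weak placeholder. The sample source text is constructed for the demonstration.

```python
import math
import re

# Constructed sample source lines (not from any real project).
SAMPLE_SOURCE = """\
import requests
API_KEY = "k7Qz9vB2xLmN4pR8sT1uW6yA3cE5gH0j"
DB_PASSWORD = 'password'
timeout = 30
# token is read from the environment, not committed to the repo
token = os.environ["SERVICE_TOKEN"]
"""

# Assignment of a quoted literal (8+ chars) to a credential-like name.
ASSIGN_RE = re.compile(
    r"""(?i)(api[_-]?key|secret|password|passwd|token)\s*[:=]\s*["']([^"']{8,})["']"""
)


def shannon_entropy(s):
    # Bits of entropy per character; random keys score high, words score low.
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def find_hardcoded_secrets(source, min_entropy=3.0):
    # Returns (line number, credential name, reason) for every flagged literal.
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        m = ASSIGN_RE.search(line)
        if not m:
            continue
        name, value = m.group(1).lower(), m.group(2)
        if shannon_entropy(value) >= min_entropy:
            reason = "high-entropy literal"
        else:
            reason = "weak literal"
        findings.append((lineno, name, reason))
    return findings


if __name__ == "__main__":
    for lineno, name, reason in find_hardcoded_secrets(SAMPLE_SOURCE):
        print(f"line {lineno}: {name} ({reason})")
```

The environment-variable line is not flagged because no quoted literal is assigned, which is the pattern the scan wants developers to move toward.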

Bad API protection and enumeration

As APIs proliferate and as applications become more connected to each other, developers need to protect this communications path and ensure it’s safe to use. Almost every one of the 400 respondents surveyed by Salt Security experienced security problems in production APIs during 2023, and 17% of them were subject to an API-related breach, according to its State of API Security Q1 2023 report. “Unfortunately, threats keep growing and the potential attack surface has continued to increase,” Adam Rocker of OPSWAT tells CSO.

Witness what happened at the Internet Archive last month, when it experienced three separate breaches, all involving poorly protected API keys. “APIs exposed on public-facing assets increase the attack surface, and are priority targets for malicious actors,” Dale Koeppen, a senior analyst with Gartner, tells CSO. “The application attack surface has increased exponentially and this has led to compromised code that is rushed and brought to market.”

“It’s very easy to find APIs that aren’t behind an API gateway,” Janca tells CSO. “And if they are exposed to the internet, someone bad is going to find them, and then exploit them.”

Developers need to continually test for API vulnerabilities and monitor API traffic in real time to identify threats and streamline response, according to Amiram Shachar, Upwind.io CEO. “And API security shouldn’t be a standalone tool but part of an overall cloud security package.”

According to F5’s 2024 State of Application Strategy report, 41% of organizations surveyed manage at least as many APIs as they have individual apps. F5 predicts that the proportion of APIs will continue to increase as AI implementations move forward and as more complex apps are constructed.

But having an API gateway is just one part of an overall API governance strategy, as the Internet Archive developers have sadly discovered. Organizations need to be consistent and holistic in applying security policies across their entire API infrastructure and be able to adapt to emerging threats and anomalous behavior.

Bad tools

Let’s move on to tools. There are two parts to the tooling challenge of maintaining strong appsec. The first is collecting the right set of tools to help find and fix problems. This is a challenge because there is no single general-purpose security tool, which means your tooling choices will require careful study to leave as few coverage gaps as possible.

Gartner suggests three different kinds of tools to start:

  • An API gateway. These perform two major tasks: they maintain an overall inventory of all APIs to make troubleshooting easier, and they test and help investigate third-party vendors while monitoring all APIs for suspicious activity.
  • Code scanning and testing tools, which help developers spot coding errors and identify and resolve vulnerabilities. These tools help secure the software supply chain while the code is being written, preventing calamities such as the SolarWinds Orion exploit of 2020.
  • A web application firewall (WAF), which protects all applications from attacks such as SQL injection. These typically operate at higher protocol levels, but they can also be used to stop lower-level network-based attacks such as DDoS or botnets.

But there is a second issue: understanding your security culture so you can choose tools that will actually get deployed by your developers. Jeevan Singh blogs about this, advising that you start small and not go shopping for everything at once, “so as not to overwhelm your engineering organization with huge lists of vulnerabilities. You have to look at these vulnerabilities and understand and prioritize what data you are trying to protect.” Singh has found that many organizations select the wrong tools for their business needs. “They don’t operationalize their tools, meaning they aren’t integrated into any daily processes.”

Veracode’s message is simple: scan your apps often, scan them using a variety of technologies, and understand the bigger picture of how apps are built and modified to do continuous remediation.

There are a few application security products that combine multiple categories — what Koeppen calls traffic processing engines — such as from Barracuda, Imperva and F5. That consolidation can help eliminate tool and alert fatigue, which ultimately leads to spending a lot of time chasing false positives. “The biggest challenge is in handling overall risk management properly,” he tells CSO. “We need to streamline this and consolidate multiple tools wherever possible.”

Using automation badly

That brings us to the last issue: using automation infrequently or not very effectively. Even with the best tools, alerts can pile up and take time to analyze. This is where generative AI can help, because it can quickly identify false positives, connect the dots among alerts that require immediate attention, and provide quick remediation, thereby increasing security across an enterprise. “The biggest problem with security software, especially for website and API protection, is the prevalence of false positives,” Venky Sundar, president of Indusface, tells CSO.

Automation is essential to the modern appsec environment, especially as an aid to performing regular penetration and vulnerability testing. This advice is echoed by numerous security experts, including the Open Web Application Security Project (OWASP) and CISA.

“Effectively using AI can help with eliminating or reducing false positives to a bare minimum and encourage more businesses to use WAFs to block them,” says Sundar.

AI can also be used to filter and reduce alert fatigue. The security vendors are moving quickly, and many tools now come with generative AI enhancements and ways to use machine learning models to be more responsive at spotting malware and identifying malicious trends.

Despite these issues, the overall landscape shows some signs of hope. Veracode stated in its report that the proportion of the highest-severity coding flaws is now half of what it once was back in 2016. But serious coding errors remain, and on average, a typical app has 42 flaws per megabyte of written code. That is still too high a number.

Janca offered some hope: “Things are getting better overall. New developers tend to be more security conscious than developers that were trained a long time ago.”
