By Andrew Rose

Security threats develop and evolve with startling rapidity, with the attackers always seeking to stay one step ahead of the S&R professional. The agility of our aggressors is understandable: they do not have the same service-focused restrictions that most organizations have, and they seek to find and exploit individual weaknesses in the vast sea of interconnecting technology that is our computing infrastructure. If we are to stand a chance of breaking even in this game, we have to learn our lessons and ensure that we don't repeat the same mistakes over and over. Unfortunately, it is alarmingly common to see well-known vulnerabilities and weaknesses being baked right into new applications and systems, just as if the past 5 years had never happened!

A recent report released by Alex Hopkins of Context Information Security shines a light on the vulnerabilities they discovered while testing almost 600 pre-release web applications during 2011. The headlines for me were:

- On average, the number of issues discovered per application is on the rise
- Two thirds of web applications were affected by cross-site scripting (XSS)
- Nearly one in five web applications were vulnerable to SQL injection

It makes depressing reading, but I'm interested in why this situation is occurring:

- Are S&R professionals simply not educating and guiding application developers?
- Are application developers ignoring the training and education?
- Are we teaching them the wrong things, or do we struggle to explain the threats from XSS and SQL injection?
- Are our internal testing regimes failing, allowing flawed code to reach release candidate stage?

In my experience, most developers are keen to learn how to write secure code, and there are simple and effective solutions that can really help, such as coding standards, peer review, testing standards and reusable subroutines. This data, however, suggests that a fair number of organizations are sadly overlooking these.
Training and awareness is a topic I'll be delving into later in the year, but I'd be interested in why you think that App Devs don't seem to have turned the corner and what techniques you have found to be effective in improving the quality of your firm's coding.