Poor web applications put firms in peril
Poorly tested web applications are bad for business and bad for security, according to Compuware
Software development experts have warned that many IT departments are failing to realise the impact that poorly designed web applications can have on the security of their enterprise, and said many lack the skilled staff and processes necessary to develop secure applications.
Sarah Saltzman, solutions manager at IT services company Compuware, told IT Week that vulnerabilities in web applications make them an easy target for hackers, but many organisations overlook the importance of developing secure code in favour of more traditional measures such as firewall and network maintenance.
"Firewalls are a good first defense, but if someone is sufficiently determined to get in, vulnerabilities in code are the highest level priority," she said. "The web application space is where we need to focus attention."
Saltzman added that many developers may not have had training in understanding how security vulnerabilities can be exposed and what coding practices they need to adopt in order to ensure secure apps, and she called for a more disciplined approach to software development.
"As IT has grown, structure and formality has been diluted by sheer numbers," she argued. "[Developers] are taking steps to analyse code but the discipline has been diluted – we need to embrace security as part of application reliability."
A cultural change is needed in enterprises to ensure security is placed at the forefront of software development, and this must come from the boardroom as it is a matter of good corporate governance, Saltzman added.
"It all boils down to having a security-conscious culture which has to come from the top," she said. "Security [usually] becomes the most important issue only when there has been a breach and then it's too late."