Verizon Business hopes to cash in on the customer need to shore up insecure applications with a new service introduced on Thursday. The Verizon Business Application Security Program is aimed squarely at the dynamic and sometimes chaotic development environments within U.S. enterprises.
"Businesses are often stuck in a Catch-22 situation when it comes to applications," Kerry Bailey, Verizon Business senior vice president of global services, said in a statement. "While enterprises must adopt new applications to conduct their day-to-day operations and remain competitive, the focus tends to be on functionality and efficiency, not security.
Insecure applications are quickly becoming the most vulnerable chink in enterprise armor when it comes to keeping hackers at bay, particularly as organizations accelerate their output to satisfy demand for Web 2.0 technology. According to application security vendor WhiteHat security, approximately 70 percent of the Websites it scans have at least one critical vulnerability.
“We have 17 million programmers in the world and I doubt one percent of them have had any kind of formal or informal education in secure software development,” Jeremiah Grossman, CTO and founder of WhiteHat Security. “That is a whole mess of code being generated every day by those who don’t know how to write secure code.”
In its 2009 Data Breach Investigations Report, Verizon Business found that of 90 the breaches in 2008 that it examined, 79 percent were compromised via web applications. While the security industry has endeavored to staunch the bleeding by applying band-aids such as web application firewalls and software patches, the only way to truly close up these holes is to do develop the right way the first time, says Michael Howard, a secure coding expert and principal security program manager for Microsoft.
“The best bug is the bug that was never written,” says Howard, who is the author of The Security Development Lifecycle.
While there are certainly a number of specialized application development tools and services out in the market that address secure coding practices, Howard, Grossman and others say the issue is systemic. Too many developers and dev leads are clueless to the process because the philosophy has not saturated into the market or the education system.
“We are still hiring people who still know nothing about this stuff, people out of school,” Howard says, “and I see very, very few schools adopting what I could consider basic programming skills.”
The introduction of this new service from a large MSP such as Verizon Business could mark a new push toward mainstreaming secure application development. The program it is introducing takes a risk-based approach to application development, focusing on processes and procedures underlying development. And as a part of the program the company is introducing a new certification that verifies certain controls, policies and procedures meet a given set of standards.