90% of web apps still have security issues & the coming cloud future
Report: 90 Percent of Web Apps Have Serious Flaws
InformationWeek – November 09, 2009
Nearly nine out of 10 Web applications have vulnerabilities that could lead to the exposure of sensitive information, a new report says.
I thought this was interesting. While the numbers themselves may be inflated because they're vendor provided, the general trend doesn't seem to be improving. In some companies, at least, it's moving in the wrong direction. Perhaps a new way of thinking about this problem is needed. What we as a team have been preaching for many years certainly can make vast improvements (and has made vast improvements where SDL-type programs have been implemented), but we're still far away from a world where any developer can write an app that does what it needs to without having to conscientiously and explicitly think about a myriad of complex security concepts.
Which leads me to my next thought: would you be more enticed to use a cloud computing based infrastructure if you had a "five nines" security SLA? What if the cloud provider not only hosted your site and your database, but also ensured full regulatory compliance and ran automated processes to detect, fix and prevent security issues before applications were ever deployed? As we've seen in the traditional IT market, most security spend has been commoditized and forgotten about (even though plenty of issues remain and continue to cause problems). There is a possibility that cloud security will be used as a differentiator in the next few years, as a "value add" or decision criterion, but, like anything else, it will likely become commoditized in the future as well, to the point where it is simply expected, like availability and uptime.