Developers do not view application security as a top priority, study finds

For discussions about security.
Flash
Moderator
Posts: 907
Joined: Tue Dec 03, 2019 3:13 pm
Location: Arizona, U.S.
Has thanked: 47 times
Been thanked: 109 times

Developers do not view application security as a top priority, study finds

Post by Flash »

Developers do not view application security as a top priority, study finds

by Brian Stone in Security
on April 6, 2022
According to Secure Code Warrior’s State of Developer-Driven Security 2022 survey, 86% of developers said they do not view application security as a top priority when writing code.

The survey of over 1,200 developers also found that more than half of the respondents said they are unable to guarantee their code is safe from common security vulnerabilities. In addition, only 29% of those surveyed said they believe that code writing free of vulnerabilities should be prioritized...

And so on.

Chaos coordinator :?
Grey
Posts: 2003
Joined: Wed Jul 22, 2020 12:33 am
Location: Russia
Has thanked: 75 times
Been thanked: 365 times

Re: Developers do not view application security as a top priority, study finds

Post by Grey »

Flash wrote: Mon Apr 11, 2022 10:50 pm

And so on.

"C'est la vie, messieurs", as people in France thoughtfully say (and not only) :)
It's all "la-la-la-la-la"... others say, not such thoughtful people :)

Fossapup OS, Ryzen 5 3600 CPU, 64 GB RAM, GeForce GTX 1050 Ti 4 GB, Sound Blaster Audigy Rx with amplifier + Yamaha speakers for loud sound, USB Sound Blaster X-Fi Surround 5.1 Pro V3 + headphones for quiet sound.

user1111

Re: Developers do not view application security as a top priority, study finds

Post by user1111 »

Unsurprising, as if effort is expended to better ensure security, that's wasted effort if the end user then leaves their windows (doors) wide open.

Google warning ... you agree that use of our services permits us to track and record as much about you as we can .... User - groans at being asked yet again and without even blinking they hit OK

All of internet data security is fundamentally founded on three elements: the clear text, a key, the enciphered stream. Given any two you can deduce the third, be that the clear text from the key + encrypted, or the key from the clear text + encrypted, or the encrypted from the key + clear text. Now think about how Google is also into DNS and Authentication systems. A DNS lookup turns a site name such as abc into an IP such as 1.2.3.4, where that IP is then used to make connections. When a user asks Google (such as via their commonly used 8.8.8.8 DNS server) for the IP of puppylinux.com, Google feeds that IP back and maybe snapshots what the front page of puppylinux.com looked like at that time. Traffic analysis might then reveal what and when data flowed from the web site to the user around that time, such that they have copies of both the clear text (front page) and encrypted data that is associated with that user/IP, from which that yields the key used, as just another element of what is recorded against that user/IP. Enough keys associated to a particular individual and key analysis might predict what keys might be used in the future, facilitating near instant decoding as/when such data flows arise.

In some respects the same for banking. Bank clearance involves the likes of a UK resident making a transaction that even though to perhaps just another local UK resident/business that transaction flow goes all the way up to the top i.e. USA and back down again. Visibility of each/every transaction by a central entity, and that in the case of the recent Ukraine/Russia issues has the capacity for certain transactions to be blocked (Russian money/transactions).

Developers do not view security as a priority because users more often don't care about security, at least not until that bites. When others have high level details of your profile, name, address, bank details ...etc. it's all too easy to spoof that individual, filter off large sums or partake in illegal activities in that person's name, and then disappear. For the individual that can lead to a decade or more of being in and out of Court trying to prove that debt/actions made in your name weren't actually you.

Same old story, the most common time to have a burglar/security system installed is after recently having been burgled. Same for software. Same for banking. After the horse has bolted.

step
Posts: 516
Joined: Thu Aug 13, 2020 9:55 am
Has thanked: 50 times
Been thanked: 184 times
Contact:

Re: Developers do not view application security as a top priority, study finds

Post by step »

rufwoof wrote: Thu Apr 14, 2022 9:08 pm

All of internet data security is fundamentally founded on three elements, the clear text, a key, the enciphered stream. Given any two you can deduce the third, be that the clear text from the key + encrypted, or the key from the clear text + encrypted, or the encrypted from the key + clear text.

(bold style added)
Interesting. Do you know how easily one can deduce the key from clear text + encrypted text in a public/private key cipher such as the ones modern browsers use?

user1111

Re: Developers do not view application security as a top priority, study finds

Post by user1111 »

The public/private key is a separate factor, just one of the multi-layers involved in browsers (in order to agree on a session encryption method).

Google provides DNS and Certificate Authority roles alongside its Browser so is well positioned to apply man in middle attacks. ... Revise the browsers trusted CA routes to point to its own CA servers, provide the IP you're directed to when you want to visit the PuppyLinux.com web site ... and they're in the middle where everything might look ok, but totally spoofed where a second leg is established from google to the target site and relayed both ways.

For TLS (a session using symmetric keys, both sides using the same key to send/receive), given any two of (clear, key, cipher) the third can be very quickly deduced, but in the context of the above wouldn't be needed anyway. For asymmetric, encoded using each other's public key(s), that's "difficult" (slow) to crack, but again in context ... irrelevant.
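The "given any two of clear text, key and enciphered stream you can deduce the third" relation raised in user1111's two posts above (the DNS/traffic-analysis post and the TLS reply) is worth seeing in actual code. The following is an added example written for this thread, not code from the original posts. It uses a constructed toy stream cipher (a SHA-256 counter-mode keystream XORed with the message, not a vetted cipher) so the relation is visible: for an XOR stream, plaintext XOR ciphertext is exactly the *keystream*. The separate secret *key* that generated the keystream only follows by exhaustive search, which the example shows on a deliberately tiny 16-bit key; each extra key bit doubles the trial count, which is why a 128- or 256-bit session key is not recovered this way. All key, nonce and plaintext values are constructed for the example.

```python
import hashlib


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("inputs must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream: SHA-256(key || nonce || counter) blocks.

    Constructed purely for illustration; it is not a real cipher and must
    not be used to protect anything.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """ciphertext = plaintext XOR keystream(key, nonce)."""
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


decrypt = encrypt  # XOR is its own inverse: plaintext = ciphertext XOR keystream


def recover_keystream(plaintext: bytes, ciphertext: bytes) -> bytes:
    """The 'any two give the third' identity: with clear text and cipher text
    in hand, the keystream that was XORed in is a single XOR away."""
    return xor_bytes(plaintext, ciphertext)


def brute_force_key(nonce: bytes, plaintext: bytes, ciphertext: bytes, key_bits: int):
    """Exhaustive search for the *key* (not the keystream) over a tiny key space.

    Returns (key, trials). The work doubles with every key bit, which is the
    whole point of 128/256-bit session keys: the search never finishes.
    """
    trials = 0
    key_len = (key_bits + 7) // 8
    for candidate in range(1 << key_bits):
        trials += 1
        key = candidate.to_bytes(key_len, "big")
        if encrypt(key, nonce, plaintext) == ciphertext:
            return key, trials
    return None, trials


def demo() -> dict:
    """Run the relation on constructed data and return what was recovered."""
    nonce = b"constructed-nonce"                 # constructed, not from any real session
    plaintext = b"front page of example site"   # constructed 'known plaintext'
    key = (0x2A17).to_bytes(2, "big")           # constructed 16-bit key, tiny on purpose
    ciphertext = encrypt(key, nonce, plaintext)

    # Keystream falls out immediately from the two known elements.
    ks = recover_keystream(plaintext, ciphertext)
    # The key itself only falls out by searching the key space.
    found_key, trials = brute_force_key(nonce, plaintext, ciphertext, 16)
    return {
        "keystream_matches": ks == keystream(key, nonce, len(plaintext)),
        "roundtrip_ok": decrypt(key, nonce, ciphertext) == plaintext,
        "found_key": found_key,
        "trials": trials,
    }


if __name__ == "__main__":
    print(demo())
```

Two things a practitioner takes from running it: the identity is exact for the keystream (and therefore any second message under the same key and nonce could be read with it, which is why nonce reuse is treated as a fatal defect), while the 16-bit key needed 10,776 trials and a 128-bit one would need on the order of 2^127, so "deduce the key" and "deduce the keystream" are not the same claim.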

8Geee
Posts: 376
Joined: Wed Jul 29, 2020 10:52 pm
Location: N.E. USA
Has thanked: 17 times
Been thanked: 54 times

Re: Developers do not view application security as a top priority, study finds

Post by 8Geee »

Well, in the USA at least, the ISP is the MITM. Heaven knows what data they collect (they ARE allowed to do this), and who gets it.

Money talks... no, it shouts, so that it doesn't have to hear common sense.
