Security experts blame developers for holes

Clean it up at the source...

Almost half of all applications have security flaws that are both serious and easily exploitable. According to the latest research from security experts @stake, all of the flaws it discovered were easily preventable if software companies employed reasonably secure development processes.

Avi Corfas, executive VP for EMEA at @stake, said: "All applications have flaws in them. However, what we looked for were flaws that were not only potentially very damaging, but also easily exploitable by hackers."

He told silicon.com: "We found that 47 per cent of applications had this worrying combination of properties."

Corfas would not be drawn on which companies' software @stake had studied to reach the findings but said the levels of security from different vendors varied enormously. Some applications in the study had 80 per cent less risk of being compromised than others.

Corfas said the problems are simple to solve if addressed at the design stage. "Seventy per cent of the flaws came from the design of the applications, rather than the deployment. It is so much cheaper to fix security problems during design than implementation," he said.

@stake identified a number of common mistakes by application developers. Firstly, insufficient attention is paid to secure methods of authenticating users. In addition, multi-tiered programs are designed to implicitly trust information passed from tier to tier, giving hackers an easy ride.

Corfas called on the application development houses to do more. He said: "Many companies still don't seem to have realised the implications of opening their programs up to the internet. With applications designed to let people like customers and partners in, the boundaries become more diffuse and internal security that much more important."
