Internally Developed Applications
The top challenge with remediating identified vulnerabilities for internally developed web applications is a simple lack of resources. The developers who created the application probably are already working on another project. Now the business owners must weigh the potential risk of the vulnerabilities against having to delay the release of another project.
Another group of issues revolves around the practice of outsourcing the development of web applications. When organizations do this, they are then bound to the parameters of the development contract. Speaking from experience, a vast majority of these contracts fail to adequately cover the remediation of security vulnerabilities. This is usually traced back to a critical error of omission whereby functional defects are covered in the contract language but security vulnerabilities are not.
Because of this oversight in the contract language, remediating vulnerabilities in outsourced applications requires a new contract and project to be created. These obviously have an associated cost, which leads to the last main roadblock. Again, business owners must weigh the potential risk of an application compromise against the tangible cost of initiating a new project to remediate the identified vulnerabilities. When weighing these two options against each other, many organizations unfortunately choose to gamble: they leave the code issues unfixed and simply hope that no one exploits the vulnerabilities.