|
In a new report released by European information technology analysis group, Quocirca, organisations that admitted to being frequently hacked, all outsource at least some of their coding practice, with 90 percent outsourcing more than 40 percent. The report, which was based on a survey which was carried out amongst 250 C level executives and IT directors from mainly 1000+ employee sized corporations from the UK, US and Germany, also states that over 60 percent of companies that outsource the coding of their critical applications do not mandate that security must be built into the applications. In fact, 20 percent of UK companies do not even consider security when building their applications.
Of the organisations stating that software code development is business critical or important, 50 percent outsource more than 40 percent of their code development needs.
Statistics already show that the software application layer is where most hackers are accessing critical data. According to NIST (National Institute of Standards and Technology), 92 percent of vulnerabilities affecting computer networks are contained in software applications. As organisations increasingly look to outsource application development, more components of software applications are being developed outside of their direct control.
An organisation that has not developed the code itself can never be absolutely certain that it is secure. However strong a relationship with a third-party developer, or watertight the service-level agreements in place, a rogue developer can place vulnerabilities in the code that they develop—for example, by placing a backdoor in software that can be used to infiltrate a network in the future.
In the report, financial services companies are identified as the most likely to outsource their code development needs and therefore could be putting themselves at serious risk, with 72 percent reporting that they outsource more than 40 percent. 84 percent of these organisations report that code development is business critical or important.
Public sector organisations are also big outsourcers, with 55 percent outsourcing over 40 percent of their code development.
At the other end of the scale are utility companies, the highest of all the industries to cite software development as business critical or important at 90 percent. Just 7 percent of utility companies outsource more that 8 percent of code development.
Fran Howarth, principal analyst at Quocirca and author of the report said: “The findings of this report indicate that not enough is being done by organisations to build security into the applications on which their businesses rely. Not only that, but they are entrusting large parts of their application development needs to third parties. This creates an even greater onus for organisations to thoroughly test all code generated for applications—without which they could be playing into the hands of hackers.”
Other key findings in this study are:
* Exposure to Web 2.0 technologies — among the least understood, but considered to be among the most insecure technologies — is high, but many manage their use through policies alone.
* Organisations are exposing their applications to new security threats through use of Service Oriented Architectures SOA.
* Data protection is the key driver behind application security for the vast majority.
* Using automated tools for building security into the software development lifecycle translates to lower overall spend on IT security.
The report was supported by Fortify Software and can be downloaded here:
www.fortify.com/quocirca (registration required).
•Date: 11th April 2008• Region: World •Type: Article •Topic: IT continuity
Rate this article or make a comment - click here
|
