More than 60% of companies overlook mandating security when outsourcing
London (UK); 7 April 2008 – In a new report released by European information technology analysis group, Quocirca, organisations that admitted to being frequently hacked, all outsource at least some of their coding practice, with 90 percent outsourcing more than 40 percent! With this in mind the hacker’s future looks rosy as outsourcing applications is on the up, with 78 percent of organisations that say software development is business critical for them choosing to outsource their vital applications. But security is being left out in the cold—with companies failing to build security in when they outsource the development of their critical applications, according to a report released today by Quocirca and supported by Fortify Software.
The survey has found that over 60% of companies that outsource the coding of their critical applications do not mandate that security must be built into the applications. In fact, the study has uncovered the chilling statistic that 20 percent of UK companies do not even consider security when building their applications—thus potentially leaving a great big stable door open to the hacking community. Yet outsourcing is very much on the up.
The report which was carried out amongst 250 C level executives and IT Directors from mainly 1000+ employee sized corporations from the UK, US and Germany, reveals that outsourcing of code development is widespread—and growing in importance. From this study of the organisations stating that software code development is business critical or important to them, 50 percent outsource more than 40 percent of their code development needs.
Statistics already show that the software application layer is where most hackers are accessing critical data. According to NIST (National Institute of Standards and Technology), 92 percent of vulnerabilities affecting computer networks are contained in software applications. As organisations increasingly look to outsource application development, more components of software applications are being developed outside of their direct control.
An organisation that has not developed the code itself can never be absolutely certain that it is secure. However strong a relationship with a third-party developer, or watertight the service-level agreements in place, a rogue developer can place vulnerabilities in the code that they develop—for example, by placing a backdoor in software that can be used to infiltrate a network in the future. This is something TS Ameritrade found out to its cost when it was forced to disclose in 2007 that personal details regarding 6.3 million customers had been leaked through a vulnerability caused by a backdoor created by an outsourced programmer.
Howard Schmidt, Member of Fortify Software Board of Directors and previously Cyber Security Advisor for the White House said: “These survey results help explain the recent, sudden rise in data breaches and should serve as a wake-up call to any executive whose company sits on a pile of mission-critical application code. “
In the report, financial services companies are identified as the most likely to outsource their code development needs and therefore could be putting themselves at serious risk, with 72 percent reporting that they outsource more than 40 percent. Disturbingly, 84 percent of these organisations report that code development is business critical or important.
Public sector organisations are also big outsourcers, with 55 percent outsourcing over 40 percent of their code development. Also, 64 percent stating code development is only of moderate importance to them.
At the other end of the scale are utility companies—the highest of all the industries to cite software development as business critical or important at 90%, however just 7 percent outsource more that 8 percent of code development.
Fran Howarth, Principal Analyst at Quocirca and author of the report said: “The findings of this report indicate that not enough is being done by organisations to build security into the applications on which their businesses rely. Not only that, but they are entrusting large parts of their application development needs to third parties. This creates an even greater onus for organisations to thoroughly test all code generated for applications—without which they could be playing into the hands of hackers.”
The fact that software applications contain flaws that can be exploited by hackers is nothing new. That organisations are increasingly reliant on bespoke applications to maintain a competitive edge, and are outsourcing a significant proportion of the coding for these applications to third parties, is an alarming trend. That said, German organisations are better at building in security than both their UK and US counterparts. As electronic crime continues to increase, organisations are under pressure to be seen to be more proactive about IT security. This is not only something that makes common sense but also is increasingly a requirement being placed on organisations across a wide range of industries by governments and industry regulators.
Fortify, who are advocates of Business Software Assurance, a holistic approach to protecting corporate digital assets at the most fundamental level, recommend that if a company outsource the development of critical applications, they should follow these guidelines:
- Work with the outsourced vendor to fully understand what processes and procedures are in place to assure software security.
- Review contract language and procurement procedures so outsourcers assume liability for software vulnerabilities
- Make sure outsourcers are applying testing and assurance technologies on all code developed offsite.
Other key findings in this study are:
- Exposure to Web 2.0 technologies—among the least understood, but considered to be among the most insecure technologies—is high, but many manage their use through policies alone
- Organisations are exposing their applications to new security threats through use of a Service Oriented Architectures SOA
- Data protection is the key driver behind application security for the vast majority
- Using automated tools for building security into the software development lifecycle translates to lower overall spend on IT security
The information in the report is based on a survey of 250 IT directors, senior IT managers and C-level executives in Germany, the UK and the US. It was completed in December 2007 and January 2008. Those surveyed included organisations from 1,000 employees up to large multinationals within a wide range of industrial sectors.
Report can be downloaded here: www.fortify.com/quocirca
Fortify is offering security professionals the opportunity to benchmark their security practices against industry averages. This survey is available at:
http://www.nkv5.com/fortifysoftware/survey/2008_01_survey.php