Fortify Software: Outsource your code & you're more likely to be hacked; More than 60% of companies overlook mandating security when outsourcing

[April 07, 2008]

(M2 PressWIRE Via Thomson Dialog NewsEdge)
RDATE:07042008

London (UK) -- A new report from the European information technology
analysis group Quocirca finds that every organisation admitting to being
frequently hacked outsources at least some of its coding, and 90 percent
of those organisations outsource more than 40 percent of it. With this
in mind, the hacker's future looks rosy, because outsourcing of
applications is on the rise: 78 percent of organisations that say
software development is business critical for them choose to outsource
their vital applications. Yet security is being left out in the cold,
with companies failing to build security in when they outsource the
development of their critical applications, according to the report,
released today by Quocirca and supported by Fortify Software.

The survey found that over 60 percent of companies that outsource the
coding of their critical applications do not mandate that security must
be built into those applications. In fact, the study uncovered the
chilling statistic that 20 percent of UK companies do not even consider
security when building their applications, potentially leaving a great
big stable door open to the hacking community. Yet outsourcing is very
much on the up.

The report, which surveyed 250 C-level executives and IT directors,
mainly from corporations of 1,000 or more employees in the UK, US and
Germany, reveals that outsourcing of code development is widespread and
growing in importance. Among the surveyed organisations that state
software code development is business critical or important to them, 50
percent outsource more than 40 percent of their code development needs.

Statistics already show that the software application layer is where
most hackers get at critical data. According to NIST (the US National
Institute of Standards and Technology), 92 percent of vulnerabilities
affecting computer networks are contained in software applications. As
organisations increasingly look to outsource application development,
more components of their software applications are being developed
outside their direct control.

An organisation that has not developed the code itself can never be
absolutely certain that it is secure. However strong the relationship
with a third-party developer, or however watertight the service-level
agreements in place, a rogue developer can plant vulnerabilities in the
code they deliver, for example a backdoor that can be used to infiltrate
the network later. TD Ameritrade found this out to its cost when it was
forced to disclose in 2007 that personal details of 6.3 million
customers had been leaked through a vulnerability caused by a backdoor
created by an outsourced programmer.

Howard Schmidt, member of Fortify Software's board of directors and
previously cyber security advisor to the White House, said: "These
survey results help explain the recent, sudden rise in data breaches
and should serve as a wake-up call to any executive whose company sits
on a pile of mission-critical application code."

In the report, financial services companies are identified as the most
likely to outsource their code development, and therefore could be
putting themselves at serious risk: 72 percent report outsourcing more
than 40 percent of it. Disturbingly, 84 percent of these same
organisations report that code development is business critical or
important to them.

Public sector organisations are also big outsourcers, with 55 percent
outsourcing over 40 percent of their code development, even though 64
percent state that code development is only of moderate importance to
them.

At the other end of the scale are utility companies: the highest
proportion of any industry, 90 percent, cite software development as
business critical or important, yet just 7 percent outsource more than
8 percent of their code development.

Fran Howarth, principal analyst at Quocirca and author of the report,
said: "The findings of this report indicate that not enough is being
done by organisations to build security into the applications on which
their businesses rely. Not only that, but they are entrusting large
parts of their application development needs to third parties. This
creates an even greater onus for organisations to thoroughly test all
code generated for applications, without which they could be playing
into the hands of hackers."

That software applications contain flaws which hackers can exploit is
nothing new. That organisations are increasingly reliant on bespoke
applications to maintain a competitive edge, and are outsourcing a
significant proportion of the coding for those applications to third
parties, is an alarming trend. The report does note that German
organisations are better at building in security than their UK and US
counterparts. As electronic crime continues to increase, organisations
are under pressure to be seen to be more proactive about IT security.
This is not only common sense; it is increasingly a requirement placed
on organisations across a wide range of industries by governments and
industry regulators.

Fortify, an advocate of Business Software Assurance, a holistic approach
to protecting corporate digital assets at the most fundamental level,
recommends that a company which outsources the development of critical
applications follow these guidelines:

Work with the outsourced vendor to fully understand what processes and
procedures are in place to assure software security.

Review contract language and procurement procedures so that outsourcers
assume liability for software vulnerabilities.

Make sure outsourcers are applying testing and assurance technologies
to all code developed offsite.

Other key findings in this study are:

Exposure to Web 2.0 technologies, among the least understood but
considered to be among the most insecure technologies, is high, but many
organisations manage their use through policies alone.

Organisations are exposing their applications to new security threats
through use of Service Oriented Architectures (SOA).

Data protection is the key driver behind application security for the
vast majority.

Using automated tools for building security into the software
development lifecycle translates to lower overall spend on IT security.

The information in the report is based on a survey of 250 IT directors,
senior IT managers and C-level executives in Germany, the UK and the US.
It was completed in December 2007 and January 2008. Those surveyed
included organisations from 1,000 employees up to large multinationals
across a wide range of industrial sectors.

Report can be downloaded here:

www.fortify.com/quocirca

Fortify is offering security professionals the opportunity to benchmark
their security practices against industry averages. This survey is
available at:

http://www.nkv5.com/fortifysoftware/survey/2008_01_survey.php

About Quocirca Ltd

Quocirca is a primary research and analysis company specialising in the
business impact of information technology and communications (ITC).
With worldwide, native-language reach, Quocirca provides in-depth
insights into the views of buyers and influencers in large, mid-sized
and small organisations. Its analyst team is made up of real-world
practitioners with first-hand experience of ITC delivery who
continuously research and track the industry.

Quocirca reports are freely available to everyone and the full text of
this report may be requested via www.quocirca.com.

About Fortify Software, Inc.

Fortify Software products protect companies from the threats posed by
security flaws in business-critical software applications. Its software
security products, Fortify SCA, Fortify Manager, Fortify Tracer and
Fortify Defender, drive down costs and security risks by automating key
processes of developing and deploying secure applications. Fortify
Software's customers include government agencies and FORTUNE 500
companies in a wide variety of industries, such as financial services,
healthcare, e-commerce, telecommunications, publishing, insurance,
systems integration and information management. The company is backed
by world-class teams of software security experts and partners. More
information is available at www.fortify.com

CONTACT: Yvonne Eskenzi, PR for Fortify Software
Tel: +44 (0)20 7183 2832
e-mail Yvonne@eskenzipr.com

((M2 Communications Ltd disclaims all liability for information
provided within M2 PressWIRE. Data supplied by named party/parties.
Further information on M2 PressWIRE can be obtained at
http://www.presswire.net on the world wide web. Inquiries to
info@m2.com)).

Copyright © 2008 M2 Communications Ltd.
