Tuesday, April 08, 2008

Outsourcing increases risk


Study shows companies neglect security

Leading application security vendor Fortify Software announced the findings of a new report released by European information technology analysis group Quocirca, entitled "Why Application Security is Critical."

Today's businesses are increasingly relying on software development to maintain a competitive advantage, and this new report reveals that the widespread outsourcing of code development is putting these businesses at risk. As organizations increasingly look to outsource application development, they are leaving themselves severely exposed to data predators by failing to mandate security in the development of those critical applications.

According to the report, 50 percent of organizations that say software code development is business critical outsource almost half of their code development needs, and more than 60 percent of companies don't mandate security when outsourcing development.

"The findings of this report indicate that not enough is being done by organizations to build security into the applications on which their businesses rely," said Quocirca analyst Fran Howarth, author of the report. "Not only that, but they are entrusting large parts of their application development needs to third parties. This creates an even greater onus for organizations to thoroughly test all code generated for applications -- without which they could be playing into the hands of hackers."

Recent, highly publicized data breaches at companies such as TD Ameritrade, TJX and Hannaford Brothers illustrate how software applications can often contain exploitable vulnerabilities. According to the Quocirca report, all organizations that admitted to being frequently hacked outsource at least some of their coding practice, with 90 percent of companies outsourcing almost half of their application development.

"The processes and systems that run companies today are built in software applications that were designed to be open, which makes them inherently insecure," said Roger Thornton, Founder and Chief Technology Officer of Fortify. "Through outsourcing, customer self-service offerings and the like, enterprises invite people into their network in order to do business better and quicker, but they leave themselves and their corporate assets vulnerable to attack and exploitation. Without assuring the security of the software applications that run your business, you expose your enterprise to unnecessary and costly risk."

In the study, financial services companies are identified as the most likely to outsource their code development needs, with 72 percent reporting that they outsource almost half of their development practices. 84 percent of these organizations report that code development is business critical. Public sector organizations are also big outsourcers, with 55 percent outsourcing over 40 percent of code development.