With outsourcing seemingly on offer as the universal scapegoat, it was only a matter of time before the trend to outsource the coding of applications was cited as a security risk.
According to analyst group Quocirca, which surveyed 250 IT directors and executives in the US, the UK and Germany on behalf of Fortify Software, 90 percent of the organisations that admitted to having been 'hacked' had also outsourced more than 40 percent of their applications to third parties.
It seems that security is an afterthought in an alarming number of such outsourcing deals, with 60 percent of respondents admitting to not mandating security from the outset, while 20 percent of those surveyed in the UK failed to accommodate security at all in the outsourced applications. "These survey results help explain the recent, sudden rise in data breaches and should serve as a wake-up call to any executive whose company sits on a pile of mission-critical application code," said Fortify board member and former White House cybersecurity advisor Howard Schmidt.
Large organisations are increasingly relying on custom-made software to give their businesses a competitive edge, but this carries risks. "That organisations are increasingly reliant on bespoke applications to maintain a competitive edge, and are outsourcing a significant proportion of the coding for these applications to third parties, is an alarming trend," said the report. "The need to make business processes more efficient is leading them to expose more of their applications through the use of new programming techniques and technologies, some of which are known to introduce new vulnerabilities into applications, but which are not yet clearly understood."
But given that security awareness has theoretically never been higher, what's causing this lapse? The report mainly blames the way companies have become caught up in hype about new technologies, most notably Web 2.0 and service-oriented architectures (SOA), and their abilities to open up applications to customers and partners.
US companies outsource software development the most, with 61 percent of those surveyed reporting that they outsourced more than 40 percent of their programming. Financial services companies were found by the survey to be the most likely to outsource their software development. In that sector 72 percent of surveyed companies said they outsource more than 40 percent of their software development. The strength of the UK's financial services industry and its regulatory regime means that outsourcing systems development is not as prevalent, although the UK's take-up of Web 2.0 is closer to that of US firms. "Outsourcing of code development is widespread. However, given the lack of visibility into coding practices, it is fundamentally insecure," said the report.
Companies are also up against a new type of hacker, the report noted. "Hackers are becoming more sophisticated, no longer looking to launch widespread attacks for notoriety - instead they are launching stealth attacks against specific targets for financial gain," it said. "New types of attack are becoming more common that target areas where defences are the weakest - the software applications that run on computer networks. New types of hackers are emerging that look for insecurely written code and hunt for vulnerabilities in software applications that will allow them to steal information generated by those applications."
Overall, it's clear that security is not being taken seriously enough, said Fran Howarth, principal analyst at Quocirca and author of the report. "The findings of this report indicate that not enough is being done by organisations to build security into the applications on which their businesses rely," said Howarth. "Not only that, but they are entrusting large parts of their application development needs to third parties. This creates an even greater onus for organisations to thoroughly test all code generated for applications - without which they could be playing into the hands of hackers."