Thursday, April 17, 2008

Outsourced Software Development Poses Risk

MBA (4/8/2008) Palaparty, Vijay
While organizations focus on advancing communication and transaction technologies by relying on software applications, they may be leaving a window open for cyber criminals. Organizations outsourcing software development activity to third parties face more security risks, said a report from Quocirca Ltd.

“Organizations are not doing enough to build security into applications on which their businesses rely,” said Fran Howarth, analyst at Quocirca, Berkshire, United Kingdom, and author of the report, Why Application Security is Critical. “They are entrusting large parts of their development needs to third parties. This creates an even greater onus for organizations to thoroughly test all code generated for applications—without which they could be playing into the hands of hackers.”

Financial services organizations were identified in the report as most likely to outsource code development. Seventy-two percent of financial services organizations surveyed said they outsource more than half their development practices and 84 percent reported that code development is business critical.

Sixty percent of all organizations, however, do not mandate security when outsourcing development, the report revealed. Furthermore, all organizations that admitted to being frequently hacked said they outsourced at least some of their coding practice—90 percent of companies surveyed outsourced almost half of their application development.

“The processes and systems that run companies today are built in software applications that were designed to be open, which makes them inherently insecure,” said Roger Thornton, founder and CTO of Fortify Software, San Mateo, Calif. “Through outsourcing, customer self-servicing offerings and the like, enterprises invite people into their network in order to do business better and quicker, but they leave themselves and their corporate assets open to attack and exploitation. Without assuring the security of the software applications that run your businesses, you expose your enterprise to unnecessary and costly risk.”

Adoption of Web 2.0 technology is high, even though the report said it is among the least understood and perhaps the most insecure of technologies, and companies are managing its use through policies alone. Fifty-eight percent of respondents use Web 2.0 applications, including those that develop them in-house. Of that 58 percent, 39 percent govern usage through policies and more than 10 percent place no restrictions on its use at all.

Service-oriented architecture, which 66 percent of respondents have adopted or are in the process of adopting, is also presenting new vulnerabilities.

“Adoption rises, potentially leaving organizations more vulnerable to attack as some of these applications would originally have been intended for internal use only and therefore developed without concern for today’s security threats,” Howarth said.

The study, which is based on a survey of 250 IT directors, senior IT managers and C-level executives in Germany, the United Kingdom and the United States, showed that more than 10 percent of U.K. respondents spend more than 15 percent of their IT budget on security, but are the least likely to use automated tools during the application development lifecycle.

“Using automated tools for building security into the software development lifecycle translates to lower overall spend on IT security,” Howarth said. “Yet most respondents could do more to improve security. For example, only 25 percent of respondents use risk rating systems for testing code against known vulnerabilities.”

On the other hand, 96 percent of German organizations spend less than 10 percent of their IT budgets on security and make optimal use of automated tools for building security into applications during the early stages of the software development cycle.

“The fact that software applications contain flaws that can be exploited by hackers is nothing new,” Howarth said. “It is an alarming trend that organizations are increasingly reliant on bespoke applications to maintain a competitive edge, and are outsourcing a significant proportion of the coding for these applications to third parties.”

He said new programming techniques and technology are a result of businesses trying to be more efficient, and some of these are known to introduce vulnerabilities into applications yet are not well understood. “It is now more imperative than ever for organizations developing software applications to use automated tools to ensure that security is built in at an early stage of the development lifecycle to significantly reduce the risks to which organizations are being exposed,” Howarth added.