Outsource your code & you're more likely to be hacked: more than 60% of companies overlook mandating security when outsourcing.In a new report released by European information technology analysis group, Quocirca, organisations that admitted to being frequently hacked Modified. Attacked. Having code altered. See hack and hacker. , all outsource at least some of their coding practice, with 90 percent outsourcing more than 40 percent! With this in mind the hacker's future looks rosy ros·y adj. ros·i·er, ros·i·est 1. a. Having the characteristic pink or red color of a rose. b. Flushed with a healthy glow: rosy cheeks. 2. as outsourcing applications is on the up, with 78 percent of organisations that say software development is business critical for them choosing to outsource their vital applications. But security is being left out in the cold--with companies failing to build security in when they outsource the development of their critical applications, according to according to prep. 1. As stated or indicated by; on the authority of: according to historians. 2. In keeping with: according to instructions. 3. a report released by Quocirca and supported by Fortify Software Fortify Software is a Palo Alto, California-based software vendor. The company was founded in 2003 and provides software security products that identify and remove security vulnerabilities from software applications throughout the development, testing, and deployment cycles. . The survey has found that over 60% of companies that outsource the coding of their critical applications do not mandate that security must be built into the applications. In fact, the study has uncovered the chilling statistic that 20 percent of UK companies do not even consider security when building their applications--thus potentially leaving a great big stable door open to the hacking See hack and hacker. community. Yet outsourcing is very much on the up. The report which was carried out amongst 250 C level executives and IT Directors from mainly 1000+ employee sized corporations from the UK, US and Germany, reveals that outsourcing of code development is widespread--and growing in importance. From this study of the organisations stating that software code development is business critical or important to them, 50 percent outsource more than 40 percent of their code development needs. Statistics already show that the software application layer is where most hackers are accessing critical data. According to NIST (National Institute of Standards & Technology, Washington, DC, www.nist.gov) The standards-defining agency of the U.S. government, formerly the National Bureau of Standards. It is one of three agencies that fall under the Technology Administration (www.technology. (National Institute of Standards and Technology National Institute of Standards and Technology, governmental agency within the U.S. Dept. of Commerce with the mission of "working with industry to develop and apply technology, measurements, and standards" in the national interest. ), 92 percent of vulnerabilities affecting computer networks are contained in software applications. As organisations increasingly look to outsource application development, more components of software applications are being developed outside of their direct control. An organisation that has not developed the code itself can never be absolutely certain that it is secure. However strong a relationship with a third-party developer  It has been suggested that First-party developer, Second-party developer be merged into this article or section. , or watertight the service-level agreements in
place, a rogue developer can place vulnerabilities in the code that they
develop--for example, by placing a backdoor See trapdoor. in software that can be used
to infiltrate infiltrate /in·fil·trate/ (in-fil´trat)1. to penetrate the interstices of a tissue or substance. 2. the material or solution so deposited. in·fil·trate v. 1. a network in the future. This is something TS Ameritrade found out to its cost when it was forced to disclose in 2007 that personal details personal details npl (on form etc) → coordonnées fpl personal details person npl → Personalien pl personal details regarding 6.3 million customers had been leaked through a vulnerability caused by a backdoor created by an outsourced programmer. Howard Schmidt, Member of Fortify Software Board of Directors and previously Cyber Security Advisor for the White House said: "These survey results help explain the recent, sudden rise in data breaches and should serve as a wake-up call to any executive whose company sits on a pile of mission-critical application code." In the report, financial services The examples and perspective in this article or section may not represent a worldwide view of the subject. Please [ improve this article] or discuss the issue on the talk page. companies are identified as the most likely to outsource their code development needs and therefore could be putting themselves at serious risk, with 72 percent reporting that they outsource more than 40 percent. Disturbingly, 84 percent of these organisations report that code development is business critical or important. Public sector organisations are also big outsourcers, with 55 percent outsourcing over 40 percent of their code development. Also, 64 percent stating code development is only of moderate importance to them. At the other end of the scale are utility companies--the highest of all the industries to cite software development as business critical or important at 90%, however just 7 percent outsource more that 8 percent of code development. Fran Howarth, Principal Analyst at Quocirca and author of the report said: "The findings of this report indicate that not enough is being done by organisations to build security into the applications on which their businesses rely. Not only that, but they are entrusting large parts of their application development needs to third parties. This creates an even greater onus for organisations to thoroughly test all code generated for applications--without which they could be playing into the hands of hackers." The fact that software applications contain flaws that can be exploited by hackers is nothing new. That organisations are increasingly reliant on bespoke be·spoke v. Past tense and a past participle of bespeak. adj. 1. Custom-made. Said especially of clothes. 2. Making or selling custom-made clothes: a bespoke tailor. applications to maintain a competitive edge, and are outsourcing a significant proportion of the coding for these applications to third parties, is an alarming trend. That said, German organisations are better at building in security than both their UK and US counterparts. As electronic crime continues to increase, organisations are under pressure to be seen to be more proactive about IT security. This is not only something that makes common sense but also is increasingly a requirement being placed on organisations across a wide range of industries by governments and industry regulators. Fortify for·ti·fy v. for·ti·fied, for·ti·fy·ing, for·ti·fies v.tr. To make strong, as: a. To strengthen and secure (a position) with fortifications. b. To reinforce by adding material. , who are advocates of Business Software Assurance, a holistic approach holistic approach A term used in alternative health for a philosophical approach to health care, in which the entire Pt is evaluated and treated. See Alternative medicine, Holistic medicine. to protecting corporate digital assets at the most fundamental level, recommend that if a company outsource the development of critical applications, they should follow these guidelines: * Work with the outsourced vendor to fully understand what processes and procedures are in place to assure software security. * Review contract language and procurement procedures so outsourcers assume liability for software vulnerabilities * Make sure outsourcers are applying testing and assurance technologies on all code developed offsite. The information in the report is based on a survey of 250 IT directors, senior IT managers and C-level executives in Germany, the UK and the US. It was completed in December 2007 and January 2008. Those surveyed included organisations from 1,000 employees up to large multinationals within a wide range of industrial sectors. www.fortify.com/quocirca |
|
||||||||||||||||
Printer friendly
Cite/link
Email
Feedback
Reader Opinion