In a new report released by European information technology analysis group, Quocirca, organisations that admitted to being frequently hacked, all outsource at least some of their coding practice, with 90 per cent outsourcing more than 40 per cent!

With this in mind the hackers future looks rosy as outsourcing applications is on the up, with 78 per cent of organisations that say software development is business critical for them choosing to outsource their vital applications. But security is being left out in the cold, companies failing to build security in when they outsource the development of their critical applications, according to a report released by Quocirca and supported by Fortify Software.

The survey has found that over 60 per cent of companies that outsource the coding of their critical applications do not mandate that security must be built into the applications. In fact, the study has uncovered the chilling statistic that 20 per cent of UK companies do not even consider security when building their applicationsthus potentially leaving a great big stable door open to the hacking community. Yet outsourcing is very much on the up.

The report, which was carried out amongst 250 C level executives and IT Directors from mainly 1000 employee sized corporations from the UK, US and Germany, reveals that outsourcing of code development is widespread and growing in importance. From this study of the organisations stating that software code development is business critical or important to them, 50 per cent outsource more than 40 per cent of their code development needs.

Statistics already show that the software application layer is where most hackers are accessing critical data. According to NIST (National Institute of Standards and Technology), 92 per cent of vulnerabilities affecting computer networks are contained in software applications. As organisations increasingly look to outsource application development, more components of software applications are being developed outside of their direct control.

An organisation that has not developed the code itself can never be absolutely certain that it is secure. However strong a relationship with a third-party developer, or watertight the service-level agreements in place, a rogue developer can place vulnerabilities in the code that they developfor example, by placing a backdoor in software that can be used to infiltrate a network in the future. This is something TS Ameritrade found out to its cost when it was forced to disclose in 2007 that personal details regarding 6.3 million customers had been leaked through a vulnerability caused by a backdoor created by an outsourced programmer.

In the report, financial services companies are identified as the most likely to outsource their code development needs and therefore could be putting themselves at serious risk, with 72 per cent reporting that they outsource more than 40 per cent. Disturbingly, 84 per cent of these organisations report that code development is business critical or important.

Public sector organisations are also big outsourcers, with 55 per cent outsourcing over 40 per cent of their code development. Also, 64 per cent stating code development is only of moderate importance to them.

At the other end of the scale are utility companies the highest of all the industries to cite software development as business critical or important at 90 per cent, however just 7 per cent outsource more that 8 per cent of code development.

The fact that software applications contain flaws that can be exploited by hackers is nothing new. That organisations are increasingly reliant on bespoke applications to maintain a competitive edge, and are outsourcing a significant proportion of the coding for these applications to third parties, is an alarming trend. That said, German organisations are better at building in security than both their UK and US counterparts. As electronic crime continues to increase, organisations are under pressure to be seen to be more proactive about IT security. This is not only something that makes common sense but also is increasingly a requirement being placed on organisations across a wide range of industries by governments and industry regulators.

Fortify, who are advocates of Business Software Assurance, a holistic approach to protecting corporate digital assets at the most fundamental level, recommend that if a company outsource the development of critical applications, they should follow these guidelines:

• work with the outsourced vendor to fully understand what processes and procedures are in place to assure software security
  
• review contract language and procurement procedures so outsourcers assume liability for software vulnerabilities
  
• make sure outsourcers are applying testing and assurance technologies on all code developed offsite.

Other key findings in this study are:

• exposure to Web 2.0 technologies among the least understood, but considered to be among the most insecure technologies is high, but many manage their use through policies alone
  
• organisations are exposing their applications to new security threats through use of Service Oriented Architectures (SOA)
  
• data protection is the key driver behind application security for the vast majority
  
• using automated tools for building security into the software development lifecycle translates to lower overall spend on IT security

The information in the report is based on a survey of 250 IT directors, senior IT managers and C-level executives in Germany, the UK and the US. It was completed in December 2007 and January 2008. Those surveyed included organisations from 1,000 employees up to large multinationals within a wide range of industrial sectors.

[This is an area occasionally touched on in ISB and one of the several areas showing little progress in terms of understanding. The fact is that it is very difficult to outsource risk en bloc and also only possible to outsource liability to a limited extent.

As a first principle outsourcing, from the decision itself and onwards, should be solidly founded in a risk management process, preferably based on a formal and comprehensive corporate security architecture method like SABSA. If this is intelligently done the risk analysis will revel a number of issues to be addressed, including normally:

• the magnitude of any residual risk which can't be covered my policies and procedures, and needs to be insured against or accepted
  
• that, in order to minimise this risk, risk-based software development needs to be used throughout the development process. This is particularly true if web 2 technologies are included. Risk-based software development is a comparatively new technology and few development companies can be expected to master it or even use it consequently - however, it is extremely important to do so, especially if the software is very dynamic
  
• that, again to minimise the residual risk, the outsourcing organisation needs to build internal expertise and procedures aimed at detecting (potential) security breaches in the developing company's procedures and well as in any software delivered.

Outsourcing is a valid method but it needs to be encapsulated in a risk management system. --Ed].

Related links: (Open in a new window.)
www.fortify.com/quocirca>www.fortify.com/quocirca
www.nkv5.com/fortifysoftware/survey/2008_01_survey.php

View printable version (opens in new window)
Back