Out-Law News

Outsourced software has weaker security, claims research


All of the companies who admitted to being frequently hacked in a just-published survey outsourced some of their software development, while 60% of companies that outsource do not ask for security to be built in to the technology.

The survey, carried out on behalf of security software company Fortify, found a correlation between hacking incidents and the outsourcing of software development.

"Outsourcing of code development is widespread. However, given the lack of visibility into coding practices, it is fundamentally insecure," said the report by research firm Quocirca.

The research found that large organisations are increasingly relying on custom-made software to give their businesses a competitive edge, but that this process introduces security weaknesses into their companies.

"That organisations are increasingly reliant on bespoke applications to maintain a competitive edge, and are outsourcing a significant proportion of the coding for these applications to third parties, is an alarming trend," said the report. "The need to make business processes more efficient is leading them to expose more of their applications through the use of new programming techniques and technologies, some of which are known to introduce new vulnerabilities into applications, but which are not yet clearly understood."

"These survey results help explain the recent, sudden rise in data breaches and should serve as a wake-up call to any executive whose company sits on a pile of mission-critical application code," said Howard Schmidt, a director of Fortify.

Financial services companies were found by the survey to be the most likely to outsource their software development. In that sector 72% of surveyed companies said they outsource more than 40% of their software development.

These companies are up against a new type of hacker, the survey said. "Hackers are becoming more sophisticated, no longer looking to launch widespread attacks for notoriety – instead they are launching stealth attacks against specific targets for financial gain," it said.

"New types of attack are becoming more common that target areas where defences are the weakest - the software applications that run on computer networks. New types of hackers are emerging that look for insecurely written code and hunt for vulnerabilities in software applications that will allow them to steal information generated by those applications."

The survey found that 60% of companies that outsource the writing of software do not mandate that security be built into the application itself. It found that 20% of UK companies that outsource coding do not even think about security when ordering their software.

According to Fortify, the issue will only grow in importance as more and more companies outsource the development of software.

"This creates an even greater onus for organisations to thoroughly test all code generated for applications, without which they could be playing into the hands of hackers," said Fran Howarth, principal analyst at Quocirca.
