Outsourcing blamed for rising security woes

We're not paying for that security hole, are we?

The trend to outsource the coding of applications is now a major contributor to making business software more vulnerable, a survey-cum-report has claimed.

According to analyst group Quocirca, which surveyed 250 IT directors and executives in the US, the UK and Germany on behalf of Fortify Software, 90 percent of the organisations that admitted to having been ‘hacked’ had outsourced more than 40 percent of their applications to third parties.

But the rush to benefit from the speed, convenience and lower cost of outsourced applications was leaving security as an afterthought in an alarming number of cases. Sixty percent of respondents reported not mandating security from the outset, while 20 percent of those surveyed in the UK failed to accommodate security at all in their outsourced applications.

So what’s behind this risky attitude? The report mainly blames the way companies have become enamoured with relatively poorly-understood Web 2.0 technologies, and the parallel rush to use service-oriented architectures (SOA) to open up software to much-loved partners.

As to outsourcing itself, according to Fortify, the problem here is that the client company has no visibility on the coding behaviour of the company carrying out the work, no matter how good the relationship appears to be.

As in other areas of technology, US organisations have been at the forefront of the software outsourcing movement, with 61 percent of those surveyed reporting that they outsourced more than 40 percent of their programming. Germany, by contrast, was some way behind this percentage, with the UK somewhere between the two extremes, thanks to its financial services bias. The UK’s uptake of Web 2.0 is also closer to the US’s than Germany’s, which is to say that it has been significant.

“These survey results help explain the recent, sudden rise in data breaches and should serve as a wake-up call to any executive whose company sits on a pile of mission-critical application code,” said Fortify board member and former White House cyber-security advisor Howard Schmidt.

At least companies can attempt to protect themselves against the specific threat posed by lazy programming using backdoor detection systems, a growing category of software. As ever, companies find themselves solving software security problems by buying yet more software.
