Is Outsourcing a Security Risk?April 12, 2008 – 1:10 PM
The world has a new culprit to blame for the rising tide of software vulnerabilities — code outsourcing.
The trend to outsource the coding of applications is now a major contributor to making business software more vulnerable, a survey-cum-report has claimed.
According to analyst group Quocirca, which surveyed 250 IT directors and executives in the U.S., the U.K. and Germany for Fortify Software, ninety percent of the organizations that admitted to having been ‘hacked’ had outsourced more than 40 percent of their applications to third parties.
But the rush to benefit from the speed, convenience and lower cost of outsourced applications was leaving security as an afterthought in an alarming number of cases. Sixty percent of respondents reported not mandating security from scratch, while 20 percent of those surveyed in the U.K. failed to accommodate security at all in the outsourced applications.
So what’s behind this risky attitude? The report mainly blames the way companies have become enamored with relatively poorly-understood Web 2.0 technologies, and the parallel rush to use service-oriented architectures (SOA) to open up software to much-loved partners.
As to outsourcing itself, according to Fortify, the problem here is that the client company has no visibility on the coding behavior of the company carrying out the work, no matter how good the relationship appears to be.
As in other areas of technology, U.S. organizations have been at the forefront of the software outsourcing movement, with 61 percent of those surveyed reporting that they outsourced more than 40 percent of their programming. Germany, by contrast was some way behind this percentage, with the U.K. somewhere between the two extremes, thanks to its financial services bias. The U.K.’s uptake of Web 2.0 is also closer to the U.S.’ than Germany’s, which is to say that it has been significant.
“These survey results help explain the recent, sudden rise in data breaches and should serve as a wake-up call to any executive whose company sits on a pile of mission-critical application code,” said Fortify board member and former White House cybersecurity advisor Howard Schmidt.
At least companies can attempt to protect themselves against the specific threat posed by lazy programming using backdoor detection systems, a growing category of software. As ever companies find themselves solving software security problems by buying yet more software.
Source: PC World