
Businesses are not doing enough to ensure the security of open source, outsourced code and commercial applications, a study by Forrester Consulting has found.

Of the 180 UK and US businesses surveyed, 62% had been hit by security breaches that exploited software vulnerabilities in the past year.

This will only get worse as organisations turn to open source code and outsourcing to cut costs, said Matt Moynahan, CEO of Veracode, which commissioned the study.

More than half (57%) of the companies polled said they regularly use outsourcing for business-critical applications, but only a third carry out rigorous security testing.

But in-house and commercial code is also unlikely to have a high level of built-in security, according to the survey, which was released at Infosecurity Europe 2009 in London today.

More than half (57%) of the respondents, including some software suppliers, said they do not have systematic training programmes for developers on how to code securely.

Only 34% said they have comprehensive software development processes in place to ensure security in application development.

The survey also found that only 13% of companies know the security quality or risk profile of their business-critical applications.

This shows that few organisations benchmark business-critical applications against industry standards such as the SANS Institute's top 25 code flaws, according to Moynahan.

"Most organisations would not be able to say whether their application code is free of the 10 worst application security vulnerabilities," he said.

Nearly two-thirds (64%) of the organisations polled said that while application security is important, they are struggling to meet the challenge on existing budgets.

"The survey shows the challenge is assessing code to find and identify security vulnerabilities in a cost-effective way," said Moynahan.

Since Veracode introduced a cloud-based service to meet this need, Barclays Bank, Experian and Delta Airlines are among the businesses that have signed up.

"Cloud-based services make it possible for organisations to implement a best practices programme [for ensuring secure applications] without having all the security expertise," he said.