Businesses are not doing enough to ensure the security of open source, outsourced code and commercial applications, a study by Forrester Consulting has found.
Of the 180 UK and US businesses surveyed, 62% had been hit by security breaches that exploited software vulnerabilities in the past year.
This will only get worse as organisations turn to open source code and outsourcing to cut costs, said Matt Moynahan, CEO of Veracode, which commissioned the study.
More than half (57%) of the companies polled said they regularly use outsourcing for business-critical applications, but only a third carry out rigorous security testing.
But in-house and commercial code is also unlikely to have a high level of built-in security, according to the survey, which was released at Infosecurity Europe 2009 in London today.
More than half (57%) of the respondents, including some software suppliers, said they do not have systematic training programmes for developers on how to code securely.
Only 34% said they have comprehensive software development processes in place to ensure security in application development.
The survey also found that only 13% of companies know the security quality or risk profile of their business-critical applications.
This shows that few organisations benchmark business-critical applications against industry standards such as the SANS Institute's Top 25 code flaws, according to Moynahan.
"Most organisations would not be able to say whether their application code is free of the 10 worst application security vulnerabilities," he said.
Nearly two-thirds (64%) of the organisations polled said that while application security is important, they are struggling to meet the challenge on existing budgets.
"The survey shows the challenge is assessing code to find and identify security vulnerabilities in a cost-effective way," said Moynahan.
Since Veracode introduced a cloud-based service to meet this need, Barclays Bank, Experian and Delta Airlines are among the businesses that have signed up.
"Cloud-based services make it possible for organisations to implement a best practices programme [for ensuring secure applications] without having all the security expertise," he said.