Infosec 2009: Poor application security causes 62% of data breaches, study finds

Businesses are not doing enough to ensure the security of open source, outsourced code and commercial applications, a study by Forrester Consulting has found.
Of the 180 UK and US businesses surveyed, 62% had been hit by security breaches that exploited software vulnerabilities in the past year.

This will only get worse as organisations turn to open source code and outsourcing to cut costs, said Matt Moynahan, CEO of Veracode, which commissioned the study.

More than half (57%) of the companies polled said they regularly use outsourcing for business-critical applications, but only a third carry out rigorous security testing.

But in-house and commercial code is also unlikely to have a high level of built-in security, according to the survey, which was released at Infosecurity Europe 2009 in London today.

More than half (57%) of the respondents, including some software suppliers, said they do not have systematic training programmes for developers on how to code securely.

Only 34% said they have comprehensive software development processes in place to ensure security in application development.

The survey also found that only 13% of companies know the security quality or risk profile of their business-critical applications.

This shows that few organisations benchmark business-critical applications against industry standards such as the Sans Institute's top 25 code flaws, according to Moynahan.

"Most organisations would not be able to say whether their application code is free of the 10 worst application security vulnerabilities," he said.

Nearly two-thirds (64%) of the organisations polled said that while application security is important, they are struggling to meet the challenge on existing budgets.

"The survey shows the challenge is assessing code to find and identify security vulnerabilities in a cost-effective way," said Moynahan.

Since Veracode introduced a cloud-based service to meet this need, Barclays Bank, Experian and Delta Airlines are among the businesses that have signed up.

"Cloud-based services make it possible for organisations to implement a best practices programme [for ensuring secure applications] without having all the security expertise," he said.
