"Finance companies are putting themselves at serious risk," said Fran Howarth, principal analyst at research company Quocirca, who carried out the study. She said that by failing to specify in clear detail what was expected from applications, financial services companies were more likely to get applications that were insecure and unfit for their purpose.
By contrast, the retail and public sectors achieved a much higher proportion of successful projects, said Howarth, mainly because they had more experience of the process and had learned how to write proper contracts.
"The importance of getting the contract right cannot be stressed enough," said Howarth. "Organisations with the most experience stipulate the most stringent functional and security requirements in the outsourcing contract."
The best companies also go through stringent testing of code once they receive it from the outsourcers. Among the leaders in the retail and public sectors, 62.5 per cent do automated code scanning, compared with just 32.5 per cent in the finance sector. And while 82.5 per cent of retailers test for cross-site scripting, one of the most common code vulnerabilities, this is done at only 40 per cent of financial services companies.
The research was sponsored by Ounce Labs Inc., which specialises in code checking. The founder and CTO of the software risk analysis company, Jack Danahy, said: "A lot of companies don't understand the problem well enough, so they end up having a fist-fight with the outsourcing company when a vulnerability is found."
Danahy also rejected any notion that the problem was worse for companies having applications developed offshore, saying specifications and contracts need to be watertight, wherever the outsourcer is based, and need to go into specific detail. "For instance, if you don't ever want the CVC code on a credit card to be stored, you have to put it in the contract," he said.
Danahy added that Ounce has produced boilerplate contracts that companies can download from its website, and tailor to their needs.
Howarth, of Quocirca, also warned that the growing trend towards cloud computing and software as a service will require the same standard of care when drawing up service contracts. "Some companies fail to realise that cloud computing and SaaS are forms of outsourcing, too," she said.
That means specifying who has access to your data – which only 47.5 per cent of finance companies do, compared with 70 per cent in the public sector – and demanding some level of recognised certification. While 82.5 per cent of public and retail sector organisations demand certification, only 37.5 per cent of financial sector firms think to ask for it.
Both Howarth and Danahy emphasised the need for companies to test applications in their own environments. "Testing typically accounts for a third of the cost of development, and you should expect the outsourcer to carry out the bulk of it," said Howarth. "But you always need to check it yourself as well, especially as you need to see how it operates in the production environment and connects to other systems."
The full report 'Winning Outsourcing Strategies' is available for download at www.quocirca.com.