Software design shortcuts can create costly security errors

Businesses are leaving themselves exposed to expensive security errors because they are failing to put enough time and effort into designing their software.

An analysis of 45 software applications created by major financial companies with over $3.5bn (£2.2bn) in turnover, shows that nearly half contain serious defects that could have been easily fixed had they been spotted during the design phase.

The research, from security company @Stake, suggests that many companies are skimping the initial stages of software development, only to face higher costs when they correct mistakes after implementation.

The most common error, the research shows, based on an analysis of penetration test results, was a failure to properly secure access to critical systems and to authenticate the employees using them.

Two-thirds of the packages allowed hackers to bypass access controls and a quarter allowed unencrypted passwords to travel on the company network.

Many applications failed to properly check the validity of data input, leaving them wide open to attack. About 70% were at risk from hackers who could potentially gain access to machines by submitting Web forms containing embedded code, rather than the text responses the packages were expecting.
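The data-checking failure described above comes down to accepting whatever a form submits instead of checking it against what the field was designed to hold. The following is an added example, not code from the @Stake research or the article: a hypothetical allow-list validator for a constructed account-lookup form, where each field has a declared format and anything outside it (markup, script, extra fields, oversized values) is rejected before the application acts on it.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class FieldSpec:
    """What the application expects a given form field to contain."""
    pattern: re.Pattern   # allow-list of acceptable content
    max_len: int          # hard size limit, checked before the regex


# Constructed specification for a sample form (hypothetical field names).
FORM_SPEC = {
    "account_id": FieldSpec(re.compile(r"^[0-9]{8}$"), 8),
    "customer_name": FieldSpec(re.compile(r"^[A-Za-z][A-Za-z' \-]*$"), 60),
    "memo": FieldSpec(re.compile(r"^[A-Za-z0-9 .,!?]*$"), 200),
}


def validate_form(form, spec=FORM_SPEC):
    """Return (ok, errors) for a submitted form (a dict of field -> string).

    Validation is allow-list based: a value passes only if it matches the
    format the field was designed for. There is no attempt to strip or
    blacklist 'dangerous' characters, since embedded code simply fails to
    match the expected text pattern and is rejected outright.
    """
    errors = {}
    for name, rule in spec.items():
        value = form.get(name)
        if value is None:
            errors[name] = "missing"
        elif not isinstance(value, str) or len(value) > rule.max_len:
            errors[name] = "too long"
        elif not rule.pattern.fullmatch(value):
            errors[name] = "does not match expected format"
    # Fields the form was never designed to carry are rejected as well,
    # so a client cannot smuggle in parameters the handler did not expect.
    for name in form:
        if name not in spec:
            errors[name] = "unexpected field"
    return (not errors, errors)
```

The handler should only proceed when `ok` is true; the `errors` map is for logging and for a generic user-facing message, not for echoing the rejected value back into a page.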

A third of the applications failed to encrypt user session keys, making them potentially vulnerable to hackers who could use stolen session keys to access systems without passwords.

The research shows that those packages which had adequate access and authentication controls had an 88% lower business risk than those that did not. Those packages with proper data checking in place had a 77% lower business risk, and those that used end-to-end encryption on user sessions reduced their business risks by 90%.

According to @Stake, the cost of repairing security errors at the design stage is a hundredth of the cost of making repairs once the software is in service.
