Is outsourcing your evil twin?
By Davey Winder in Editorial
Posted in Data Protection, Blog
I love the run-up to the annual InfoSecurity Europe show, not least because it means I am assured of numerous press releases with the most wonderfully eye-grabbing headlines from exhibitors wanting to attract my attention and my time while visiting the show. One such release arrived in my inbox today, proclaiming that if you ‘Outsource your code’ then you are ‘more likely to be hacked.’
Naturally, I read on. The gist of the email was that, according to a report released today by IT analysis group Quocirca, the majority of companies manage to overlook the basic task of mandating security when they enter into an outsourcing agreement.
In fact, the report reveals that of the organisations that admitted to being frequently hacked, all outsource at least some of their coding, and 90 percent outsource more than 40 percent of it. The survey on which the report is based found that more than 60 percent of companies that outsource the coding of critical applications do not bother to mandate that security be built into those applications at all. This should come as little surprise if you ask me, especially if you delve deeper into the report and discover that 20 percent of UK companies don’t consider security when building their applications at all.
Heck, statistics abound which show that the software application layer is like a banana to a monkey as far as hackers are concerned when it comes to accessing critical data. The National Institute of Standards and Technology (NIST) reckons that 92 percent of vulnerabilities affecting computer networks are contained in software applications. Do the math and this whole issue starts to become really rather important, does it not?
I am not sure that I agree with the implication of the statement in the press release that says “an organisation that has not developed the code itself can never be absolutely certain that it is secure”, which would seem to suggest that outsourcing per se is the evil twin in this software sibling scenario. The truth is that even if you develop the code yourself from the bottom to the top you can never be 100 percent certain that it is secure, at least not for 100 percent of the time. New exploits can make code previously considered secure vulnerable, after all. This is more or less admitted in the release when it insists: “However strong a relationship with a third-party developer, or watertight the service-level agreements in place, a rogue developer can place vulnerabilities in the code that they develop, for example, by placing a backdoor in software that can be used to infiltrate a network in the future.” Yup, as could a rogue in-house developer, of course.
The report was supported by Fortify Software, whose Director, and former Cyber Security Advisor for the White House, Howard Schmidt comments: “These survey results help explain the recent, sudden rise in data breaches and should serve as a wake-up call to any executive whose company sits on a pile of mission-critical application code.” Again, I am not so sure I agree. The results suggest to me something that I already know, and would hope that those executives sitting on mission-critical application code would also already know: that security is pretty darn important throughout the application lifecycle.
Fran Howarth, Principal Analyst at Quocirca and author of the report, adds: “The findings of this report indicate that not enough is being done by organisations to build security into the applications on which their businesses rely. Not only that, but they are entrusting large parts of their application development needs to third parties. This creates an even greater onus for organisations to thoroughly test all code generated for applications, without which they could be playing into the hands of hackers.”
Now that I can agree with 100 percent.
Comment by Matt Moynahan - April 8, 2008 at 7:51 am
Davey, you hit the nail squarely on the head! Yes, offshore code development is a security risk, and it has been impossible up till now to test effectively the code coming in from developers in India, Russia etc. The bottom line is you need to take a holistic approach to application security testing. There are services coming on the market now which can test the entire code base independently and give measured feedback against accepted industry standards. Using these and making application security testing mandatory is the way forward.