The
survey, carried out on behalf of security software company Fortify,
found a correlation between hacking incidents and the outsourcing
of software development.
"Outsourcing of code development is widespread. However, given
the lack of visibility into coding practices, it is fundamentally
insecure," said the report by research firm Quocirca.
The research found that large organisations are increasingly
relying on custom-made software to give their businesses a
competitive edge, but that this process introduces security
weaknesses into their companies.
"That organisations are increasingly reliant on bespoke
applications to maintain a competitive edge, and are outsourcing a
significant proportion of the coding for these applications to
third parties, is an alarming trend," said the report. "The need to
make business processes more efficient is leading them to expose
more of their applications through the use of new programming
techniques and technologies, some of which are known to introduce
new vulnerabilities into applications, but which are not yet
clearly understood."
"These survey results help explain the recent, sudden rise in
data breaches and should serve as a wake-up call to any executive
whose company sits on a pile of mission-critical application code,"
said Howard Schmidt, a director of Fortify.
Financial services companies were found by the survey to be the
most likely to outsource their software development. In that sector
72% of surveyed companies said they outsource more than 40% of
their software development.
These companies are up against a new type of hacker, the survey
said. "Hackers are becoming more sophisticated, no longer looking
to launch widespread attacks for notoriety – instead they are
launching stealth attacks against specific targets for financial
gain," it said.
"New types of attack are becoming more common that target areas
where defences are the weakest - the software applications that run
on computer networks. New types of hackers are emerging that look
for insecurely written code and hunt for vulnerabilities in
software applications that will allow them to steal information
generated by those applications."
The survey found that 60% of companies that outsource the
writing of software do not mandate that security be built into the
application itself. It found that 20% of UK companies that
outsource coding do not even think about security when ordering
their software.
According to Fortify, the issue will only grow in importance as
more and more companies outsource the development of software.
"This creates an even greater onus for organisations to
thoroughly test all code generated for applications, without which
they could be playing into the hands of hackers," said Fran
Howarth, principal analyst at Quocirca.