Today, many organizations are increasingly reliant on software application development to deliver them competitive edge. Simultaneously, they are progressively opening up their computer networks to business partners, customers and suppliers and making use of next-generation programming languages and computing techniques to provide a richer experience for these users. However, hackers are refocusing their attention on the vulnerabilities and flaws contained in those applications.
QUOCIRCA INSIGHT REPORT March 2008
Why application security is crucial... and what companies are doing about it

Today, many organisations are increasingly reliant on software application development to deliver them competitive edge. Simultaneously, they are progressively opening up their computer networks to business partners, customers and suppliers and making use of next-generation programming languages and computing techniques to provide a richer experience for these users. However, hackers are refocusing their attention on the vulnerabilities and flaws contained in those applications. As this report shows, organisations that use the tools available for improving the security of the applications that they develop spend less on IT security overall and, as a result, are less vulnerable.

• Outsourcing of code development is widespread. However, given the lack of visibility into coding practices, it is fundamentally insecure. Of those organisations that admit to being frequently hacked, all outsource at least some software development, with almost 90% outsourcing more than 40%. Germans are the least likely to outsource, but 61% of US organisations outsource more than 40% of code development. Financial services firms are the highest outsourcers, but could be putting themselves at serious risk.

• Exposure to Web 2.0 technologies (among the least understood, but considered to be among the most insecure technologies) is high, but many manage their use through policies alone. 58% of respondents are using Web 2.0 applications, including those that they develop in-house. 39% of these govern usage of these applications through policies alone and more than 10% place no restrictions on their use. 45% of respondents make use of JavaScript/AJAX Web 2.0 programming tools, and up to 33% of respondents admit to being concerned about the vulnerabilities specific to Web 2.0 technologies.

• Organisations are exposing their applications to new security threats through use of a SOA. 66% of respondents have adopted, or are in the process of adopting, a service-oriented architecture (SOA), although adoption is lowest in the UK at 50%. Adoption rises to 84% of German organisations, 71% of which are exposing existing applications as well, potentially leaving them more vulnerable to attack as some of these applications would originally have been intended for internal use only and therefore developed without concern for today's security threats.

• Data protection is the key driver behind application security for the vast majority. 82% of respondents cite compliance with data protection regulations as their priority, rising to 91% in the UK. Financial services organisations are the most concerned with protecting data through superior application security.

• Using automated tools for building security into the software development lifecycle translates to lower overall spend on IT security. Over 10% of UK respondents spend more than 15% of their IT budget on security, but are the least likely to use automated tools for application security. Conversely, 96% of German organisations spend less than 10% of their IT budgets on security and make the most use of automated tools for building security into applications during the early stages of the software development lifecycle. Yet most respondents could do more to improve security; for example, only 25% of respondents use risk rating systems for testing code against known vulnerabilities.

CONCLUSION: The fact that software applications contain flaws that can be exploited by hackers is nothing new. That organisations are increasingly reliant on bespoke applications to maintain a competitive edge, and are outsourcing a significant proportion of the coding for these applications to third parties, is an alarming trend. The need to make business processes more efficient is leading them to expose more of

Contacts:
Fran Howarth
Quocirca Ltd
Tel +31 35 691 1133
fran.howarth@quocirca.com

Clive Longbottom
Quocirca Ltd
Tel +44 118 945 3360
clive.longbottom@quocirca.com

Research Note:
The information presented in this report is based on a survey of 250 IT directors, senior IT managers and C-level executives in Germany, the UK and the US. It was completed in December 2007 and January 2008. Those surveyed included organisations from 1,000 employees up to large multinationals within a wide range of industrial sectors. Quocirca would like to thank all the respondents to the survey f...