Organizations today are increasingly reliant on business software for communicating and transacting with partners, customers and employees, and nearly half of that software is web-enabled to ease remote access. By opening up their networks in this way, however, these organizations become targets for increasingly technologically savvy criminals who seek to sabotage networks or to gain access to the sensitive data produced in them for financial gain.

Not only is reliance on software increasing; organizations are also outsourcing parts of their development activities to third parties, which presents them with the challenge of assessing the security of code they did not write. In addition, they are making greater use of next-generation programming technologies and techniques, many of which are likely to increase the chance of flaws being coded into software. Organizations are also under pressure to comply with a growing number of industry and government regulations, such as those on data protection, that have been put in place to counter these security issues.

All too often, the preventative security measures that organizations implement focus on keeping attackers out at the perimeter of the network rather than on ensuring that the networks themselves are inherently secure. Too little emphasis is placed on ensuring that the software applications running on those networks are free of the coding flaws that make them easy targets.

The aim of this report is to highlight the issues surrounding software application security and to examine the measures that organizations carrying out software application development take to ensure that those applications are secure. As background, interviews were conducted with persons responsible for, or actively involved in, developing software applications at 250 companies across Germany, the UK and the US (see Appendix A).
This report is intended for those with responsibility for application development at organizations that rely on such developed code to run their businesses. It discusses recent trends in software application development, describes the controls that organizations have in place for the software applications they develop, and sets out the benefits for those that get it right.

Increasing reliance on business software

Businesses now rely on computer networks for day-to-day communications with customers, partners and suppliers. A great deal of information is therefore produced and stored electronically, and many communications and transactions with business partners and customers are conducted electronically. This growing reliance on computer networks means that the software applications running on them have become a mission-critical source of competitive advantage for many companies (Figure 1). A key requirement for this is that communications with external users are opened up, in order to increase the speed at which business can be conducted, to drive down the cost of those communications and to increase profits. Doing so, however, exposes organizations to greater security risk, especially where applications were not originally developed to be exposed over open networks and their level of security may not be strong.

Where organizations see a competitive advantage to be gained from innovative software applications, their reliance on developing their own applications, or on modifying applications developed by third parties, is growing (Figure 2). The prevalence of patches and security updates for software applications, however, indicates that many of the applications on which businesses rely are insecure. According to NIST (the National Institute of Standards and Technology), 92% of vulnerabilities affecting computer networks are contained in software applications.
As organizations increasingly look to outsource application development, more components of software applications are being developed outside their direct control, although most will try to control the security applied to outsourced applications through service-level agreements. This presents further challenges in controlling the security of applications developed by third parties and in ensuring that such software cannot be used to infiltrate their networks, for example through a backdoor in the software. TD Ameritrade found this out to its cost when, in the summer of 2007, it was forced to disclose that personal details of 6.3 million customers had been leaked through a vulnerability caused by a backdoor created by a programmer. At the same time, it terminated a contract with a third-party development organization. As Figure 3 shows, those organizations for which software development is business critical or important are the least likely to outsource this activity.