Today, many organisations are increasingly reliant on software application development to deliver a competitive edge. Simultaneously, they are progressively opening up their computer networks to business partners, customers and suppliers and making use of next-generation programming languages and computing techniques to provide a richer experience for these users. However, hackers are refocusing their attention on the vulnerabilities and flaws contained in those applications. As this report shows, organisations that use the tools available for improving the security of the applications they develop spend less on IT security overall and, as a result, are less vulnerable.
Outsourcing of code development is widespread. However, because it gives the commissioning organisation little visibility into the supplier's coding practices, it is fundamentally insecure.
Of those organisations that admit to being frequently hacked, all outsource at least some software development, with almost 90% outsourcing more than 40%. Germans are the least likely to outsource, but 61% of US organisations outsource more than 40% of code development. Financial services firms are the highest outsourcers, but could be putting themselves at serious risk.
Exposure to Web 2.0 technologies—among the least understood, but considered to be among the most insecure technologies—is high, but many manage their use through policies alone.
Organisations are exposing their applications to new security threats through use of a SOA.
66% of respondents have adopted, or are in the process of adopting, a service-oriented architecture (SOA), although adoption is lowest in the UK at 50%. Adoption rises to 84% of German organisations, 71% of which are exposing existing applications as well—potentially leaving them more vulnerable to attack as some of these applications would originally have been intended for internal use only and therefore developed without concern for today’s security threats.
Data protection is the key driver behind application security for the vast majority.
82% of respondents cite compliance with data protection regulations as their priority, rising to 91% in the UK. Financial services organisations are the most concerned with protecting data through superior application security.
Using automated tools for building security into the software development lifecycle translates to lower overall spend on IT security.
Over 10% of UK respondents spend more than 15% of their IT budget on security—but are the least likely to use automated tools for application security. Conversely, 96% of German organisations spend less than 10% of their IT budgets on security and make the most use of automated tools for building security into applications during the early stages of the software development lifecycle. Yet most respondents could do more to improve security—for example, only 25% of respondents use risk rating systems for testing code against known vulnerabilities.
CONCLUSION: The fact that software applications contain flaws that can be exploited by hackers is nothing new. That organisations are increasingly reliant on bespoke applications to maintain a competitive edge, and are outsourcing a significant proportion of the coding for these applications to third parties, is an alarming trend. The need to make business processes more efficient is leading them to expose more of their applications through the use of new programming techniques and technologies, some of which are known to introduce new vulnerabilities into applications, but which are not yet clearly understood. It is now more imperative than ever that organisations developing software applications use automated tools to ensure that security is built in at an early stage of the development lifecycle to significantly reduce the risks to which organisations are being exposed.