The Perils of Outsourcing Code

A new report has highlighted the dangers of organizations outsourcing the coding of their critical applications, yet failing to mandate that security must be built into these applications.

The report, produced by the European information technology analysis group Quocirca, is based on a survey of 250 IT directors, senior IT managers and C-level executives in Germany, the UK and the US. Of those organizations that admitted to being frequently hacked, all of them outsourced at least some of their coding practice, with nine out of ten organizations outsourcing more than 40%.

The potential problem lies in the fact that most hackers are accessing critical data via the software application layer. According to NIST (the National Institute of Standards and Technology), 92% of vulnerabilities affecting computer networks are contained in software applications. As organizations increasingly look to outsource application development, more components of software applications are being developed outside of their direct control.

An organization that has not developed the code itself can never be absolutely certain that it is secure. However strong the relationship with a third-party developer, or however watertight the service-level agreements in place, a rogue developer can introduce vulnerabilities into the code they deliver – for example, by planting a backdoor in the software that can later be used to infiltrate the network.

Fran Howarth, Principal Analyst at Quocirca and author of the report, commented: "The findings of this report indicate that not enough is being done by organizations to build security into the applications on which their businesses rely. Not only that, but they are entrusting large parts of their application development needs to third parties. This creates an even greater onus for organizations to thoroughly test all code generated for applications – without which they could be playing into the hands of hackers."

© Exaprotect. All Rights Reserved.