Although outsourcing application development is growing in popularity, a widespread ignorance of key issues could compromise enterprise security.
Many companies that outsource applications do not specify what checks should be made on the finished product's security, according to a new report released at RSA Europe.
Additionally, the report uncovered serious flaws in outsourcing practices in certain sectors.
Fran Howarth, principal security analyst at Quocirca, said: “The most experienced outsourcers aren't having problems, but those doing ad-hoc outsourcing are having real issues – 30 per cent of projects undertaken by finance firms have led to legal action being taken. It's absolutely critical that the outsourcing contract is carefully thought out and absolutely watertight. Without this, businesses are going to get hit, badly.”
The report, 'Winning Outsourcing Strategies', found that in the retail and public sectors, 62.5 per cent check delivered code with automated code scanners, compared to just 32.5 per cent of finance firms, which outsource the least of all. In addition, just 40 per cent of finance firms test their applications for the most common vulnerability—cross-site scripting—compared to 82.5 per cent of retailers.
Jack Danahy, founder and CTO of Ounce Labs, said: “We are seeing a real confluence here: as more applications are outsourced, hackers are attacking applications more, and businesses are outsourcing services without fully considering the security implications – this is a huge issue and needs addressing urgently.”