Many companies that outsource applications do not specify what checks should be made on the finished product's security, according to a new report released at RSA Europe.
Additionally, the report uncovered serious flaws in outsourcing practices in certain sectors. Fran Howath, principal security analyst at Quocirca, said: “The most experienced outsourcers aren't having problems, but those doing ad-hoc outsourcing are having real issues – 30 per cent of projects undertaken by finance firms have led to legal action being taken. It's absolutely critical that the outsourcing contract is carefully thought out and absolutely watertight. Without this, businesses are going to get hit, badly.”
The report, 'Winning Outsourcing Strategies', found that in the retail and public sectors 62.5 per cent of organisations check delivered code with automated code scanners, compared to just 32.5 per cent of finance firms, which outsource the least of all. In addition, just 40 per cent of finance firms test their applications for the most common vulnerability, cross-site scripting, compared to 82.5 per cent of retailers.
Jack Danahy, founder and CTO of Ounce Labs, said: “We are seeing a real confluence here: as more applications are outsourced, hackers are attacking applications more, and businesses are outsourcing services without fully considering the security implications – this is a huge issue and needs addressing urgently.”