Software applications are the backbone of businesses today. A recent survey conducted by Quocirca, commissioned by Fortify Software, of 250 organisations in the US, the UK and Germany, found that developing or modifying software applications is business critical or very important to two-thirds of organisations. Not only that, but reliance on software development is increasing and bespoke application development is seen as a competitive differentiator for end-user organisations.
Not only are bespoke or modified software applications becoming more important, but they are increasingly being web-enabled over networks that are being opened up to access by employees, business partners, suppliers and customers. This increases productivity by allowing for greater collaboration and by speeding up the rate at which transactions can be performed.
But it is a double-edged sword. Many large enterprises have thousands of web-enabled applications running over their networks and their developers are under pressure to release new applications at an ever faster rate. The internet is also no longer the static marketing tool for organisations that characterised it during the 1990s. Dynamically changing content is the order of the day, and that means that applications are frequently updated, with extra functionality being added at a fast and furious pace.
Each of these applications may contain thousands, or even millions, of lines of code, making it likely that at least some bugs have been incorporated along the way. Accepted levels are that there will be 0.5 significant errors per thousand lines of code, so a fairly small, 10,000 line application will have five significant errors within it, somewhere. Each of those errors could make the application vulnerable to attack, and that is playing into the hands of hackers. Gone are the days of script kiddies; a new breed of hacker has emerged that hunts for insecurely written code and vulnerabilities in software applications that will allow them to steal the information those applications hold. And, to an increasing extent, those attacks are specifically targeted, at an individual organisation or a particular individual.
The stakes are set to rise even higher as organisations turn to practices that could increase their risk of exposure still further, for three reasons.
First, the survey showed that organisations are fast adopting service oriented architectures (SOA), with 66% of respondents having already adopted, or being in the process of adopting, an SOA. Among German respondents, that percentage rises to 84%, and 71% of those are exposing legacy applications, potentially leaving them more vulnerable to attack, as some of these applications would originally have been intended for internal use only and therefore developed without regard for today's security threats.
Second, organisations are also increasingly using next-generation Web 2.0 programming techniques and tools. The survey shows that 45% of respondents make use of JavaScript/AJAX programming tools in order to write applications that give users a much higher degree of interaction than traditional applications, and that enable dynamic, on-the-fly content to be produced. However, these new programming techniques actually increase the chance of applications containing vulnerabilities. For example, many Web 2.0 programming techniques use JavaScript as the data transport mechanism, which places more of the application's business logic, such as access controls, in the browser instead of on the server, where it is exposed to users, and therefore to hackers. The problems involved are not yet widely understood, but a significant number of organisations report that they are encountering vulnerabilities that are specific to the new programming tools.
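As an added illustration of the browser-level access-control point above (example code, not from the article or the survey): a minimal Node.js model in which the vulnerable API ships the record together with an "allowed" flag for the browser's JavaScript to enforce, beside the hardened API that enforces the decision on the server against its own session store and ignores any role the client claims for itself. The record store, session store and function names are all constructed for this example.

```javascript
// Constructed data: a record store keyed by id, and the server's own
// session store, which is the only trustworthy source of identity.
const RECORDS = {
  1: { owner: "alice", body: "alice's salary" },
  2: { owner: "bob", body: "bob's salary" },
};
const SESSIONS = {
  "sess-alice": { user: "alice", role: "user" },
  "sess-admin": { user: "carol", role: "admin" },
};

function canRead(session, record) {
  return session.role === "admin" || session.user === record.owner;
}

// Vulnerable pattern: the server answers every request with the record and
// an "allowed" flag, leaving the browser's JavaScript to hide the body when
// allowed is false. The data has already left the server.
function weakApi(sessionId, recordId) {
  const session = SESSIONS[sessionId];
  const record = RECORDS[recordId];
  if (!session || !record) return { status: 404 };
  return { status: 200, allowed: canRead(session, record), record };
}

// The browser-side check: it decides what is displayed, not what is
// disclosed, so it is a presentation choice rather than an access control.
function weakBrowserView(resp) {
  return resp.status === 200 && resp.allowed ? resp.record.body : "(hidden)";
}

// Hardened pattern: the decision is made and enforced on the server using
// the session's identity only. Fields the client sends about itself (a
// forged "role", for instance) are never consulted, and a denied request
// carries no record data at all.
function hardenedApi(sessionId, recordId, _clientClaims = {}) {
  const session = SESSIONS[sessionId];
  const record = RECORDS[recordId];
  if (!session || !record) return { status: 404 };
  if (!canRead(session, record)) return { status: 403 };
  return { status: 200, record: { body: record.body } };
}

// Stand-alone demonstration: alice asks for bob's record under both designs.
const leaked = weakApi("sess-alice", 2);
console.log("weak API, browser view :", weakBrowserView(leaked));
console.log("weak API, raw response :", JSON.stringify(leaked.record));
console.log("hardened API status    :", hardenedApi("sess-alice", 2, { role: "admin" }).status);
```

The weak design hides the body in the page while still transmitting it; the hardened design returns 403 with no body, whatever the client claims about its role.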
The third potentially insecure practice to which organisations are exposing themselves is that of trusting the development of their software applications to third parties. This requires that watertight service-level agreements be put in place to demand the highest standards of security be used in the development and testing of the software, and that the third parties can be held accountable for vulnerabilities that slip through the net. However, the survey does show that those organisations for which the importance of bespoke software development is increasing are least likely to outsource this activity, meaning that organisations do at least understand that outsourcing code development could be a less secure practice than keeping this in-house.
As well as these findings, the survey brings to light the fact that many organisations are not doing enough to actively build security into their applications at the design and development stages, nor are they making sufficient use of automated tools to test the security of the applications that they develop. It is well known that fixing security flaws is more expensive than ensuring that they do not exist in the first place. It is imperative that security be considered at all stages of the software development lifecycle, so that organisations leave as few vectors of attack against their networks open as possible. In today's world, the penalties for sloppy security practices that lead to data leaking out of an organisation are high, and no one wants to be the subject of the next negative headline.