[Owasp-Mumbai] Why application security is crucial and what companies are doing about it

Dharmesh Mehta dharmeshmm at owasp.org
Fri May 2 00:38:37 EDT 2008

*Article from IT-Director.com*


*Today, many organisations are increasingly reliant on software application
development to deliver them competitive edge. Simultaneously, they are
progressively opening up their computer networks to business partners,
customers and suppliers and making use of next-generation programming
languages and computing techniques to provide a richer experience for these
users. However, hackers are refocusing their attention on the
vulnerabilities and flaws contained in those applications. As this report
shows, organisations that use the tools available for improving the
security of the applications that they develop spend less on IT security
overall and, as a result, are less vulnerable.*

*Outsourcing of code development is widespread. However, given the lack of
visibility into coding practices, it is fundamentally insecure.*

   - Of those organisations that admit to being frequently hacked, all
   outsource at least some software development, with almost 90% outsourcing
   more than 40%. Germans are the least likely to outsource, but 61% of US
   organisations outsource more than 40% of code development. Financial
   services firms are the highest outsourcers, but could be putting themselves
   at serious risk.

*Exposure to Web 2.0 technologies (among the least understood, but considered
to be among the most insecure technologies) is high, but many manage their
use through policies alone.*

   - 58% of respondents are using Web 2.0 applications, including those
   that they develop in-house. 39% of these govern usage of these applications
   through policies alone and more than 10% place no restrictions on their
   use. 45% of respondents make use of JavaScript/AJAX Web 2.0 programming
   tools, and up to 33% of respondents admit to being concerned about the
   vulnerabilities specific to Web 2.0 technologies.

*Organisations are exposing their applications to new security threats
through use of a SOA.*

   - 66% of respondents have adopted, or are in the process of adopting,
   a service-oriented architecture (SOA), although adoption is lowest in the UK
   at 50%. Adoption rises to 84% of German organisations, 71% of which are
   exposing existing applications as well, potentially leaving them more
   vulnerable to attack as some of these applications would originally have
   been intended for internal use only and therefore developed without concern
   for today's security threats.

*Data protection is the key driver behind application security for the vast

   - 82% of respondents cite compliance with data protection regulations
   as their priority, rising to 91% in the UK. Financial services organisations
   are the most concerned with protecting data through superior application

*Using automated tools for building security into the software development
lifecycle translates to lower overall spend on IT security.*

   - Over 10% of UK respondents spend more than 15% of their IT budget on
   security, but are the least likely to use automated tools for application
   security. Conversely, 96% of German organisations spend less than 10% of
   their IT budgets on security and make the most use of automated tools for
   building security into applications during the early stages of the software
   development lifecycle. Yet most respondents could do more to improve
   security; for example, only 25% of respondents use risk rating systems for
   testing code against known vulnerabilities.

*CONCLUSION:* The fact that software applications contain flaws that can be
exploited by hackers is nothing new. That organisations are increasingly
reliant on bespoke applications to maintain a competitive edge, and are
outsourcing a significant proportion of the coding for these applications to
third parties, is an alarming trend. The need to make business processes
more efficient is leading them to expose more of their applications through
the use of new programming techniques and technologies, some of which are
known to introduce new vulnerabilities into applications, but which are not
yet clearly understood. It is now more imperative than ever that
organisations developing software applications use automated tools to ensure
that security is built in at an early stage of the development lifecycle to
significantly reduce the risks to which organisations are being exposed.

*Thanks & Regards,*

*Dharmesh M Mehta* | Technology Cell | Unit 183, SDF-6 SEEPZ, Mumbai,
India |
(O) +91-22-6695 2222 Ext: 1501 | (M) +91 98670 75327 | www.mastek.com