Services -> Outsourcing
By: Bob Tarzey, Service Director, Quocirca
Published: 8th March 2012
Copyright Quocirca © 2012
A new Quocirca report underlines the scale of the application security challenge faced by businesses. The average enterprise tracks around 500 mission-critical applications; in financial services organisations it is closer to 800. The security challenge arises because more and more of these applications are web-enabled. Furthermore, businesses are increasingly relying on software provided as a service (SaaS) and apps that run on mobile devices, both of which are, by definition, web-enabled.
Businesses worry about application security for three reasons. First, security failures leave them vulnerable to hackers and malware; secondly, auditors expect application security to be demonstrable; and third, customers, with who they share business processes via applications, are also increasingly likely to seek security guarantees.
There are a number of approaches that can be taken to ensure better application security. For in-house developed software, best practices can be better ensured through training of developers. For commercially acquired software, due diligence during procurement is necessary, seeking assurances from independent software vendors (ISV). However, these measures can never ensure that software is 100% secure.
For this reason there are three other approaches which should be considered:
100% software security is never going to be guaranteed and many organisations use multiple approaches to maximise protection. However, interestingly, as one of the reasons for having demonstrable software security is to satisfy auditors, compliance bodies do not themselves mandate multiple approaches for compliance. For example the Payment Card Industry Security Standards Council (PCI-SSC) deems code scanning to be an acceptable alternative to a WAF.
For today’s businesses the use of software is not a choice; however the methods chosen to improve software security and, in turn, the costs involved and the benefits achieved are. Using the right mix of approaches at all stages of the software development, procurement and deployment life cycle will improve the efficiency, reliability, security, compliance and competitiveness of business processes.
Quocirca’s report “Outsourcing the problem of software security” is freely available here:
From Quocirca there will also be an online webinar, a recording of which will be available from March 16th 2012 here:
We automatically stop accepting comments 180 days after a post is published. If you would like to know more about this subject, please contact us and we'll try to help.
Published by: electronicdawn Ltd.