Homegrown Software is Not Secure

Nearly one-third of critical infrastructure organizations have suffered a security breach of internally-developed software

Ask 100 security professionals to name a weak link in the cyber security chain, and a majority will point to software vulnerabilities. This is especially true in two areas: 1) Internally-developed software where developers may lack the skills or motivation to write secure code, and 2) Web applications where rapid development and functionality trump security concerns. How vulnerable are today's web apps? Here's how the IBM X-Force answered this question in its 2008 Trend and Risk Report: "Web applications in general have become the Achilles Heel of Corporate IT Security. Nearly 55% of vulnerability disclosures in 2008 affect web applications, and this number does not include custom-developed applications (only off-the-shelf packages). Seventy-four percent of all Web application vulnerabilities disclosed in 2008 had no available patch to fix them by the end of the year." ESG Research looked further into software security in its recently published report, "Assessing Cyber Supply Chain Security Vulnerabilities Within the U.S. Critical Infrastructure" (note: this report is available for free download at the ESG website, www.enterprisestrategygroup.com). Security professionals working at critical infrastructure organizations were asked, "To the best of your knowledge, has your organization ever experienced a security incident directly related to the compromise of internally-developed software?" Alarmingly, 30% answered "yes." What does all this mean? IBM X-Force data clearly demonstrates an abundance of insecure web applications out in the market. ESG's data shows that many critical infrastructure organizations are not only writing insecure code but are also being compromised as a result of these vulnerabilities. Yikes! Insecure software is a problem that is too often swept under the rug because it isn't easily addressed with a tactical threat management tool Du Jour. Yes, software security requires new skills and processes but unless we make these changes we will continue to be vulnerable. If your lights go out sometime soon, insecure software may be to blame.

Copyright © 2011 IDG Communications, Inc.

Get the best of CSO ... delivered. Sign up for our FREE email newsletters!