

IT Analysis – The changing face of application security
By Fran Howarth, Principal Analyst, Quocirca Ltd

Software applications are the backbone of businesses today. A recent survey conducted by Quocirca, commissioned by Fortify Software, of 250 organisations in the US, the UK and Germany, found that developing or modifying software applications is business critical or very important to two-thirds of organisations. Not only that, but reliance on software development is increasing and bespoke application development is seen as a competitive differentiator for end-user organisations.

Not only are bespoke or modified software applications becoming more important, but they are increasingly being web-enabled over networks that are being opened up to access by employees, business partners, suppliers and customers. This increases productivity by allowing for greater collaboration and by speeding up the rate at which transactions can be performed.

But it is a double-edged sword. Many large enterprises have thousands of web-enabled applications running over their networks and their developers are under pressure to release new applications at an ever faster rate. The internet is also no longer the static marketing tool for organisations that characterised it during the 1990s. Dynamically changing content is the order of the day—and that means that applications are frequently updated, with extra functionality being added at a fast and furious pace.

Each of these applications may contain thousands, or even millions, of lines of code, making it likely that at least some bugs have been incorporated along the way. Accepted levels are that there will be 0.5 significant errors per thousand lines of code, so a fairly small, 10,000 line application will have five significant errors within it—somewhere. Each of those errors could make the application vulnerable to attack and that is playing into the hands of hackers. Gone are the days of script kiddies; now a new breed of hacker has emerged that hunts for insecurely written code and vulnerabilities in software applications that will allow them to steal information contained in those applications. And, to an increasing extent, those attacks are specifically targeted—at an individual organisation or a certain individual.

The stakes are set to rise even higher as organisations turn to practices that could actually increase their risk of exposure even further, for three reasons.

First, the survey showed that organisations are fast adopting service oriented architectures (SOA), with 66% of respondents having already adopted, or being in the process of adopting, a SOA. Among German respondents, that percentage rises to 84%, 71% of which are exposing legacy applications—potentially leaving them more vulnerable to attack, as some of these applications would originally have been intended for internal use only and therefore developed without concern for today's security threats.

Second, organisations are also increasingly using next-generation Web 2.0 programming techniques and tools. The survey shows that 45% of respondents make use of JavaScript/AJAX programming tools in order to write applications that provide users with a much higher degree of interaction than traditional applications, and that enable dynamic, on-the-fly content to be produced. However, these new programming techniques actually increase the chance of applications containing vulnerabilities. For example, many Web 2.0 programming techniques make use of JavaScript as the data transport mechanism, which exposes more of the business logic of the applications, such as access controls, at the browser level instead of at the server level, meaning that it is more exposed to users, and therefore to hackers. The problems involved are not yet widely understood, but a significant number of organisations report that they are encountering vulnerabilities that are specific to the new programming tools.
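The Web 2.0 point above, that business logic such as access control ends up enforced in browser-side JavaScript, is easiest to see in code. The following is an added example, not code from the Quocirca article or from Fortify: it models a small AJAX-style JSON endpoint in two versions, one that trusts the identity fields the page's script posts about itself (the check lives in the browser) and one that derives identity from a server-side session. Requests are plain objects so the file runs offline under Node.js; every user, session token, record and route name is constructed for illustration.

```javascript
'use strict';
// Added example, not code from the Quocirca article or from Fortify. It models
// the risk the article describes: access control pushed into browser-side
// JavaScript versus access control enforced on the server. Requests are plain
// objects so the file runs offline under Node.js. All data is constructed.

// Constructed records served by the endpoint.
const REPORTS = {
  'r-1': { id: 'r-1', owner: 'alice', body: 'Q3 sales figures' },
  'r-2': { id: 'r-2', owner: 'bob', body: 'Payroll summary' },
};

// Constructed server-side session table: opaque cookie value -> identity.
const SESSIONS = {
  's-alice': { name: 'alice', role: 'user' },
  's-bob': { name: 'bob', role: 'user' },
  's-carol': { name: 'carol', role: 'admin' },
};

// The one business rule: the owner of a report, or an admin, may read it.
function mayRead(identity, report) {
  return identity.role === 'admin' || report.owner === identity.name;
}

// Vulnerable pattern: the page's JavaScript applies mayRead() to decide whether
// to show the "open" button, then posts its own view of who the user is. The
// server treats that client-supplied identity as fact, so the rule is only
// ever enforced inside the user's browser, where it can be read and altered.
function vulnerableGetReport(request) {
  const report = REPORTS[request.query.id];
  if (!report) return { status: 404, body: null };
  const claimed = { name: request.body.user, role: request.body.role };
  return mayRead(claimed, report)
    ? { status: 200, body: report }
    : { status: 403, body: null };
}

// Hardened pattern: identity comes from the server-side session looked up by
// cookie; anything the client says about itself in the body is ignored. The
// browser-side check may stay for usability, but it no longer guards the data.
function hardenedGetReport(request) {
  const identity = SESSIONS[request.cookies.session];
  if (!identity) return { status: 401, body: null };
  const report = REPORTS[request.query.id];
  if (!report) return { status: 404, body: null };
  return mayRead(identity, report)
    ? { status: 200, body: report }
    : { status: 403, body: null };
}

// Builds the request a well-behaved page would send: its session cookie plus
// the identity fields the vulnerable server expects to find in the body.
function pageRequest(sessionId, reportId) {
  const identity = SESSIONS[sessionId];
  return {
    cookies: { session: sessionId },
    query: { id: reportId },
    body: { user: identity.name, role: identity.role },
  };
}

// Runs both handlers on the same request and returns the two status codes, so
// "checked in the browser" and "checked on the server" can be compared.
function compare(request) {
  return {
    vulnerable: vulnerableGetReport(request).status,
    hardened: hardenedGetReport(request).status,
  };
}

// Stand-alone run: a request exactly as the page sends it, and the same
// session with the body fields changed after the page's script ran. The
// browser is under its user's control, so nothing computed there is trustworthy.
const honest = pageRequest('s-bob', 'r-1');
const edited = { ...honest, body: { user: 'alice', role: 'admin' } };
console.log("bob reading alice's report, as the page sends it:", compare(honest));
console.log('same session, body fields changed in the browser:', compare(edited));
```

The vulnerable handler returns 403 for the request the page actually sends, which is why this class of defect passes functional testing: the application behaves correctly as long as the browser-side logic is honoured. Only the hardened handler, which ties the decision to the server-side session, returns 403 regardless of what the client asserts. The general rule the example illustrates is that client-side checks are a user-interface convenience and every authorisation decision must be repeated on the server with identity the server itself established.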

© 2008 Quocirca Ltd +44 118 948 3360

The third potentially insecure practice to which organisations are exposing themselves is that of trusting the development of their software applications to third parties. This requires that watertight service-level agreements be put in place to demand the highest standards of security be used in the development and testing of the software, and that the third parties can be held accountable for vulnerabilities that slip through the net. However, the survey does show that those organisations for which the importance of bespoke software development is increasing are least likely to outsource this activity, meaning that organisations do at least understand that outsourcing code development could be a less secure practice than keeping this

As well as these findings, the survey brings to light the fact that many organisations are not doing enough to actively build security into their applications at the design and development stages, nor are they making sufficient use of automated tools to test the security of the applications that they develop. It is well known that fixing security flaws is more expensive than ensuring that they do not exist in the first place. It is imperative that security be considered at all stages of the software development lifecycle to ensure that organisations leave as few vectors of attack against their networks open as possible. In today's world, the penalties for sloppy security practices that lead to data leaking out of an organisation are high, and no one wants to be the subject of the next negative



About Quocirca
Quocirca is a primary research and analysis company specialising in the business impact of information technology
and communications (ITC). With world-wide, native language reach, Quocirca provides in-depth insights into the
views of buyers and influencers in large, mid-sized and small organisations. Its analyst team is made up of real-
world practitioners with first hand experience of ITC delivery who continuously research and track the industry
and its real usage in the markets.

Through researching perceptions, Quocirca uncovers the real hurdles to technology adoption – the personal and
political aspects of an organisation’s environment and the pressures of the need for demonstrable business value in
any implementation. This capability to uncover and report back on the end-user perceptions in the market enables
Quocirca to advise on the realities of technology adoption, not the promises.

Quocirca research is always pragmatic, business orientated and conducted in the context of the bigger picture. ITC
has the ability to transform businesses and the processes that drive them, but often fails to do so. Quocirca’s
mission is to help organisations improve their success rate in process enablement through better levels of
understanding and the adoption of the correct technologies at the correct time.

Quocirca has a pro-active primary research programme, regularly surveying users, purchasers and resellers of ITC
products and services on emerging, evolving and maturing technologies. Over time, Quocirca has built a picture of
long term investment trends, providing invaluable information for the whole of the ITC community.

Quocirca works with global and local providers of ITC products and services to help them deliver on the promise
that ITC holds for business. Quocirca’s clients include Oracle, Microsoft, IBM, Dell, T-Mobile, Vodafone, EMC,
Symantec and Cisco, along with other large and medium sized vendors, service providers and more specialist

Details of Quocirca’s work and the services it offers can be found at
