Enterprise Strategy Group | Getting to the bigger truth.™

Homegrown Software is Not Secure

Ask 100 security professionals to name a weak link in the cyber security chain, and a majority will point to software vulnerabilities. This is especially true in two areas: 1) Internally-developed software where developers may lack the skills or motivation to write secure code, and 2) Web applications where rapid development and functionality trump security concerns.

How vulnerable are today’s web apps? Here’s how the IBM X-Force answered this question in its 2008 Trend and Risk Report:

“Web applications in general have become the Achilles Heel of Corporate IT Security. Nearly 55% of vulnerability disclosures in 2008 affect web applications, and this number does not include custom-developed applications (only off-the-shelf packages). Seventy-four percent of all Web application vulnerabilities disclosed in 2008 had no available patch to fix them by the end of the year.”

ESG Research looked further into software security in its recently published report, “Assessing Cyber Supply Chain Security Vulnerabilities Within the U.S. Critical Infrastructure” (note: this report is available for free download at the ESG website, www.enterprisestrategygroup.com). Security professionals working at critical infrastructure organizations were asked, “To the best of your knowledge, has your organization ever experienced a security incident directly related to the compromise of internally-developed software?” Alarmingly, 30% answered “yes.”

What does all this mean? IBM X-Force data clearly demonstrates an abundance of insecure web applications out in the market. ESG’s data shows that many critical infrastructure organizations are not only writing insecure code but are also being compromised as a result of these vulnerabilities. Yikes!

Insecure software is a problem that is too often swept under the rug because it isn’t easily addressed with a tactical threat management tool du jour. Yes, software security requires new skills and processes, but unless we make these changes we will continue to be vulnerable. If your lights go out sometime soon, insecure software may be to blame.

One Response to “Homegrown Software is Not Secure”

  1. [...] This post was mentioned on Twitter by Jon Oltsik. Jon Oltsik said: [Blog] Homegrown Software is Not Secure http://dlvr.it/D6PF2 [...]

© 2011 Enterprise Strategy Group, Milford, MA 01757