Financial Organizations Lagging in Application Security Requirements
Ounce Labs, February 18, 2009
A recent survey by Quocirca Ltd. that examines application development outsourcing practices from 200 of the largest organizations in the UK and the U.S. discovered that financial and transportation organizations are lagging in implementing application security requirements in their outsourced development projects.
Key survey findings include:
- Retailers test outsourced applications at twice the rate of financial services firms. Eighty-two percent of retailers test their applications for the most common vulnerabilities while only 40 percent of finance firms do.
- Only 32.5 percent of finance firms check code with automated scanners compared to 62.5 percent of retailers.
- Only 47.5 percent of finance firms mandate controls over who handles their data compared to 70 percent in the public sector and 72.5 percent of retailers.
- Only 37.5 percent of finance firms demand any certification of their service providers compared to 82.5 percent in public sector and retail organizations.
Outsourcing continues to be a strategy used by organizations to reduce costs and increase value, but it is not without risks. As organizations push out more of their custom software application development needs to outsourcing partners, careful planning is required in terms of building stringent software security requirements into contracts and creating a process and metrics to ensure that those requirements are met.
To read the full report, click here (registration required). Ounce Labs specializes in static application security testing (SAST) to strengthen application security and protect confidential information.
© 2008 CUNA, Inc. All rights reserved. Reproduction is prohibited without written consent.