Inconsistent software testing invites security risks

Companies could be placing too much trust in the integrity of third-party applications.

The rash of web attacks and data breaches experienced by companies across industries in recent years has provided considerable inspiration for evolving enterprise security tactics. Yet despite all of the attention and investment pouring into these areas, it’s surprising to see just how few companies are willing to trace problems back to the source. According to the latest analysis from application testing specialist Veracode, procurement teams could be setting their organizations up for a fall with their non-existent or inconsistent IT vendor assessment frameworks.

Tempting fate
While developing software from the ground up certainly provides companies with a security advantage, it can be a rather resource-intensive process. As a result, the overwhelming majority of firms have to look outside of office walls for applications that address their needs.

“The widespread adoption of third-party apps and use of external developers in enterprises brings increased risk,” research coordinator Chris Eng explained. “In fact, a typical enterprise has an average of 600 mission-critical applications, about 65 percent of which are developed externally, leaving companies increasingly vulnerable to the security risks found in these apps.”

There’s nothing wrong with seeking outside assistance, of course, so long as you know who you’re dealing with. But the unfortunate reality is, most companies fail to conduct the due diligence required to identify and block applications that could pose considerable risks. According to the research, fewer than one in five enterprises have ever bothered to request a code-level security test from a vendor.

Among those software suites which did submit to independent testing, 40 percent and 71 percent were susceptible to SQL injection and cross-site scripting attacks, respectively. What’s more, nearly two-thirds failed to meet compliance standards on their first try. That’s to say nothing of the fact the a healthy proportion of apps are being given the green light without any formal testing at all.

Strengthening your stance
One of the silver linings to the report was some added insight on which vetting procedures were most effective. Not surprisingly, structured, repeatable testing procedures were a clear winner over inconsistent, ad hoc frameworks. Those taking a formalized approach were able to recruit an average of 38 vendors to participate, according to the research, while the improvised approach only attracted an average of four code-level submissions.

This level of assertiveness and rigidity is especially important for companies operating in highly regulated sectors such as finance and healthcare. According to Dark Reading, the lack of standardized development practices and relatively lax software industry regulation can no longer be tolerated by firms hoping to keep their operations and reputations out of compromising positions. From supply chain partners to end users, all actors must be moving in alignment with the same objectives.

How heavily do your company’s plans depend on third-party software suppliers? What are you doing to make sure their offerings are up to expectation? Let us know what you think in the comments section below!

Matt Williams

A self-proclaimed ‘tech geek’, Matt has worked in technology for a decade and divides his time between blogging and working in IT. A huge New York Giants fan, when not watching football Matt gets his game on playing Call of Duty with his friends and other tech bloggers.