Comment
Article
IT Analysis – The changing face of application security
Software applications are the backbone of
businesses today. A recent survey conducted by
Quocirca, commissioned by Fortify Software, of
250 organisations in the US, the UK and
Germany, found that developing or modifying
software applications is business critical or very
important to two-thirds of organisations. Not
only that, but reliance on software development
is increasing and bespoke application
development is seen as a competitive
differentiator for end-user organisations.
Not only are bespoke or modified software
applications becoming more important, but they
are increasingly being web-enabled over
networks that are being opened up to access by
employees, business partners, suppliers and
customers. This increases productivity by
allowing for greater collaboration and by
speeding up the rate at which transactions can
be performed.
But it is a double-edged sword. Many large
enterprises have thousands of web-enabled
applications running over their networks and
their developers are under pressure to release
new applications at an ever faster rate. The
internet is also no longer the static marketing
tool for organisations that characterised it during
the 1990s. Dynamically changing content is the
order of the day—and that means that
applications are frequently updated, with extra
functionality being added at a fast and furious
pace.
Each of these applications may contain
thousands, or even millions of lines of code,
making it likely that at least some bugs have
been incorporated along the way. Accepted
levels are that there will be 0.5 significant errors
per thousand lines of code, so a fairly small,
10,000 line application will have five significant
errors within it—somewhere. Each of those
errors could make the application vulnerable to
attack and that is playing into the hands of
hackers. Gone are the days of script kiddies;
now a new breed of hacker has emerged that
© 2008 Quocirca Ltd http://www.quocirca.com
By Fran Howarth, Principal Analyst, Quocirca Ltd
hunt for insecurely written code and
vulnerabilities in software applications that will
allow them to steal information contained in
those applications. And, to an increasing extent,
those attacks are specifically targeted—at an
individual organisation or a certain individual.
The stakes are set to rise even higher as
organisations turn to practices that could
actually increase their risk of exposure even
further for three reasons.
First, the survey showed that organisations are
fast adopting service oriented architectures
(SOA), with 66% of respondents having already
adopted, or are in the process of adopting, a
SOA. Among German respondents, that
percentage rises to 84%, 71% of which are
exposing legacy applications—potentially leaving
them more vulnerable to attack as some of these
applications would originally have been intended
for internal use only and therefore developed
without concern for today's security threats.
Second, organisations are also increasingly using
next-generation Web 2.0 programming
techniques and tools. The survey shows that
45% of respondents make use of
JavaScript/AJAX programming tools in order to
write applications that provide users with a much
higher degree of interaction than traditional
applications, and that enable dynamic, on-the-fly
content to be produced. However, these new
programming techniques actually increase the
chance of applications containing vulnerabilities.
For example, many Web 2.0 programming
techniques make use of JavaScript as the data
transport mechanism, which exposes more of the
business logic of the applications such as access
controls at the browser level, instead of at the
server level, meaning that it is more exposed to
users, and therefore to hackers. The problems
involved are not yet widely understood, but a
significant number of organisations report that
they are encountering vulnerabilities that are
specific to the new programming tools.
+44 118 948 3360
 Comment
Article
The third potentially insecure practice to which
organisations are exposing themselves is that of
trusting the development of their software
applications to third parties. This requires that
watertight service-level agreements be put in
place to demand the highest standards of
security be used in the development and testing
of the software, and that the third parties can be
held accountable for vulnerabilities that slip
through the net. However, the survey does show
that those organisations for which the
importance of bespoke software development is
increasing are least likely to outsource this
activity, meaning that organisations do at least
understand that outsourcing code development
could be a less secure practice than keeping this
in-house.

As well as these findings, the survey brings to

light the fact that many organisations are not
doing enough to actively build security into their
applications at the design and development
stages, nor are they making sufficient use of
automated tools to test the security of the
applications that they develop. It is well known
that fixing security flaws is more expensive that
ensuring that they do not exist in the first place.
It is imperative that security be considered at all
stages of the software development lifecycle to
ensure that organisations allow as few vectors of
attack against their networks to be left open as
possible. In today's world, the penalties for
sloppy security practices that lead to data
leaking out of an organisation are high-and no
one wants to be the subject of the next negative
headline.

© 2008 Quocirca Ltd http://www.quocirca.com +44 118 948 3360

 Comment
Article

About Quocirca
Quocirca is a primary research and analysis company specialising in the business impact of information technology
and communications (ITC). With world-wide, native language reach, Quocirca provides in-depth insights into the
views of buyers and influencers in large, mid-sized and small organisations. Its analyst team is made up of real-
world practitioners with first hand experience of ITC delivery who continuously research and track the industry
and its real usage in the markets.

Through researching perceptions, Quocirca uncovers the real hurdles to technology adoption – the personal and
political aspects of an organisation’s environment and the pressures of the need for demonstrable business value in
any implementation. This capability to uncover and report back on the end-user perceptions in the market enables
Quocirca to advise on the realities of technology adoption, not the promises.

Quocirca research is always pragmatic, business orientated and conducted in the context of the bigger picture. ITC
has the ability to transform businesses and the processes that drive them, but often fails to do so. Quocirca’s
mission is to help organisations improve their success rate in process enablement through better levels of
understanding and the adoption of the correct technologies at the correct time.

Quocirca has a pro-active primary research programme, regularly surveying users, purchasers and resellers of ITC
products and services on emerging, evolving and maturing technologies. Over time, Quocirca has built a picture of
long term investment trends, providing invaluable information for the whole of the ITC community.

Quocirca works with global and local providers of ITC products and services to help them deliver on the promise
that ITC holds for business. Quocirca’s clients include Oracle, Microsoft, IBM, Dell, T-Mobile, Vodafone, EMC,
Symantec and Cisco, along with other large and medium sized vendors, service providers and more specialist
firms.

Details of Quocirca’s work and the services it offers can be found at

http://www.quocirca.com

© 2008 Quocirca Ltd http://www.quocirca.com +44 118 948 3360