Fortify Software

New Study Shows Outsourced Software Development Greatly Increases Security Risk to Companies

More than 60% of companies neglect security when outsourcing development

SAN MATEO, Calif., April 7, 2008 - Leading application security vendor Fortify Software announced today the findings of a new report released by European information technology analysis group, Quocirca, entitled, Why Application Security is Critical. Today’s businesses are increasingly relying on software development to maintain a competitive advantage, and this new report reveals that the widespread outsourcing of code development is putting these businesses at risk. As organizations increasingly look to outsource application development, they are leaving themselves severely exposed to data predators by failing to mandate security in the development of those critical applications.

According to the report, 50 percent of organizations stating that software code development is business critical outsource almost half of their code development needs. And, according to the report, more than 60 percent of companies don’t mandate security when outsourcing development.

"The findings of this report indicate that not enough is being done by organizations to build security into the applications on which their businesses rely," said Quocirca analyst Fran Howarth, author of the report. "Not only that, but they are entrusting large parts of their application development needs to third parties. This creates an even greater onus for organizations to thoroughly test all code generated for applications—without which they could be playing into the hands of hackers."

Recent, highly publicized data breaches at companies such as TD Ameritrade, TJX and Hannaford Brothers illustrate how software applications can often contain exploitable vulnerabilities. According to the Quocirca report, all organizations who admitted to being frequently hacked outsource at least some of their coding practice, with 90 percent of these companies outsourcing almost half of their application development.

"The processes and systems that run companies today are built in software applications that were designed to be open, which makes them inherently insecure," said Roger Thornton, Founder and Chief Technology Officer of Fortify. "Through outsourcing, customer self-service offerings and the like, enterprises invite people into their network in order to do business better and quicker, but they leave themselves and their corporate assets vulnerable to attack and exploitation. Without assuring the security of the software applications that run your business, you expose your enterprise to unnecessary and costly risk."

In the study, financial services companies are identified as the most likely to outsource their code development needs, with 72 percent reporting that they outsource almost half of their development practices. 84 percent of these organizations report that code development is business critical. Public sector organizations are also big outsourcers, with 55 percent outsourcing over 40 percent of code development.

Other key findings in this study include:

  • Organizations are exposing themselves to increased risk through the use of Web 2.0 technologies and Service-Oriented Architectures (SOA) by not assuring the security of applications during development
  • Using automated solutions for building security into the software development lifecycle translates to lower overall spend on IT security
  • The surveyed organizations in the U.S. often fall far behind the U.K. and Germany when it comes to building in security from the outset of application development

"These survey results help explain the recent, sudden increase in data breaches and should serve as a wake-up call to any executive whose company sits on a pile of mission-critical application code," said Howard Schmidt, member of Fortify's Board of Directors and former Cyber Security Advisor for the White House.

The information in the report is based on a survey of 250 IT directors, senior IT managers and C-level executives in Germany, the UK and the US. It was completed in December 2007 and January 2008. Those surveyed included organizations from 1,000 employees up to large multinationals within a wide range of industrial sectors.

To access a full copy of the report, visit www.fortify.com/quocirca.

Fortify is offering security professionals the opportunity to benchmark their security practices against industry averages. This survey is available at: http://www.nkv5.com/fortifysoftware/survey/2008_01_survey.php.

About Quocirca Ltd

Quocirca is a primary research and analysis company specialising in the business impact of information technology and communications (ITC). With world-wide, native-language reach, Quocirca provides in-depth insights into the views of buyers and influencers in large, mid-sized and small organizations. Its analyst team is made up of real-world practitioners with first-hand experience of ITC delivery who continuously research and track the industry.

Quocirca reports are freely available to everyone and the full text of this report may be requested via www.quocirca.com.

About Fortify Software, Inc.

Fortify® Software products protect companies from the threats posed by security flaws in business-critical software applications. Its software security products—Fortify SCA, Fortify Manager, Fortify Tracer and Fortify Defender—drive down costs and security risks by automating key processes of developing and deploying secure applications. Fortify Software's customers include government agencies and FORTUNE 500 companies in a wide variety of industries, such as financial services, healthcare, e-commerce, telecommunications, publishing, insurance, systems integration and information management. The company is backed by world-class teams of software security experts and partners. More information is available at www.fortify.com.

Press Contact

Katherine Nellums
Merritt Group
415-247-1663 Nellums@merrittgrp.com