Software security vulnerabilities rising due to lack of knowledge in development teams, lack of processes and systems all contributing to increased costs and risk

Sydney 27 June, 2011 – Pure Hacking, Australia’s leading specialist information security consultancy has challenged the global software development community to improve its development standards and build secure software. The consultancy believes that the corresponding rise in software vulnerabilities and increased risks to data security, business operations and reputational damage have reached a critical point requiring intervention. In line with its vendor-neutral position, the consultancy has confirmed that the open framework Software Assurance Maturity Model, or OpenSAMM methodology, is well placed to define and measure the security resilience of organisations and the software it relies on.

For Rob McAdam, CEO of Pure Hacking the current lack of security understanding in software development teams has reached its tipping point. “There is a growing lack of understanding about the security required in the development of software, whether it is developed in-house or via outsourcing.

Software outsourcing is growing annually by 30% in India alone and this growth will continue across the global outsourcing hotspots. By participating and contributing to this increased use of outsourcing, organisations unknowingly may be introducing increased levels of security risk in exchange for short term profits,” he outlined.

McAdam believes that development teams may sometimes lack the knowledge of the minimum security requirements for a project. Often, they are under tremendous resource constraints and may not follow processes and technology that is necessary for secure coding and architecture in software development projects. Many software projects are seen as additional overhead by Boards and senior management and as a result, the organisation outsources the projects due to cost requirements.

He claims these same decision makers need to consider this overhead as an investment, “This is something that can protect your smooth and secure business operation. Investing in better protected software is estimated at 100 times less costly as fixing insecure solutions.”

Additionally he believes that without meaningful change to software development processes, the costs of re-working insecure software will also rise.

“Insecure software now has a dollar value attached to it and it is no longer the case that it is a minor inconvenience to address security breaches. Hackers are destroying businesses. The rising incidence of hacking will continue and new legislation will not be able to control it,” he claimed.

In its role as a specialist information security consultant, Pure Hacking advises that there is no ‘silver bullet’ to eliminate software security vulnerabilities. Web Application Firewalls (WAF’s) and database security tools help reduce the risk, but do not ultimately provide the solution to the issue of underlying security protocols.

The consultancy is now appealing to the larger business community to introduce a more rigorous standards-based methodology to improve built-in software security standards.

“The days of when it made commercial sense to take a product to market as quickly as possible is part of our past,” advised McAdam. “The costs are now simply too high when things go wrong. The business public are inevitably going to query why they are being provided with an insecure software product in the first place. They will want to know how developers can justify charging them for the remediation process.”

“Major corporations have remedied software security issues to the tune of hundreds of millions of dollars per crisis recently. If they had adequately addressed security during the design and development stages, the old adage of ‘do it once and do it properly’ would have applied,” he concluded.

McAdam further believes that the incorporation of the OpenSAMM methodology is ideal for outsourced project managers and developers. OpenSAMM sets a clearly articulated benchmark for all participants.

“We aim to incorporate OpenSAMM into at least a third of our clients’ projects over the next twelve months. My team has forecast this to be one of major growth areas as it directly addresses the issue of rapid growth and risk assessment. We believe this to be one of the greatest cost-efficient investments organisations can make in security today.”

Pure Hacking’s software security solution utilises OpenSAMM (Software Assurance Maturity Model) initiatives to incorporate an end-to-end development process that is uniquely tailored to address the specific software security risks facing each organisation. This answers the question of how organisations plan, build and maintain secure web and mobile applications – whether built internally or supplied by third parties.