In-house systems risk

Security consultancy @stake, which presented its findings at the Compsec security conference in London last week, tested more than 60 of its customers’ purpose-built financial applications. They had been developed to support a specific business process such as clients checking their bank balance.

Many of the flaws should have been picked up easily at the design phase, when they would also have been cheaper to fix. For every £1 spent mending such faults at the design stage, it costs £6.50 during implementation, £15 in testing, and £100 at the maintenance stage.

Avi Corfus, executive vice president at @stake, said: ‘We found a recurrent pattern of design flaws, with the three main ones being inadequate authentication and access controls, an implicit trust with regard to user inputs, and poor user session management.’

But companies who paid attention to application design found themselves much less exposed to financial risk, he explained. Organisations focusing on end-to-end encryption from the early design stage experienced 90% less business risk than those who failed to take it into consideration.

Those taking user authentication and authorisation equally seriously were exposed to 88% less risk, while ensuring against the misuse of user input from the outset led to 78% less risk. ‘A lot of security professionals’ time is spent justifying the need for IT security. But investing in security programmes has a significant impact on business assessment risk and a positive rather than negative return on investment,’ Corfus said.

Companies experiencing the most benefit from such initiatives are those that do not see security as discretionary, but rather build it in to all of their business processes, he explained.

Quality assurance at all stages of the development lifecycle is also key. And it is imperative for organisations to take an active interest in their developers by investing in training and up-to-date tools and methodologies.

‘The worst situation is when companies go to third parties, tell them what they want, and the third parties just hand them over the application at the end of the process,’ Corfus said.

Related reading

HMRC banknotes