In-house systems risk

As many as 70% of finance applications that are written in-house contain serious design flaws that leave companies open to attack.

Security consultancy @stake, which presented its findings at the Compsec security conference in London last week, tested more than 60 of its customers’ purpose-built financial applications. They had been developed to support a specific business process such as clients checking their bank balance.

Many of the flaws should have been picked up easily at the design phase, when they would also have been cheaper to fix. For every £1 spent mending such faults at the design stage, it costs £6.50 during implementation, £15 in testing, and £100 at the maintenance stage.

Avi Corfus, executive vice president at @stake, said: ‘We found a recurrent pattern of design flaws, with the three main ones being inadequate authentication and access controls, an implicit trust with regard to user inputs, and poor user session management.’

But companies that paid attention to application design found themselves much less exposed to financial risk, he explained. Organisations focusing on end-to-end encryption from the early design stage experienced 90% less business risk than those who failed to take it into consideration.

Those taking user authentication and authorisation equally seriously were exposed to 88% less risk, while ensuring against the misuse of user input from the outset led to 78% less risk. ‘A lot of security professionals’ time is spent justifying the need for IT security. But investing in security programmes has a significant impact on business assessment risk and a positive rather than negative return on investment,’ Corfus said.

Companies experiencing the most benefit from such initiatives are those that do not see security as discretionary, but rather build it into all of their business processes, he explained.

Quality assurance at all stages of the development lifecycle is also key. And it is imperative for organisations to take an active interest in their developers by investing in training and up-to-date tools and methodologies.

‘The worst situation is when companies go to third parties, tell them what they want, and the third parties just hand them over the application at the end of the process,’ Corfus said.
