In-house systems risk

As many as 70% of finance applications that are written in-house contain serious design flaws that leave companies open to attack.

Security consultancy @stake, which presented its findings at the Compsec security conference in London last week, tested more than 60 of its customers’ purpose-built financial applications. They had been developed to support a specific business process such as clients checking their bank balance.

Many of the flaws should have been picked up easily at the design phase, when they would also have been cheaper to fix. For every £1 spent mending such faults at the design stage, it costs £6.50 during implementation, £15 in testing, and £100 at the maintenance stage.

Avi Corfus, executive vice president at @stake, said: ‘We found a recurrent pattern of design flaws, with the three main ones being inadequate authentication and access controls, an implicit trust with regard to user inputs, and poor user session management.’

But companies that paid attention to application design found themselves much less exposed to financial risk, he explained. Organisations that focused on end-to-end encryption from the early design stage experienced 90% less business risk than those that failed to take it into consideration.

Those taking user authentication and authorisation equally seriously were exposed to 88% less risk, while ensuring against the misuse of user input from the outset led to 78% less risk. ‘A lot of security professionals’ time is spent justifying the need for IT security. But investing in security programmes has a significant impact on business assessment risk and a positive rather than negative return on investment,’ Corfus said.

Companies experiencing the most benefit from such initiatives are those that do not see security as discretionary, but rather build it into all of their business processes, he explained.

Quality assurance at all stages of the development lifecycle is also key. And it is imperative for organisations to take an active interest in their developers by investing in training and up-to-date tools and methodologies.

‘The worst situation is when companies go to third parties, tell them what they want, and the third parties just hand them over the application at the end of the process,’ Corfus said.
