Wipro and Fortify have announced a joint Software Assurance Center hosting a managed service to test the security of their customers' applications. This is a significant development, as it moves this capability into the managed services arena and is another step towards the recognition of application vulnerabilities as a primary security issue.
Security testing should be an integral part of all software development activities
Operating system suppliers, including Microsoft, have made great strides in reducing the number of vulnerabilities in the operating system layer. This has raised the profile of application vulnerabilities as hackers have switched their attention to the next weakest link. The US National Institute of Standards and Technology (NIST) estimates that applications now account for 92% of all vulnerabilities. Applications are vulnerable to cross-site scripting (particularly in Web 2.0 environments), SQL injection, buffer overflow and malicious file execution, amongst other attacks. It is imperative that vulnerabilities are eliminated from all externally facing applications, and desirable that they are eliminated from internal applications because complex workflows make it difficult to assess the criticality of a potential weakness. This means that vendor patches should be applied to all commercially acquired applications, and that security testing should become an integral part of the process of developing bespoke applications.
Wipro is a leading IT services company and its new initiative is welcome. In common with other software development outsourcers, it has been security testing software internally for some time, and it has an existing relationship with Fortify as a supplier of tools. It is now making the security testing service available to its customers. The service will not be limited to code that Wipro has written: customers can use it on software they develop themselves or acquire from third parties. Although the service is based on Fortify's products, Wipro adds value by analysing the results and producing reports in which each issue is assessed and prioritised.
There is an opportunity for service-providing companies to differentiate their offerings
Application security testing is now well supported by products, some of which are integrated with software development tools. These have been adopted by large software development organisations with the necessary in-house skills to use them. There are also some services available to examine general code quality, although these are not explicitly focused on security concerns. At the other end of the spectrum, external penetration testing services are offered by several services companies on the managed services model. These have been boosted by the demands of PCI compliance, the payment card industry standard that requires most payment card processors to be regularly tested using an external service. This is a black box service that simply assesses deployed systems for compliance.