39% of businesses yet to introduce security-by-design in products & apps

A fresh study has revealed that over a third of organisations are pushing their products and applications out to the market without patching known security vulnerabilities in those products and without introducing security testing from the beginning of the software development lifecycle.

The study carried out by Outpost24 found that even though hackers are adept at exploiting security weaknesses in IoT products to cause data breaches at organisations, a large number of businesses are still not prioritising security and are not focussing on eliminating vulnerabilities in new products before pushing them out to the market.

The firm found that 39 percent of organisations don’t introduce security testing from the beginning of the software development lifecycle and 34 percent of them bypass security to get products out to market faster, even though 37 percent of organisations have experienced attacks that could compromise their data and applications in the cloud.

Most products & applications won't pass penetration tests, say security pros

Out of 300 security professionals interviewed by Outpost24, 29 percent admitted that their products and applications will not survive a security penetration test and 64 percent said their customers could easily be breached as a result of unpatched vulnerabilities in their products and applications.

The fact that 92 percent of security professionals understand the importance of carrying out security testing on new products and applications suggests that they do not have the final say on whether a product or application is ready to be pushed out to the market.

Also, as many as 39 percent of organisations not introducing security testing from the beginning of the product or application lifecycle indicates that cyber security is not a priority for many organisations.

"Our study shows that even despite continuous warnings, organisations today are still leaving their customers at risk because of a failure to address security vulnerabilities in products before they are introduced to market. If organisations are not addressing these security vulnerabilities, they are taking a huge gamble and abusing customer trust," said Bob Egner, VP at Outpost24.

"Negligence towards security will eventually lead to disastrous outcomes for technology and application vendors and their customers. There should be no excuses today, especially when security is such a big issue and so many breaches, which have happened up and down the technology stack, are well publicised," he added.

According to Egner, organisations must put their products and applications through penetration testing and automated application scanning to unearth software vulnerabilities and to understand which are the most dangerous to businesses and their customers and then work to remediate them first.

Government to force organisations into implementing security by design in products and applications

Earlier this year, appreciating the fact that many organisations may not introduce cyber security in their products at the design stage on their own, the UK government launched fresh consultations as a prelude to a new regulatory framework that would make it mandatory for IoT device manufacturers to make their products secure by design.

"Whilst Government have previously encouraged industry to adopt a voluntary approach, it is now clear that decisive action is needed to ensure that strong cyber security is built into these products by design. So today we are launching our consultation on regulatory next steps for consumer IoT, which builds on the extensive work that we have done to date with industry," said Digital Minister Margot James when addressing attendees at the IET conference.

"Companies such as HP, Centrica Hive, Panasonic and Green Energy Options have all pledged their public support for the Code and we encourage other manufacturers and retailers to follow suit. But many of the internet-connected devices currently on the market still lack even the most basic cyber security provisions. This is unacceptable. The Government has a duty of care to its citizens, to help make sure they can access and use the internet safely," she added.

While the government promised to invest up to £70 million through its Industrial Strategy Challenge Fund to support research into the infusion of security and protection solutions into hardware and chip designs at the development stage, it also promised to invest a further £30 million to ensure the safety and security of Internet-connected smart devices, 420 million of which would be deployed across the UK within the next three years.

The additional £30 million investment will also be used as part of the government's Ensuring the Security of Digital Technology at the Periphery programme and will be used to ensure the safety and security of IoT devices and in finding solutions to combine cyber and physical safety and security with human behaviour, influence new regulatory response and validate and demonstrate novel approaches.

"We want the UK to be a safer place to live and work online. We’re moving the burden away from consumers to manufacturers, so strong cyber security is built into the design of products. This funding will help us work with industry to do just that, improving the strength and resilience of hardware to better protect consumers from cyber-attacks," said James.

Copyright Lyonsdown Limited 2020