More Asian companies want code tested

By Vivian Yeo, ZDNet Asia
Monday, May 12, 2008 07:13 PM

Businesses in Asia are increasingly taking steps to ensure software code developed by third parties is as secure as can be.

Foo Meng Yiah, chief of business management office at NCS Group, told ZDNet Asia that the company has seen a rise in the number of requests from customers in Asia to perform mandatory code testing as well as build security features into the code.

Mandatory code testing, said NCS, is one way to verify if security policy requirements have been implemented in the code.

In addition, customers are also asking for their in-house IT security or audit teams to be involved in application development projects, Foo said in an e-mail. This helps to ensure compliance with the customer's security needs.

"Over the last few years, security concerns have been one of the areas raised in software development in Asia," noted Foo. "Customers, aware of the importance of application security, are seeking more information on security issues and how to build security in the source code during the development stage."

Foo said that for software development projects, NCS has a team of specialists to test code using tools such as a static source code analyzer.

"This team will scan the codes and a report will be sent to the project team to fix any security violations flagged," she said. "Any security violations will be resolved and the source codes passed to the test team to be analyzed again."

Over at Parkway Group Healthcare, Kenneth Thean, group vice president for IT and CIO, said the organization has a set of standard guidelines for application security and design that vendors need to adhere to.

Parkway is in the midst of rolling out its Enterprise Wide Hospital Information System integrated with Oracle E-Business Suite applications, which is undertaken by Tata Consultancy Services.

"We did not focus on malicious ware or backdoors being embedded within the application code itself, [mainly because] our applications are within the organization's internal network and there are stringent policies and audit measures in place to prevent any abuse by staff," said Thean, who is also the chief medical information officer of Parkway. "We also carry out regular internal and external audits to identify any flaws in the organization's system--including application environment and policies--and network security and quickly rectify them as and when they are found.

"Moving forward, Parkway does recognize that, as we expand our systems across the regions, a re-look at our existing policy [is necessary]," he added.

Upon completion of the project next year, Parkway will have full access to the source code, paving the way for in-house review and testing. But Thean pointed out that given the complexity and labor required for the task, the group will explore using tools to automate the processes.

Another issue to consider is the objectivity of security testing, said Thean. Testing done in-house or by the vendor engaged to deliver the applications may not be the best option; instead, an independent third-party audit should be commissioned.

Elsewhere, however, not all companies pay as much attention to application security testing. Referring to findings of a study of 250 C-level executives in the United States, United Kingdom and Germany, application security testing company Veracode said last month that 60 percent of companies that outsource the development of critical applications do not demand that security be built into their applications.

The report, released by U.K.-based business and IT analyst Quocirca, also noted that 90 percent of organizations outsource over 40 percent of their code.

