Enterprise App Developers Use Insecure Data
That's according to a study of IT pros conducted and released today by the Ponemon Institute and sponsored by Micro Focus.
The results of the survey are no surprise, Larry Ponemon, chairman and founder of the Ponemon Institute, told InternetNews.com.
"Over decades in security research, I have seen the real effort put into the production environment, not development and testing," he said. "But wherever the criminal or a company's competitor gets the data, it's still a real problem."
Part of the problem stems from the fact that real data is being used in development environments, and lots of it, according to the survey. Respondents said that the most common types of data used are, in order, customer records, employee data, and credit card numbers.
"That's surprising," Ponemon said. "There are PCI [Payment Card Industry standards] compliance issues with the use of credit card data."
The majority of organizations reported using 1 to 50 terabytes of data in development environments -- 61 percent in the UK and 75 percent in the U.S.
That suggests that companies are running full lists through development systems instead of using a random sample. "I visited China and met with the CIO and CTO of a bank I cannot name. They told me their average sample file is 300 million records," Ponemon said.
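The alternative the article points to, taking a random sample rather than the full list, and the PCI concern raised above both come down to one job: the copy handed to developers should be small and should carry no real card numbers or contact details. The following Python is an added example and not code from the article, the Ponemon Institute or Micro Focus. It assumes a constructed CSV export (the five rows below are made up, with the well-known test PANs) and a hypothetical environment secret `TOKEN_KEY`; it draws a seeded random sample, replaces names and e-mails with pseudonyms keyed on the customer id, tokenizes each card number with an HMAC while keeping the last four digits for display logic, and finishes with a check that no source PAN survives anywhere in the output.

```python
import csv
import hashlib
import hmac
import io
import random
from typing import Dict, List

# Constructed sample "production" export for the example; not real customer data.
PRODUCTION_CSV = """customer_id,name,email,card_number
1001,Alice Example,alice@example.com,4111111111111111
1002,Bob Example,bob@example.com,5500000000000004
1003,Carol Example,carol@example.com,340000000000009
1004,Dave Example,dave@example.com,6011000000000004
1005,Eve Example,eve@example.com,4222222222222
"""

# Hypothetical per-environment secret. In a real pipeline it comes from a
# secrets manager and is never stored next to the development copy.
TOKEN_KEY = b"dev-only-tokenisation-key"


def tokenize_card(card_number: str, key: bytes = TOKEN_KEY) -> str:
    """Replace a PAN with a keyed, non-reversible token.

    The same PAN always maps to the same token (so joins and duplicate checks
    still work in development), and the last four digits are retained so that
    masked-display code can be exercised without the real number.
    """
    digest = hmac.new(key, card_number.encode(), hashlib.sha256).hexdigest()
    return f"tok_{digest[:16]}_{card_number[-4:]}"


def pseudonymize_email(customer_id: str) -> str:
    # .invalid is reserved and can never deliver mail, so a test run cannot
    # accidentally contact a real customer.
    return f"user{customer_id}@dev.invalid"


def mask_name(customer_id: str) -> str:
    return f"Customer {customer_id}"


def build_dev_dataset(production_csv: str, sample_size: int,
                      seed: int = 0) -> List[Dict[str, str]]:
    """Draw a random sample of rows and return a masked copy for development."""
    rows = list(csv.DictReader(io.StringIO(production_csv)))
    rng = random.Random(seed)  # seeded so the dev copy is reproducible
    sample = rng.sample(rows, min(sample_size, len(rows)))
    masked = []
    for row in sample:
        masked.append({
            "customer_id": row["customer_id"],
            "name": mask_name(row["customer_id"]),
            "email": pseudonymize_email(row["customer_id"]),
            "card_token": tokenize_card(row["card_number"]),
        })
    return masked


def contains_raw_pan(records: List[Dict[str, str]], production_csv: str) -> bool:
    """Release gate: True if any source card number appears in any output field."""
    pans = {r["card_number"] for r in csv.DictReader(io.StringIO(production_csv))}
    for record in records:
        for value in record.values():
            if any(pan in value for pan in pans):
                return True
    return False


if __name__ == "__main__":
    dev_rows = build_dev_dataset(PRODUCTION_CSV, sample_size=3)
    for r in dev_rows:
        print(r)
    print("raw PAN leaked:", contains_raw_pan(dev_rows, PRODUCTION_CSV))
```

The leak check is deliberately separate from the masking step: a masking job that is later extended with a new column is exactly where a real field slips through, and the gate catches that regardless of how the transformation code changes.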
The Institute has been reporting for some time that data breaches can cost $200 per record. Ponemon pointed out that a breach of millions of records would therefore cost hundreds of millions of dollars.
Yet organizations claim to be aware of the risk. Data used in development environments is "very important" or "important" according to 60 percent of UK respondents and 61 percent of U.S. respondents.
Nor do organizations feel immune to risk. Only 25 percent of UK companies and 18 percent of U.S. companies reported not suffering a data breach during the past year, the survey found. (The figures are roughly in line with earlier research Ponemon conducted that found that 85 percent of U.S. businesses and 70 percent of UK businesses had been breached.)
The vast majority in the latest Ponemon study blamed insiders or third-party outsourcers for breaches, rather than hackers.
It's possible that organizations aren't defending themselves against a known risk because nobody is responsible for handling it. Twenty percent in the U.S. and 11 percent in the UK admitted that nobody had responsibility for data in test environments, according to the study.
Respondents in the two groups diverged sharply on who should be responsible for securing the data in the development environment. In the UK, 60 percent said that developers or the business units sponsoring development had responsibility, while 20 percent said IT was responsible for the data. In the U.S., only 22 percent said that developers or business units were responsible, while 39 percent said IT was responsible for the data.
It's also possible that the developers themselves lack a security focus. Ponemon said that in interviews with 63 people who said they participated in the survey, he found that security awareness was not high among developers.
"Issues of compliance and privacy are not part of the mantra of developers," he said. "Corporate IT is now focused on compliance, on procedures and policies, but I'm not sure that's been translated fully to the development side."