UK Code is Least Secure, Report Finds

The UK ranks bottom of the league for the security of its code, according to a new report.

The research from software analytics firm Cast studied over one billion lines of code in nearly 2,000 enterprise applications running across 300 enterprises from three continents. Industries included financial services, insurance, telcos, manufacturing, energy, utilities and government departments.

Cast’s Crash Report covered five categories: robustness, security, performance efficiency, changeability and transferability. The majority of applications were written in Java-EE, followed by COBOL and .Net.

While the overall quality of code was considered poor, it’s worrying to see security perform particularly badly. The UK performed worst of all geographies, and the report was particularly critical of the security of code written and deployed in the UK. The US was also criticized, while France came out on top.

Cast said security scores varied significantly across different parameters, and the lowest scores recorded in that category were among the lowest across all the tests it conducted. This means there is a significant amount of insecure code running in the wild, Cast said.

Financial services organizations scored worst in terms of the security of their code, followed by retail and telcos. Given the amount of personal data those companies hold - names, addresses, bank details, credit card information and more - there is a huge risk of a significant data breach via poor code. Government bodies tested by Cast scored highest.

Away from security, Cast said that code developed in smaller teams tends to be better. Teams of fewer than 10 generally performed best across the test areas, teams of 10 to 20 also performed well, but teams of over 20 people struggle to create quality code. That’s generally because larger teams struggled to find consistency in design and coding decisions, the report said.

“Lack of security architecture combined with porous code in legacy systems produce easy targets for hackers. This is especially concerning in Financial Services applications,” said Dr. Bill Curtis, SVP and chief scientist at Cast Research Labs. “Despite the push to ‘go digital’ our CRASH Report findings indicate there is a significant amount of bad code lingering in enterprise systems. The takeaway for IT is clear: poor software quality is exposing many businesses to excessive risk.”

Cast recommends organizations keep development teams to under 10, and train staff in secure coding practices. Incentivizing their use is a good idea as well. Use of advanced measurement and analysis technology is beneficial, Cast said. A hybrid development model of waterfall and agile produces the best code, according to the report.

What’s Hot on Infosecurity Magazine?