Most organizations use real data during the testing and development of applications, but are not confident about their ability to protect it, leaving a gaping security hole that can result in a data breach, according to a survey released Tuesday.
The survey of 1,350 application development and testing practitioners (701 in the Uniter States and 652 in the United Kingdom) conducted by the Ponemon Institute and sponsored by application development tool vendor Micro Focus, found that 80 percent of U.S. respondents use real data during the testing and development of applications. Organizations use customer and employee records, credit cards and other confidential business information to test applications – all of which is at risk to suffering a data breach, Mannes Neuer, a senior product manager at Micro Focus told SCMagazineUS.com on Tuesday.
Sensitive data used to test applications often winds up on thumb drives and laptops, or in the hands of offshore outsourcers and other third parties, which causes a significant risk for data breaches, Neuer said. In the survey, 75 percent of U.S. respondents said they send real data to third-parties for development and testing.
The majority of survey respondents said their organization does not have adequate policies or technologies in place to protect the real data used in development and testing, according to the survey. Seventy-one percent of U.S. respondents said they do not have adequate policies and procedures to protect testing data and 77 percent said they do not have adequate security technologies, the survey found.
“Organizations do not have the right security policies and procedures in place, and that leads to the insider threat — people make mistakes and these mistakes lead to the loss or theft of confidential information,” Larry Ponemon, chairman and founder of the Ponemon Institute, told SCMagazineUS.com on Tuesday.
And cybercriminals have caught on that the testing and development domain is an area of weakness, Ponemon said.
Eighty-two percent of U.S. survey respondents said they have experienced at least one data breach during the past year and the root causes of the data breach were linked most frequently to negligent insiders, followed in number by malicious insiders and third-party outsourcers. Though some outsourcers create a higher level of safety, other smaller organizations don’t have particularly good or even adequate safeguards, Ponemon said.
In addition, the development and testing arena is generally managed by creative people who are not as compliance-oriented as those in IT operations, Ponemon said. But these individuals typically deal with huge stores of sensitive information. The majority of survey respondents said they use files with more than one terabyte of real data during development and testing.
Typically, the normal end-user would only access a few customer records as needed, Ponemon said.
“On development side, they are running every record; the file size is much larger, and there’s a much higher probability of a catastrophic or massive data breach,” Ponemon said.
Survey respondents had a wide variety of opinions as to who they believe is responsible for protecting data during development and testing. Twenty-one percent of U.S. respondents said the IT security department was responsible, 20 percent said it’s no one party’s duty and 18 percent said it’s the IT operations group’s responsibility. Another 15 percent said the business unit sponsoring the development should be held accountable and 7 percent said it was the responsibility of the software development group.
“Once data goes into the testing environment, people take it home on thumb drives — it gets all over the place; it’s much more exposed,” Neuer said.