Security luminaries like Oracle's Mary Ann Davidson and Cigital's Gary McGraw have long argued that poorly written, outdated software is the root of all evil. A new study suggests that evil has a chokehold on the nation's enterprise networks.
Palo Alto, Calif.-based Business Performance Management (BPM) Forum released a study this week in which IT professionals acknowledged their computer systems are brimming with "obsolete, redundant and unused" software. For many companies, maintaining antiquated applications costs tens of billions of dollars a year.
Nevertheless, BPM Forum concluded, "nearly three quarters of these companies have no process in place for retiring outmoded software and less than half conduct regular software audits to see how much software is on the network."
The questions asked weren't security specific. But forum Executive Director Donovan Neale-May said security was an underlying theme in the answers they got back.
"Quality is directly tied to how vulnerable software is," he said. "Obsolete, dated applications will be more prone to compromise. The older the software, the riskier it is to use. They haven't been designed to be resilient against attacks. We didn't ask specifically about security, but security is below the surface in a lot of answers."
Neale-May said the forum -- a group of 500 senior executives "dedicated to furthering operational visibility and financial accountability at global corporations" -- surveyed 226 IT professionals and C-level executives in the third quarter of 2004. Respondents work for companies ranging from small and mid-market businesses to global corporations with billions of dollars in revenue. The survey was underwritten by Teaneck, N.J.-based Cognizant Technology Solutions and Borland Software Corp. of Scotts Valley, Calif.
More than 40% of respondents estimated that unwanted applications drain more than 10% of their IT budgets, while 10% estimated the real cost to be more than 20%. Seventy percent said their companies have redundant, deficient or obsolete applications on the network, and the problem is even more serious in larger companies with revenues of more than $500 million.
"Security is clearly part of the process," Neale-May said. "From our standpoint, it's another added cost. If your application doesn't pass security muster, my view is it should be killed off."
Among the other findings:
- Nearly 77% said they're either dependent or extremely dependent on the performance of their software.
- Some 64% admit they're unable to benchmark the value of their software investments.
- Nearly half give their company low marks for the way IT spending is aligned with strategic priorities and business needs.
- About 40% conduct companywide software audits only on an "as-needed basis," while 13.4% never conduct them at all.
Bill Harrod, vice president of research and intelligence operations for Virginia-based security firm Cybertrust, agreed there's an inescapable link between obsolete software and vulnerability.
"Secure coding is part of it, but obsolescence is another part of it," he said. "You wouldn't fly in an airplane that's three years outside of its maintenance cycle. Yet big companies use software that's three years out of the maintenance cycle."
Harrod said his company tries to emphasize how critical it is that enterprises evaluate older software. "We regularly tell organizations they'll never win the patch management fight because the proliferation of software and their patching requirements becomes an endless cycle," he said. "But if we can identify the most critical software, we can manage. We need to address applications that are at the end of their life. To take advantage of vulnerabilities in outdated software can become a huge security breach for an organization."
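The audit that the forum says most companies skip becomes mechanical once an inventory exists. The Python script below is an added illustration, not part of the BPM Forum study and not code from Cybertrust, Cognizant or Borland. It runs over a constructed inventory (hypothetical host names, product names and dates) and sorts each entry into the three buckets the study names: obsolete (vendor support has ended, or no patch has been applied within a three-year maintenance window, the yardstick Harrod uses above), redundant (an older version of a product that also runs at a newer version elsewhere on the estate) and unused (no launch seen within 180 days). The window and idle thresholds are assumptions to be set by local policy.

```python
"""Flag obsolete, redundant and unused software in an inventory.

Added example; the inventory, product names, hosts and dates are constructed
and the thresholds are assumptions, not figures from the study.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class App:
    host: str
    product: str
    version: str
    vendor_eol: Optional[date]   # vendor end-of-support date; None if not tracked
    last_patched: date           # last date a vendor patch was applied
    last_used: date              # last launch or logon seen in usage telemetry


# Constructed sample inventory (hypothetical hosts, products and dates).
INVENTORY: List[App] = [
    App("fin-app-01", "LedgerSuite",   "4.2", date(2006, 12, 31), date(2004, 6, 1),  date(2004, 9, 20)),
    App("fin-app-02", "LedgerSuite",   "3.1", date(2002, 6, 30),  date(2001, 3, 15), date(2004, 9, 18)),
    App("hr-web-01",  "PayrollPortal", "2.0", None,               date(2001, 1, 10), date(2004, 9, 22)),
    App("hr-web-01",  "ReportGen",     "1.5", date(2005, 1, 1),   date(2004, 8, 1),  date(2003, 11, 2)),
    App("dev-box-07", "ReportGen",     "1.5", date(2005, 1, 1),   date(2004, 8, 1),  date(2004, 9, 1)),
]

# Assumed audit date; the survey itself ran in Q3 2004.
AUDIT_DATE = date(2004, 9, 30)

Finding = Tuple[str, str, str, str]   # (host, product, version, reason)


def version_key(v: str) -> Tuple[int, ...]:
    """Dotted numeric versions only, e.g. '4.2' -> (4, 2); good enough for the sample."""
    return tuple(int(p) for p in v.split("."))


def audit(inventory: List[App], today: date,
          maintenance_window: timedelta = timedelta(days=3 * 365),
          unused_after: timedelta = timedelta(days=180)) -> Dict[str, List[Finding]]:
    """Classify every inventory entry; an entry may land in more than one bucket."""
    findings: Dict[str, List[Finding]] = {"obsolete": [], "redundant": [], "unused": []}

    # Newest version seen per product, used to spot superseded installs.
    versions = defaultdict(set)
    for app in inventory:
        versions[app.product].add(app.version)
    newest = {p: max(vs, key=version_key) for p, vs in versions.items()}

    for app in inventory:
        ident = (app.host, app.product, app.version)

        # Obsolete: vendor support over, or outside the maintenance window.
        if app.vendor_eol is not None and app.vendor_eol < today:
            findings["obsolete"].append((*ident, f"vendor support ended {app.vendor_eol}"))
        elif today - app.last_patched > maintenance_window:
            findings["obsolete"].append((*ident, f"no patch since {app.last_patched}"))

        # Redundant: an older version of a product that runs at a newer version elsewhere.
        if app.version != newest[app.product]:
            findings["redundant"].append((*ident, f"superseded by {newest[app.product]}"))

        # Unused: nothing in telemetry within the idle threshold.
        if today - app.last_used > unused_after:
            findings["unused"].append((*ident, f"last used {app.last_used}"))

    return findings


def run_sample_audit() -> Dict[str, List[Finding]]:
    """Audit the constructed inventory at the assumed audit date."""
    return audit(INVENTORY, AUDIT_DATE)


if __name__ == "__main__":
    for bucket, items in run_sample_audit().items():
        print(f"{bucket} ({len(items)}):")
        for host, product, version, reason in items:
            print(f"  {host:<12} {product:<14} {version:<5} {reason}")
```

An entry can appear in more than one bucket on purpose: LedgerSuite 3.1 in the sample is both past vendor support and superseded, which is the strongest case for retirement rather than patching. Feeding real data means pulling the inventory from whatever package or asset database the environment already has and keeping the vendor end-of-support table current; the script only makes the decision reproducible.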
To executives who would cite the expense of replacing outdated software, Harrod responded: "It may be expensive to replace it, but it's even more expensive trying to stay ahead of the exploits."