Software developers putting data at risk

Over half of UK companies use actual rather than disguised customer data to test applications during the development process, according to a survey by Compuware Corporation.

The report, created in conjunction with privacy management firm the Ponemon Institute, concludes that this practice compromises critical information as these environments are less secure than production environments.

Testing data may be exposed to a variety of unauthorised sources, including in-house staff, consultants, partners and even offshore personnel.

Some 35 per cent of respondents outsourced their application testing, and 38 per cent shared live data with the outsourced organisation.

"For many organisations, large customer data files represent an easy and cheap source of data to use when testing applications," said Dr Larry Ponemon, chairman and founder of the Ponemon Institute.

"But this process introduces a huge element of risk to the challenge of maintaining the integrity of sensitive information, particularly when third parties and offshore resources are involved."

The study points to a need for greater awareness and accountability over how sensitive data is used within organisations.

"Common practices as they relate to all uses of live data must be evaluated to assess risk, and safeguards implemented to ensure data security," said Dr Ponemon.
Of the 58 per cent of companies using actual customer data, 79 per cent use customer files and 68 per cent use customer lists.

Examples of the live data include employee and vendor records, customer account numbers, credit card numbers, Social Security numbers and other credit, debit or payment information.

Furthermore, 43 per cent of respondents admitted to having no way of knowing whether the data used in testing had been compromised, and 17 per cent reported not protecting live data used in software development.

The report also highlighted the confusion surrounding the ownership of sensitive test data.

Some 11 per cent of respondents did not know who was responsible for securing test data, 43 per cent believed that the development organisation is responsible and 14 per cent thought that the business units sponsoring the development were responsible.