With the recession forcing companies to become more competitive, outsourcing is going to grow in popularity, but at what cost to your company's security?
Whether you are outsourcing development, services or
maintenance, the bottom line is you are allowing others to create
code and run services that your customers will perceive as coming
from you - meaning that you are responsible for any functional
problems or security breaches.
Outsourcing security
According to Gartner, more than 60% of companies do not do any security risk mitigation when outsourcing development. A simple risk mitigation strategy would be to contractually require outsourced developers to adhere to secure coding best practices. Allowing outside software developers into your shop without demanding that they produce secure code leaves the door open to malicious or insecurely written code.
Of course it is not easy to guarantee that your programs and
data will remain secure once you have allowed outside applications
to run on your servers or integrated them into your web
presence.
But there are practices you can adopt that will ensure, as much
as possible, that you maintain control over the security of your
company and customer information.
Managing outsourcing
So what should a responsible chief information security officer
be doing?
1. The best time to enforce security at a service provider is before you sign the contract. Write specific and detailed requirements into the contract for what you will and will not accept.
2. Practice due diligence for code handling and access to
resources. Specify the minimum amount of sensitive data that will
be released to the supplier in order for the supplier to supply the
required services.
3. Require coding standards and security requirements in every
specification between you and the supplier.
4. Demand security metrics reports for the supplier's code that are repeatable and verifiable.
5. Require that all security requirements are met prior to the
first time the code is executed in your environment with penalties
for non-compliance.
6. Where possible, have a comprehensive code review process for
every piece of code you allow onto your servers.
7. Require that code be vetted for security by the supplier
using an automated source code analyser prior to being submitted to
you.
8. Require a comprehensive review of possible vulnerabilities
resulting from new external services operating in conjunction with
your current services.
9. Require a report specifying security issues and measures
taken to address them for every task and deliverable from the
supplier.
10. Ensure that best practices for secure program execution are followed, e.g. encryption keys are not passed in the data stream.
Through training, research, practices and software tools, you can get the best from outsourcing, permitting a productive and collaborative development environment while maintaining the integrity and security of your data environment.
Rob Rachwald is director of product development at Fortify
Software