Save money. Speed development. Augment staff resources. Tap expertise not available internally. The reasons for outsourcing application development are many and varied. Outsourcing can be a cost-effective and efficient solution to the demand for new and specialized applications in today's internet-based marketplace. It is critical, however, that the team responsible for evaluating the outsourced application makes security one of its principal acceptance criteria for each release. There must be a mutually agreed-upon process in place to articulate and certify the security of the delivered project. Armed with that information, organizations can manage application risk and balance remediation priorities. This paper will:

- discuss the need for addressing security concerns in outsourced applications
- outline a framework for addressing these concerns with outsourcing partners
- explore the role of source code review and related technologies in assessing and certifying outsourced applications
- provide a sample contractual addendum for including secure code requirements in RFPs and outsourcing contracts (the Addendum is available as an Exhibit in this document, or as a separate file at www.ouncelabs.com/assurance)
Outsourcing On the Rise

Outsourcing is, and will continue to be, a significant resource for application development. An InformationWeek study found that 84% of InformationWeek 500 companies outsourced application development and integration [1]. Across all industries, executives are increasingly turning to outsourced development to deliver their critical applications in order to move rapidly, contain costs, and supplement their own in-house expertise. Gartner estimates that outsourcing of enterprise applications will grow at a compound annual growth rate of 7.3% through 2007 [2]. The Tower Group estimates that IT work outsourced to vendors abroad by the top 15 global financial institutions will grow by 34% annually over the next four years, from $1 billion today to $2.5 billion in 2008. Not only are organizations increasingly outsourcing development, they are also choosing to outsource their most mission-critical and sensitive application projects (Fig. 1). E-commerce applications, human resource information systems, financial services applications: the solutions that handle the most critical data and run the most fundamental business processes are increasingly being developed out of house and out of the country [4]. For businesses that frequently outsource these kinds of applications, verifying the security state of the delivered projects must be a priority.
Issues for Outsourced Development

Several overriding security issues arise when considering outsourced development. Each of them requires careful planning, execution and monitoring to verify that it has been addressed before the software is accepted from the outsourcer. These issues include:

- Appropriate use of security mechanisms: Have the necessary security mechanisms been included to ensure the application performs only the requested functions? Were those security mechanisms deployed properly? Both the design and the implementation must be validated to ensure the foundation for effective security is in place.
- Secure coding best practices: Does the outsourcing development vendor have a clearly defined set of secure coding best practices? How are they documented and validated? Secure coding practices are a defined and well-articulated discipline that should be an integral part of an outsourcing vendor's development process.
- Programmer experience and skill set: Are the programmers educated in those secure coding techniques? How is that training documented and defined? What processes are in place to make sure those techniques are followed? It is vital to make sure that the developers assigned to the project possess the training, skills, and awareness to develop a secure application. In reality, most developers are not properly trained in writing secure code, whether or not they work for an outsourcing firm.
- Presence of malicious code: Is there an audit process in place to ensure malicious code has not been inserted into the software? Are the auditors trained to identify malicious code in software? There should be a process for reviewing critical code for such dangers as viruses, worms, backdoors and trojans.
The Government Weighs In

The regulatory environment reflects the recognition that application security, particularly of outsourced applications, is a vital component of critical infrastructure security as well as of data integrity and privacy. Each industry faces its own set of regulatory requirements. For example, the Federal Financial Institutions Examination Council's (FFIEC) Information Security Handbook, as an implementation guide for the Gramm-Leach-Bliley Act (GLBA), explicitly states that management must establish a vendor management program that includes "establishing security requirements, acceptance criterion, and test plans, [and] reviewing and testing source code for security vulnerabilities."