Guest View: Addressing security in outsourced applications
By Ryan Berg
August 15, 2009 —
(Page 1 of 3)
Related Search Term(s): outsourcing, security
While outsourcing code development offers many benefits, it is absolutely critical that the team responsible for evaluating these applications makes security its principal criterion when evaluating outsourced development proposals.
There are several overriding security issues that arise when considering outsourced development. All of these concerns require careful planning, execution and monitoring to verify that they are addressed prior to acceptance of the software from the outsourcer. It is essential to adequately define, evaluate and set up security requirement criteria for the security of delivered applications, and they should include security terms in the actual development contract—including implementing secure source code analysis prior to accepting the code.
Security is a critical element in any application development effort, and therefore it should also be a major component of the contract for all outsourced development projects. Many organizations already define service level agreements that set expectations and terms, milestones and deliverables according to a specific timetable. Even in the cases where security requirements are included, few companies have a method for measuring or certifying that the code is secure before it is accepted and deployed. This can lead to dangerous threat vectors for potential security breaches via unsecured code.
A security addendum should require outsourcers to deliver software to a mutually agreeable security audit to determine if the delivered software is free from specific vulnerabilities and vulnerability categories. The “teeth” in the agreement is that the customer has no obligation to pay for or accept any insecure software. The contract should also include critical security metrics that must be met for the software to be deemed acceptable under the terms of the agreement.
Any and all application development contracts should include language and provisions that address security mechanisms, best practices, developer skills and audits.
Appropriate use of security mechanisms: Have the necessary security mechanisms been included to ensure the application performs only the requested functions? Were those security mechanisms deployed properly? Both proper design and proper implementation must be validated to ensure the foundation for effective security is in place.
Secure coding best practices: Does the outsourcing development vendor have a clearly defined set of secure coding best practices, and do these meet the requirements and needs of the customer? How is it documented and validated? Secure coding practices are a defined and well-articulated discipline that should be an integral part of an outsourcing vendor’s development processes.