Over a million developers have joined DZone.

Security Implications of Outsourcing

DZone's Guide to

Security Implications of Outsourcing

While outsourcing or taking on contractors can help in scaling your development efforts, make sure you have the tools in place to secure the code they produce.

· Security Zone
Free Resource

Address your unique security needs at every stage of the software development life cycle. Brought to you in partnership with Synopsys.

Police in the Netherlands recently contacted more than 20,000 people who they suspect had their personal data stolen by a malicious web developer. This developer had built “backdoors” into applications he created for various businesses as a contractor. With the information he stole, it is alleged that he made online purchases, opened gambling accounts and impersonated victims' family members.

Outsourcing application development allows organizations to realize cost savings and provides the flexibility necessary to scale. However, as the recent Netherlands incident illustrates, it also introduces significant risk. How do you know if a contractor is well-versed in secure coding best practices that avoid introducing vulnerabilities? And, as in the Netherlands case, are you confident this contractor won’t add malicious backdoors to your code? How well do you know this contractor? Has the organization or individual been vetted by a third-party security firm?

There’s a lot of talk about shifting security “left” (earlier in the development lifecycle) in the age of Agile and DevOps. But it’s not enough to add security to the development lifecycle – you need to secure the entire lifecycle through deployment. As this case in the Netherlands illustrates, if you only rely on early testing and neglect security later in the process, you are setting yourself up for failure. By shifting security right as well, you are securing both the code you develop internally and the code you outsource or purchase and don’t have a hand in developing.

Before you turn to outside development, consider the following recommendations for assessing the security of outsourced code, both before and after you implement it.

Understand the impact: Before outsourcing an application’s development, clearly understand the application’s impact on the business. For instance, consider whether a breach of the application would affect the organizations’ reputation or lead to a substantial financial loss. Does the application handle sensitive data that would be exposed if the application is breached? Are there personal safety implications in the case of a breach?

Validate with a third party: Use application security expertise as a key element in the evaluation of outsourced application partners. Ensure that you work only with partners that have been and use secure development tools in their development lifecycle.

Put it in the contract: Include security metrics and SLAs in contracts with outsourcing providers. These requirements should be in alignment with your security policy for internally developed applications of a similar risk rank.

Test: Conduct independent application security testing with a third party with no vested interest in the findings. Leverage software security ratings to decide which apps are secure enough to be accepted or deployed.

Create time limits: Establish a timeline for addressing those security findings that are unacceptable. Remediation timeframes can be as simple as “all Very High severity findings must be addressed within 14 days” to as a granular as prescribing time frames for specific CWEs, such as “CWE 89 must be remediated within five business days.”

Implement runtime protection: Even after thoroughly vetting the outsourcer and its code, be sure to add a layer of protection to any and all apps you deploy. The threat from externally developed applications reinforces the need to assess the security of applications throughout the development lifecycle – from development to QA to production. It’s important to use technologies that assess applications currently running on your network, including those that you were not involved in coding.

Find out how Synopsys can help you build security and quality into your SDLC and supply chain. We offer application testing and remediation expertise, guidance for structuring a software security initiative, training, and professional services for a proactive approach to application security.

outsourcing ,security ,security compliance ,secure code

Published at DZone with permission of Suzanne Ciccone. See the original article here.

Opinions expressed by DZone contributors are their own.


Dev Resources & Solutions Straight to Your Inbox

Thanks for subscribing!

Awesome! Check your inbox to verify your email so you can start receiving the latest in tech news and resources.


{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}