Secure Outsourcing

Author: Barmak Meftah

Fortunately, there are fewer and fewer barriers preventing access to a worldwide supply of skilled developers and valuable resources. People and services can be located almost anywhere and still contribute to an organisation’s software development or online presence.


The good news is that the resources are out there. The bad news is that it’s your responsibility to maintain security and vigilance over people and practices that often are out of your control in day-to-day business.


Whether you are outsourcing development, services or maintenance, the bottom line is you are allowing others to create code and run services that your customers will perceive as coming from you—meaning that you are responsible for any functional problems or security breaches.


Does outsourcing mean giving up the farm?


According to a recent Gartner survey, more than 60 per cent of companies don’t do any security risk mitigation when outsourcing development. An example of a simple risk mitigation strategy would be to contractually require outsourced developers to adhere to best practices in secure coding. Allowing outside software developers into your shop and then not demanding that they produce secure code leaves the door open to any malicious or insecurely written code.


Of course it is not simple to guarantee that your programs and data will remain secure once you’ve allowed outside applications to run on your servers or integrated them into your web presence. But there are practices you can adopt that will ensure—as much as possible—that you maintain control over the security of your company and customer information.


What’s a responsible CISO to do?



  1. The best time to ensure that your service provider is taking security seriously is before you sign the contract. Make sure you set out specific and detailed requirements in the contract for what you will and will not accept.

  2. Practise due diligence for code handling and access to resources. Specify the minimum amount of sensitive data that will be released to the vendor in order for the vendor to supply the required services.

  3. Require coding standards and security requirements in every specification between you and the vendor.

  4. Demand metric reports for the security of the vendor’s code that are repeatable and verifiable.

  5. Require that all security requirements are met before the code is first executed in your environment, with penalties for non-compliance.

  6. Where possible, have a comprehensive code review process for every piece of code you allow onto your servers.

  7. Require that code be vetted for security by the vendor using an automated source code analyser prior to being submitted to you.

  8. Require a comprehensive review of possible vulnerabilities resulting from new external services operating in conjunction with your current services.

  9. Require a report specifying security issues and the measures taken to address them for every task and deliverable from the vendor.

  10. Ensure that best practices for secure program execution are followed, e.g. encryption keys are not passed in the data stream.



Help is at hand


Security-specific companies are able to advise organisations on how to get the most out of their outsourcing partners, ensuring that the code and services being used comply with best practices in software risk mitigation, application vulnerability detection and secure software development.


Through training, research, practices and software tools, companies can achieve the best from outsourcing, permitting a productive and collaborative development environment as well as being able to maintain the integrity and security of their data environment.

Resource Box

Barmak Meftah
Barmak Meftah is a technology industry veteran with over 17 years of experience in enterprise software development, product management and management consulting. Currently he is with Fortify (www.fortify.com). Prior to his appointment at Fortify, Barmak was Vice President of Engineering and Product Management at Sychron. Previously, he spent seven years in various senior management roles at Oracle Corporation within the Server Technologies division. Roles at Oracle included Group Manager for ease of use and manageability product lines as well as Director of Development for the eServices platform.
