
A look at the risks of outsourcing IT

InfoSecurity Europe : 12 March, 2009  (Special Report)
Rob Rachwald of Fortify Software offers advice on how to tackle the tricky decision as to whether and how to achieve secure outsourcing

It seems that every day the world becomes more fast-paced and competitive. To stay in the game frequently demands that you turn to outside developers and services in order to meet tight schedules and even tighter budgets and stay ahead of the competition.

Fortunately, there are fewer and fewer barriers preventing access to a worldwide supply of skilled developers and valuable resources. People and services can be located almost anywhere and still contribute to your software development or online presence.

The good news is that the resources are out there. The bad news is that it's your responsibility to maintain security and vigilance over people and practices that often are out of your control in day-to-day business.

Whether you are outsourcing development, services or maintenance, the bottom line is that you are allowing others to create code and run services that your customers will perceive as coming from you—meaning that you are responsible for any functional problems or security breaches.

According to a recent Gartner survey, more than 60 percent of companies do no security risk mitigation at all when outsourcing development. An example of a simple risk mitigation strategy would be to contractually require outsourced developers to adhere to best practices in secure coding. Allowing outside software developers into your shop without demanding that they produce secure code amounts to surrendering to any malicious or insecurely written code they deliver.

Of course it is not simple to guarantee that your programs and data will remain secure once you've allowed outside applications to run on your servers or integrated them into your Web presence. But there are practices you can adopt that will ensure—as much as possible—that you maintain control over the security of your company and customer information.

What's a responsible CISO to do?

1. The best time to enforce security at a service provider is before you sign the contract. Make sure you set out specific and detailed requirements in the contract for what you will and will not accept.
2. Practise due diligence for code handling and access to resources. Specify the minimum amount of sensitive data that will be released to the vendor in order for the vendor to supply the required services.
3. Require coding standards and security requirements in every specification between you and the vendor.
4. Demand metric reports on the security of the vendor's code that are repeatable and verifiable.
5. Require that all security requirements are met before the code is executed in your environment for the first time, with penalties for non-compliance.
6. Where possible, have a comprehensive code review process for every piece of code you allow onto your servers.
7. Require that code be vetted for security by the vendor using an automated source code analyser before it is submitted to you.
8. Require a comprehensive review of the possible vulnerabilities that result from new external services operating in conjunction with your current services.
9. Require a report specifying the security issues found, and the measures taken to address them, for every task and deliverable from the vendor.
10. Ensure that best practices for secure program execution are followed, e.g. encryption keys are not passed in the data stream.

Companies such as Fortify Software are able to advise organisations on how to get the most out of their outsourcing partners, ensuring that the code and services they use comply with best practices in software risk mitigation, application vulnerability detection and secure software development.

Through training, research, practices and software tools, companies can get the best from outsourcing: a productive and collaborative development environment, while still maintaining the integrity and security of their own data environment.