How To Ensure Outsourced Software Development Is Secure

  • May 2020
  • PDF

This document was uploaded by user and they confirmed that they have the permission to share it. If you are author or own the copyright of this book, please report to us by using this DMCA report form. Report DMCA


Overview

Download & View How To Ensure Outsourced Software Development Is Secure as PDF for free.

More details

  • Words: 1,252
  • Pages: 3
Comment Article IT Analysis – How to ensure outsourced software development is secure By Fran Howarth, Principal Analyst, Quocirca Ltd

It depends on who you ask, but Codenomicom of Finland, a provider of software testing tools, reckons that 80% of security problems are caused by programmers writing insecure code. Much of this is the result of development schedules being too tight. Given that software applications contain thousands or even millions of lines of code, it is more than likely that some programming errors are made that could leave the application vulnerable to attack. The fact that software applications can contain flaws is nothing new. But a recent survey by Quocirca of 250 organisations, commissioned by Fortify Software, shows that not only are businesses increasingly relying on bespoke or modified software applications, which they see as critical for their business, but not enough of them are employing automated tools for testing those applications for security vulnerabilities. Another practice that is increasingly being seen is the outsourcing of code development to third parties. This can be a less costly option than developing the code in-house, especially where a business does not have sufficient resources of its own. But when such an essential process is placed in the hands of a contractor, extra care must be taken to ensure that secure coding practices are used and that applications are thoroughly tested. Failure to thoroughly police the software development process has far reaching consequences. If a hacker is able to exploit a flaw in the software, they could use it to attack the application in order to steal sensitive personal or organisational information. In today's increasingly regulated world, this is something that can cost organisations dear, not just in terms of the price tag for cleaning up after the attack, but in lost business owing to the negative publicity that is likely to ensue.

© 2008 Quocirca Ltd

But if a flaw is found in software that was developed by a third party, who should bear the responsibility for fixing those errors? If an organisation bought an appliance such as a printer that was found to be faulty, resulting in a fire on its premises, it is in a position to sue the manufacturer and claim compensation. In the same way, liability for faulty software should be pushed to the contractor to which it was outsourced and should be written into the contract. When outsourcing any business process to a third party, it is essential that a good contract is written and that a watertight service-level agreement is put in place. This is something that some regulations actually mandate when outsourcing application development. For example, the FFIEC (Federal Financial Institutions Examination Council) implementation guide for GLBA (Gramm-Leach-Bliley Act) states that organisations must establish a vendor management programme that includes "establishing security requirements, acceptance criteria, test plans, and reviewing and testing source code for security vulnerabilities." This may be a US regulation, but its impact is being felt by some European organisations as well, and there are a host of other regulations demanding higher levels of security. Technology vendor Ounce Labs has been advising organisations since 2002 on how to work with outsourcers to ensure that code is developed with security in mind and that the appropriate testing tools are used. It has worked with lawyers to develop suitable contracts for organisations to use, which it makes available on its website. According to Ounce Labs, the following are some best practices that organisations should follow when outsourcing software code development:

http://www.quocirca.com

Define upfront what is meant by security, including the security environment in which the application is to be used and what other resources could be exposed

+44 118 948 3360

Comment Article by a security vulnerability, and include the definition in the contract put in place Validate the security mechanisms to be used upfront and set requirements for their use Ensure that the third party is using software coding best practices and that they are documented and validated Demand proof of the level of training, skills and security awareness among the third party's development staff Ensure that expectations are laid out in the service-level agreement, including milestones and deliverables Define acceptance criteria for the security of applications delivered Provide a list of the most critical flaws that are deemed unacceptable Mandate measures for certifying that code is secure, including the use of automated testing tools Define steps required in the audit process and ensure that all code is audited and certified before payment is made Ensure that the right to audit code and perform security checks is written into the contract Define processes for remediation by the third party and ensure that responsibility for bearing the costs of remediation or legal liability, even after the application has been delivered, are written into the contract Specify in the contract that security checks and monitoring will be continued throughout the lifecycle of that application and lay out the third party's responsibility for fixing flaws found at a later date. Such practices will ensure that the most secure code possible is delivered, leaving organisations less vulnerable to security incidents. But, given the size of most software applications and the fact that it is almost impossible to write prefect code, however small the program, organisations that follow the practices outlined above will also have covered their backs be ensuring that the responsibility for fixing vulnerabilities lies firmly in the hands of the outsourcer—something that is essential since flaws discovered once an application is in use are the most expensive to fix.

© 2008 Quocirca Ltd

http://www.quocirca.com

+44 118 948 3360

Comment Article

About Quocirca Quocirca is a primary research and analysis company specialising in the business impact of information technology and communications (ITC). With world-wide, native language reach, Quocirca provides in-depth insights into the views of buyers and influencers in large, mid-sized and small organisations. Its analyst team is made up of realworld practitioners with first hand experience of ITC delivery who continuously research and track the industry and its real usage in the markets. Through researching perceptions, Quocirca uncovers the real hurdles to technology adoption – the personal and political aspects of an organisation’s environment and the pressures of the need for demonstrable business value in any implementation. This capability to uncover and report back on the end-user perceptions in the market enables Quocirca to advise on the realities of technology adoption, not the promises. Quocirca research is always pragmatic, business orientated and conducted in the context of the bigger picture. ITC has the ability to transform businesses and the processes that drive them, but often fails to do so. Quocirca’s mission is to help organisations improve their success rate in process enablement through better levels of understanding and the adoption of the correct technologies at the correct time. Quocirca has a pro-active primary research programme, regularly surveying users, purchasers and resellers of ITC products and services on emerging, evolving and maturing technologies. Over time, Quocirca has built a picture of long term investment trends, providing invaluable information for the whole of the ITC community. Quocirca works with global and local providers of ITC products and services to help them deliver on the promise that ITC holds for business. Quocirca’s clients include Oracle, Microsoft, IBM, Dell, T-Mobile, Vodafone, EMC, Symantec and Cisco, along with other large and medium sized vendors, service providers and more specialist firms.

Details of Quocirca’s work and the services it offers can be found at http://www.quocirca.com

© 2008 Quocirca Ltd

http://www.quocirca.com

+44 118 948 3360

Related Documents