Outsourcing in the age of cybersecurity concerns

What you and your software developer should know about security.

outsourcing ts
Credit: Thinkstock

It’s only natural that security comes up when talking about software development. There’s no denying that poor software development practices and subsequent security issues can go hand in hand. The risks can be alarming. Access to an enterprise’s database can be embedded into code. There could be unknown backdoors and other vulnerabilities, allowing hackers to access customer information like usernames, passcodes, credit cards numbers or other sensitive data. Unfortunately, we hear about this all too often in the news.

“Seemingly on a weekly or even daily basis we learn about a cyber security breach on a major corporation,” notes Udi Mokady, the founder, president and CEO of CyberArk, an IT security solutions company, in a J.P Morgan Q&A. “It used to be that unless you were a bank, credit card processor or manufacturer of military weaponry, cyber attackers wouldn’t bother to zero in on you. Now, no one is safe: everyone has something of value. Cyber attackers have broadened their targets, attacking companies of all sizes in industries such as retail, media, energy, manufacturing and IT services, among others.”

So, outsourcing software engineering must make security more risky then, right? Well, no. Developers themselves are without a doubt aware of the risks. For example, The Software Integrity Risk Report, a study conducted by Forrester Consulting and commissioned by Coverity (now a part of Synopsys), says more than 74 percent of respondents state developers are held more accountable for quality and security goals than a year ago. The study is a survey of 336 software development influencers in North America and Europe, and it explores current practices and market trends for managing software quality, security and safety.

Also, developers in the EMEA regions (Europe, the Middle East and Africa) note extreme concern with security in their development projects, based on the EMEA Development Survey by Evans Data. In fact, many developers have taken steps to safeguard projects and apply security mechanisms to combat threats. Some of the most commonly used, according to Evans Data research, are:

  • Context-aware access control
  • Endpoint threat detection
  • Real-time security analytics
  • Cloud access security control
  • And VM monitoring for threat detection

Good software development outsourcing companies should be on top of quality assurance (QA) and testing best practices, as well as overall security issues. However, before you decide to outsource to a software developer, know what measures will be taken to keep your software hacker-proof, and request that your provider define these steps (or define them together). Ask them to tell you specifically how they’ll test your software for security issues, and what controls they recommend.

The IoT and cloud computing play a factor

Another discussion to have with your software development outsourcer is the connection between the internet of things (IoT), cloud computing and software outsourcing. Many software developers are already deeply and unavoidably involved with these technologies, as more and more apps move to the cloud and as the internet of things grows into the billions of connected devices.

Because of the risks associated with these new technologies and connectivity, security has become one of the most serious concerns for IoT software developers. Likewise, in its Internet of Things Development survey, Evans Data found that more than 46 percent of developers surveyed, who are actively developing for IoT, cited security as the primary challenge facing development and adoption.

“Security is important in every discipline, but no more so than in the Internet of Things development arena,” says Janel Garvin, CEO of Evans Data. “Security breaches in IoT can have very real and devastating consequences, and developers feel that the Cloud is both the glue that holds Internet of Things together and also the weakest link.”

Cybersecure software development

In response to significant hacks and security breaches reported in all the major media outlets, cybersecure software development has become even more critical, and enhancing cybersecurity at an enterprise oftentimes requires hiring and/or training an internal workforce. However, is that an expense your company is ready to take on? A proven and widely used alternative is outsourcing to a certified software outsourcing company.

In effect, organizations expect to outsource even more cybersecurity work — all with risk assessment and mitigation, network monitoring and access management, and repair of compromised systems frequently involved — notes an Intel Security study, Hacking the Skills Shortage: A study of the international shortage in cybersecurity skills. For the study, a total of 775 IT decision-makers involved in cybersecurity within their organization, all from numerous countries were surveyed in May 2016. The respondents were from organizations with at least 500 employees and came from both public and private sectors. More than 60 percent of respondents noted they outsource at least some of their cybersecurity work, says the study, which was conducted in partnership with the Center for Strategic and International Studies.

As you plan your company’s software development roadmap, consider cybersecurity and be aware of these factors that could impact its ROI, according to the Intel Security study: acquisition and implementation costs; management efficiency; effectiveness at reducing cyberattacks; and compatibility with existing technology.

If you’re embarking on a software development journey, use the ideas presented here to have serious conversations with your outsourcing partner about the security qualifications of their developers. With the right team, your software will be developed with security top of mind.

This article is published as part of the IDG Contributor Network. Want to Join?

To comment on this article and other CIO content, visit us on Facebook, LinkedIn or Twitter.
Download the CIO Nov/Dec 2016 Digital Magazine
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.