How to protect your information assets and productivity gains through software outsourcing

The continued vigilance required by CIOs and their staff for cybersecurity is, frankly, exhausting. Threats to the integrity of the systems we manage are no longer limited to “cyber attacks” or “cyber theft”. Now, even small business owners are targets of “cyber terrorism”: attacks that are orchestrated by organized groups, or even formally organized teams within a foreign government!

Yet, despite the daunting rise in attacks coming directly from shadowy figures who reside on the dark web, industry experts continue to point out that the majority of security breaches stem from unintentional negligence of trusted insiders (employees, vendor-partners). In fact, some of the most infamous cyber incidents have been traced to a root issue of employee error (e.g., Equifax) and/or vendor error (e.g., Target).

Outsourcing is a useful option and, for many IT executives, a core strategy for effective operation. A knee-jerk reaction to turn back the time machine and “insource everything” is not necessary, and not a practical reaction to cybersecurity threats. Therefore, take thoughtful steps to protect your information assets, and protect the productivity gains that you realize through outsourcing.

Assess your risk

You should have already performed a risk assessment of your current systems portfolio: understanding the potential exposure your company faces if a system fails or otherwise becomes corrupted. If not, then start off right with your next outsourced development project and engage an experienced company to perform a risk assessment. Inventory what applications are, or will be, developed by the outsourcing partner. Define what potential risk each application poses (shipping disruption, impact to orders, etc.). Be sure to quantify the business and dollar impact.
Also, assess the security and infrastructure environment through which software development will flow: from design to production deployment. Especially in high-collaboration situations like Agile development, you want to take a full view of the digital touch points between yourself and the vendor partner.

Use best practices

Leaning into current best practices and security standards will help you navigate around typical security flaws that are unintentionally engineered into systems. For example, we look to guidelines established by the Open Web Application Security Project (OWASP). (The OWASP Top 10 is an extremely useful reference.)

Don’t be afraid to push back on requests for low-level (admin authority) system credentials from the outsourced development team. Anyone who has participated in an audit of IT General Controls knows that admin rights which are too broad, or too widely distributed, are a major red flag. If you restrict your outsourcing partner’s system credentials, your company’s software engineers or administrators may have to oversee code base install or software promotion from development to production, but the integrity of your systems is worth the extra effort.

Conduct penetration (pen) testing

Software testing is certainly a standard part of a software development project. However, the appropriate testing of the cybersecurity elements of software is often lacking. We find our customers too often minimize the need for robust penetration testing. It’s imperative for you to perform effective penetration testing whether you outsource or develop software internally. You might ask, “What kind of pen testing: White Box, Black Box, Grey Box?” Our answer is “Yes – all of the above”.

Industry standards provide a useful guide for your penetration testing plans.
In particular, we look to testing guidelines provided by:

National Institute of Standards and Technology (NIST)
Open Web Application Security Project (OWASP)
Open Source Security Testing Methodology Manual (OSSTMM)

These standards and guidelines are a lot to digest. It takes specialized knowledge and expertise to conduct a pen test that your software development team most likely lacks. Consider outsourcing your pen testing to a different company than the one(s) you use for outsourced software development.

Know your software outsourcing partner

Get to know your software outsourcing partner intimately. Familiarize yourself with their hiring practices, training/certification programs, and even the attributes of their workplace, from a physical and cybersecurity perspective. Confirm what security-related certifications are held – and perpetually maintained – by the technical team. Ask what security policies are in place – and how they are enforced. What protections are in place in their work environment: physical office security, software antivirus and malware protection, firewalls, etc.? Does the company conform to standards such as ISO 27001?

Regarding security certifications – here are a few certifications which may be relevant to your outsourced DevOps professionals in your outsourced technology environment (and in-house ones, too):

ECSP: EC-Council Certified Secure Programmer
CSSLP: Certified Secure Software Lifecycle Professional
GSSP-JAVA: GIAC Secure Software Programmer – Java
GWEB: GIAC Certified Web Application Defender
GSSP-.NET: GIAC Secure Software Programmer – .NET
CEH: Certified Ethical Hacker
CES: Certified Encryption Specialist

Software outsourcing can be secure

Most IT departments are aware that a new, higher standard for cybersecurity exists – and an internal culture of security awareness is required.
Just because you use outsourcing as a way to deliver software doesn’t mean you can abdicate your standards or lower them because a third party is in the mix. Outsourcing can be done successfully – and that includes software that is securely engineered and delivered by a programming team that adheres to the same high level of security consciousness your internal staff adheres to.