by Steve Mezak

Cybersecurity considerations for outsourcing software development

Opinion
Oct 18, 2017
CybercrimeEnterprise ApplicationsSecurity

How to protect your information assets and productivity gains through software outsourcing

outsourcing ts
Credit: Thinkstock

The continued vigilance required by CIOs and their staff for cybersecurity is, frankly, exhausting. Threats to the integrity of the systems we manage are no longer limited to “cyber attacks” or “cyber theft”. Now, even small business owners are targets of “cyber terrorism”: attacks that are orchestrated by organized groups, or even formally organized teams within a foreign government!

Yet, despite the daunting rise in attacks coming directly from shadowy figures who reside on the dark web, industry experts continue to point out that the majority of security breaches stem from unintentional negligence of trusted insiders (employees, vendor-partners). In fact, some of the most infamous cyber incidents have been traced to a root issue of employee error (e.g, Equifax) and/or vendor error (eg. Target).

Outsourcing is a useful option and, for many IT executives a core strategy for effective operation. A knee-jerk reaction to turn back the time machine and “insource everything” is not necessary, and not a practical reaction to cybersecurity threats.

Therefore, take thoughtful steps to protect your information assets, and protect the productivity gains that you realize through outsourcing.

Assess your risk

You should have already performed a risk assessment of your current systems portfolio: understanding the potential exposure your company faces if a system fails or otherwise becomes corrupted. If not, then start off right with your next outsourced development project and engage an experienced company to perform a risk assessment.

  • Inventory what applications are, or will be, developed by the outsourcing partner.
  • Define what potential risk each application poses (shipping disruption, impact to orders, etc.)
  • Be sure to quantify the business and dollar impact.

Also, assess the security and infrastructure environment through which software development will flow: from design to production deployment. Especially in high collaboration situations like Agile development, you want to take a full view of the digital touch points between yourself and the vendor partner.

Use best practices

Lean into current best practices and security standards will help you navigate around typical security flaws that are unintentionally engineered into systems. For example, we look to guidelines established by the Open Web Application Security Project (OWASP). (The OWASP Top 10 is an extremely useful reference.)

Don’t be afraid to push back on requests for low-level (admin authority) system credentials from the outsourced development team. Anyone who has participated in an audit of IT General Controls knows that admin rights which are too broad, or too widely distributed is a major red flag. If you restrict your outsourcing partner’s system credentials, your company’s software engineers or administrators may have to oversee code base install or software promotion from development to production, but the integrity of your systems is worth the extra effort.

Conduct penetration (pen) testing

Software testing is certainly a standard part of a software development project. However, the appropriate testing of the cybersecurity elements of software is often lacking. We find our customers too often minimize the need for robust penetration testing. It’s imperative for you to perform effective penetration testing whether you outsource or develop software internally.

You might ask, “What kind of pen testing: White Box, Black Box, Grey Box?” Our answer is “Yes – all of the above”.

pen test chart Accelerance, Inc.

Industry standards provide a useful guide for your penetration testing plans. In particular we look to testing guidelines provided by:

  • National Institute of Standards and Technology (NIST)
  • Open Web Application Security Project (OWASP)
  • Open Source Security Testing Methodology Manual (OSSTMM)

These standards and guidelines are a lot to digest. It takes specialized knowledge and expertise to conduct a Pen Test that your software development team most likely lacks. Consider outsourcing your Pen Testing to a different company than the one(s) you use for outsourced software development.

Know your software outsourcing partner

Get to know your software outsourcing partner intimately. Familiarize yourself with their hiring practices, training/certification programs, and even the attributes of their workplace, from a physical and cybersecurity perspective.

  • Confirm what security-related certifications are held – and perpetually maintained by the technical team.
  • Ask what security policies are in place – and how they are enforced.
  • What protections are in place in their work environment: physical office security, software antivirus and malware protection, firewalls, etc.?
  • Does the company conform to standards such as ISO 27001?

Regarding Security Certifications – here are a few certifications which may be relevant to your outsourced DevOps professionals in your outsourced technology environment (and in-house ones, too):

  • ECSP: EC-Council Certified Secure Programmer
  • CSSLP: Certified Secure Software Lifecycle Professional
  • GSSP-JAVA: GIAC Secure Software Programmer-Java
  • GWEB: GIAC Certified Web Application Defender
  • GSSP-.NET: GIAC Secure Software Programmer – .NET
  • CEH: Certified Ethical Hacker
  • CES: Certified Encryption Specialist

Software outsourcing can be secure

Most IT departments are aware that a new, higher standard for cybersecurity exists – and an internal culture of security awareness is required. Just because you use outsourcing as a way to deliver software, doesn’t mean you can abdicate your standards or lower them because a third party is in the mix. Outsourcing can be done successfully – and that includes software that is securely engineered and delivered by a programming team that adheres to the same high level of security consciousness your internal staff adheres to.