The continued vigilance required by CIOs and their staff for cybersecurity is, frankly, exhausting. Threats to the integrity of the systems we manage are no longer limited to “cyber attacks” or “cyber theft”. Now, even small business owners are targets of “cyber terrorism”: attacks that are orchestrated by organized groups, or even formally organized teams within a foreign government!
Yet, despite the daunting rise in attacks coming directly from shadowy figures who reside on the dark web, industry experts continue to point out that the majority of security breaches stem from the unintentional negligence of trusted insiders (employees, vendor-partners). In fact, some of the most infamous cyber incidents have been traced to a root cause of employee error (e.g., Equifax) and/or vendor error (e.g., Target).
Outsourcing is a useful option and, for many IT executives, a core strategy for effective operation. A knee-jerk reaction to turn back the clock and “insource everything” is neither necessary nor a practical response to cybersecurity threats.
Therefore, take thoughtful steps to protect your information assets, and protect the productivity gains that you realize through outsourcing.
Assess your risk
You should have already performed a risk assessment of your current systems portfolio: understanding the potential exposure your company faces if a system fails or otherwise becomes corrupted. If not, then start off right with your next outsourced development project and engage an experienced company to perform a risk assessment.
Inventory what applications are, or will be, developed by the outsourcing partner.
Define what potential risk each application poses (shipping disruption, impact to orders, etc.)
Be sure to quantify the business and dollar impact.
Also, assess the security and infrastructure environment through which software development will flow, from design to production deployment. Especially in high-collaboration situations like Agile development, you want to take a full view of the digital touch points between yourself and the vendor partner.
Use best practices
Leaning into current best practices and security standards will help you navigate around the typical security flaws that are unintentionally engineered into systems. For example, we look to guidelines established by the Open Web Application Security Project (OWASP). (The OWASP Top 10 is an extremely useful reference.)
Don’t be afraid to push back on requests for low-level (admin authority) system credentials from the outsourced development team. Anyone who has participated in an audit of IT General Controls knows that admin rights that are too broad, or too widely distributed, are a major red flag. If you restrict your outsourcing partner’s system credentials, your company’s software engineers or administrators may have to oversee code-base installation or software promotion from development to production, but the integrity of your systems is worth the extra effort.
Conduct penetration (pen) testing
Software testing is certainly a standard part of a software development project. However, appropriate testing of the cybersecurity elements of software is often lacking. We find that our customers too often minimize the need for robust penetration testing. It is imperative that you perform effective penetration testing whether you outsource or develop software internally.
You might ask, “What kind of pen testing: White Box, Black Box, Grey Box?” Our answer is “Yes – all of the above”.
Industry standards provide a useful guide for your penetration testing plans. In particular we look to testing guidelines provided by:
National Institute of Standards and Technology (NIST)
Open Web Application Security Project (OWASP)
Open Source Security Testing Methodology Manual (OSSTMM)
These standards and guidelines are a lot to digest. Conducting a pen test takes specialized knowledge and expertise that your software development team most likely lacks. Consider outsourcing your pen testing to a different company than the one(s) you use for outsourced software development.
Know your software outsourcing partner
Get to know your software outsourcing partner intimately. Familiarize yourself with their hiring practices, training/certification programs, and even the attributes of their workplace, from a physical and cybersecurity perspective.
Confirm what security-related certifications are held, and continuously maintained, by the technical team.
Ask what security policies are in place – and how they are enforced.
What protections are in place in their work environment: physical office security, software antivirus and malware protection, firewalls, etc.?
Does the company conform to standards such as ISO 27001?
Regarding Security Certifications – here are a few certifications which may be relevant to your outsourced DevOps professionals in your outsourced technology environment (and in-house ones, too):
Most IT departments are aware that a new, higher standard for cybersecurity exists and that an internal culture of security awareness is required. Just because you use outsourcing as a way to deliver software doesn’t mean you can abandon your standards or lower them because a third party is in the mix. Outsourcing can be done successfully, and that includes software that is securely engineered and delivered by a programming team that adheres to the same high level of security consciousness your internal staff adheres to.
Steve Mezak is the founder and CEO of Accelerance Inc., changing how companies everywhere search for and partner with high-quality global software teams. In this role, he oversees Accelerance’s overall operations, drives strategy for business development and leads the cultivation and recruitment of international partner firms. A technical entrepreneur and internationally recognized outsourcing expert and speaker, Steve has more than 20 years of experience in the IT industry, moving from writing software code to facilitating and managing software development teams and budgets.
Steve came up with Accelerance’s business idea based on his own experience working with an outsourced programming team in Russia in 1998. Then he realized there was no easy way to find qualified engineering firms overseas. He founded Accelerance in 2001 with the goal of helping clients find and select an outsourcing partner that best serves their technical needs and aligns with their corporate culture. Steve has spent the past 15 years traveling the globe and interviewing thousands of software development teams to build Accelerance’s network of partner companies.
Prior to joining Accelerance, Steve co-founded and served as CEO of SendOrder.com Inc., a B2B e-commerce site. Before that, he served as vice president of technical services at Digital Market Inc., an online marketplace for electronic parts that was acquired by Agile Software in 1999. He also co-founded and served as the director of engineering at Aspect Development Inc., a B2B software development company that was acquired by i2 Technologies in 2000.
Steve holds a bachelor’s degree in computer science from Worcester Polytechnic Institute in Massachusetts. He is the proud father of five children, two of whom served in the U.S. Marine Corps, and enjoys recreational water sports including wakeboarding and wake surfing.
The opinions expressed in this blog are those of Steve Mezak and do not necessarily represent those of IDG Communications Inc. or its parent, subsidiary or affiliated companies.