The continued vigilance required by CIOs and their staff for cybersecurity is, frankly, exhausting. Threats to the integrity of the systems we manage are no longer limited to "cyber attacks" or "cyber theft". Now, even small business owners are targets of "cyber terrorism": attacks that are orchestrated by organized groups, or even by formally organized teams within a foreign government.
Yet, despite the daunting rise in attacks coming directly from shadowy figures on the dark web, industry experts continue to point out that the majority of security breaches stem from the unintentional negligence of trusted insiders (employees and vendor-partners). In fact, some of the most infamous cyber incidents have been traced to a root cause of employee error (e.g., Equifax) and/or vendor error (e.g., Target).
Outsourcing is a useful option and, for many IT executives, a core strategy for effective operation. A knee-jerk reaction to turn back the clock and "insource everything" is neither necessary nor a practical response to cybersecurity threats.
Therefore, take thoughtful steps to protect your information assets, and protect the productivity gains that you realize through outsourcing.
Assess your risk
You should already have performed a risk assessment of your current systems portfolio: understanding the potential exposure your company faces if a system fails or is otherwise compromised. If not, then start off right with your next outsourced development project and engage an experienced company to perform a risk assessment.

Inventory what applications are, or will be, developed by the outsourcing partner.
Define what potential risk each application poses (shipping disruption, impact to orders, etc.).
Be sure to quantify the business and dollar impact.

Also, assess the security and infrastructure environment through which software development will flow, from design to production deployment.
Especially in high-collaboration situations like Agile development, you want to take a full view of the digital touch points between yourself and the vendor partner.
Use best practices
Leaning on current best practices and security standards will help you navigate around the typical security flaws that are unintentionally engineered into systems. For example, we look to guidelines established by the Open Web Application Security Project (OWASP). (The OWASP Top 10 is an extremely useful reference.)
Don't be afraid to push back on requests for privileged (admin authority) system credentials from the outsourced development team. Anyone who has participated in an audit of IT General Controls knows that admin rights that are too broad, or too widely distributed, are a major red flag. If you restrict your outsourcing partner's system credentials, your company's own software engineers or administrators may have to oversee code base installation or software promotion from development to production, but the integrity of your systems is worth the extra effort.
Conduct penetration (pen) testing
Software testing is certainly a standard part of a software development project. However, appropriate testing of the cybersecurity elements of software is often lacking. We find our customers too often minimize the need for robust penetration testing. It is imperative that you perform effective penetration testing whether you outsource or develop software internally.
You might ask, "What kind of pen testing: White Box, Black Box, Grey Box?" Our answer is "Yes – all of the above".
Accelerance, Inc.
Industry standards provide a useful guide for your penetration testing plans. In particular we look to testing guidelines provided by:

National Institute of Standards and Technology (NIST)
Open Web Application Security Project (OWASP)
Open Source Security Testing Methodology Manual (OSSTMM)

These standards and guidelines are a lot to digest.
It takes specialized knowledge and expertise to conduct a pen test, expertise that your software development team most likely lacks. Consider outsourcing your pen testing to a different company than the one(s) you use for outsourced software development, so that the testers are independent of the team whose code they are testing.
Know your software outsourcing partner
Get to know your software outsourcing partner intimately. Familiarize yourself with their hiring practices, training/certification programs, and even the attributes of their workplace, from a physical and cybersecurity perspective.

Confirm what security-related certifications are held, and continuously maintained, by the technical team.
Ask what security policies are in place, and how they are enforced.
What protections are in place in their work environment: physical office security, antivirus and malware protection, firewalls, etc.?
Does the company conform to standards such as ISO 27001?

Regarding security certifications, here are a few which may be relevant to the DevOps professionals in your outsourced technology environment (and to in-house ones, too):

ECSP: EC-Council Certified Secure Programmer
CSSLP: Certified Secure Software Lifecycle Professional
GSSP-JAVA: GIAC Secure Software Programmer - Java
GWEB: GIAC Certified Web Application Defender
GSSP-.NET: GIAC Secure Software Programmer - .NET
CEH: Certified Ethical Hacker
CES: Certified Encryption Specialist

Software outsourcing can be secure
Most IT departments are aware that a new, higher standard for cybersecurity exists, and that an internal culture of security awareness is required. Just because you use outsourcing as a way to deliver software doesn't mean you can abdicate your standards, or lower them because a third party is in the mix. Outsourcing can be done successfully, and that includes software that is securely engineered and delivered by a programming team that adheres to the same high level of security consciousness your internal staff adheres to.
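To make the credential point from the "Use best practices" section concrete, here is an added example that is not code from the original article or from Accelerance: a small Python access-review check of the kind an IT General Controls audit would run. It flags vendor accounts holding admin or production-deploy rights, systems whose admin right is handed to more accounts than a threshold, and accounts that can both deploy to development and promote to production on the same system. The grant list, account and system names, right names, the admin threshold and the separation-of-duties rule are all constructed assumptions for illustration.

```python
"""Access-review check for outsourced development accounts (added example).

Flags three IT General Controls red flags:
  1. vendor accounts holding restricted rights (admin, prod_deploy);
  2. systems where the admin right is distributed to too many accounts;
  3. accounts that can both deploy to development and promote to production
     (the separation-of-duties rule assumed here).
Every grant below is constructed sample data, not a real inventory.
"""
from collections import defaultdict

# Rights an outsourced development team should not hold directly (assumption).
RESTRICTED_FOR_VENDORS = {"admin", "prod_deploy"}

# Assumed threshold: more than this many admins on one system is "too widely distributed".
MAX_ADMINS_PER_SYSTEM = 2

# Constructed sample grants: (account, organisation, system, right).
SAMPLE_GRANTS = [
    ("alice",       "internal", "orders-api",   "admin"),
    ("bob",         "internal", "orders-api",   "prod_deploy"),
    ("carol",       "internal", "orders-api",   "admin"),
    ("dave",        "internal", "orders-api",   "admin"),
    ("vendor-dev1", "vendor",   "orders-api",   "dev_deploy"),
    ("vendor-dev2", "vendor",   "orders-api",   "admin"),
    ("vendor-dev3", "vendor",   "shipping-svc", "prod_deploy"),
    ("vendor-dev3", "vendor",   "shipping-svc", "dev_deploy"),
]


def find_vendor_violations(grants):
    """Vendor accounts holding a right that should stay with internal staff."""
    return sorted(
        (account, system, right)
        for account, org, system, right in grants
        if org == "vendor" and right in RESTRICTED_FOR_VENDORS
    )


def find_broad_admin(grants, max_admins=MAX_ADMINS_PER_SYSTEM):
    """Systems whose admin right is held by more than max_admins accounts."""
    admins = defaultdict(set)
    for account, _org, system, right in grants:
        if right == "admin":
            admins[system].add(account)
    return {system: sorted(accts) for system, accts in admins.items()
            if len(accts) > max_admins}


def find_self_promotion(grants):
    """Accounts holding both dev_deploy and prod_deploy on the same system."""
    rights = defaultdict(set)
    for account, _org, system, right in grants:
        rights[(account, system)].add(right)
    return sorted(key for key, held in rights.items()
                  if {"dev_deploy", "prod_deploy"} <= held)


def review(grants):
    """Run all three checks; an all-empty report means the review passed."""
    return {
        "vendor_violations": find_vendor_violations(grants),
        "broad_admin": find_broad_admin(grants),
        "self_promotion": find_self_promotion(grants),
    }


def passed(grants):
    """True only when no check produced a finding."""
    return not any(review(grants).values())


if __name__ == "__main__":
    report = review(SAMPLE_GRANTS)
    for account, system, right in report["vendor_violations"]:
        print(f"VENDOR HOLDS RESTRICTED RIGHT: {account} has {right} on {system}")
    for system, accts in report["broad_admin"].items():
        print(f"ADMIN TOO WIDELY DISTRIBUTED: {system} has {len(accts)} admins: {', '.join(accts)}")
    for account, system in report["self_promotion"]:
        print(f"NO SEPARATION OF DUTIES: {account} can both develop and promote on {system}")
    print("PASS" if passed(SAMPLE_GRANTS) else "FAIL")
```

On the constructed data the review fails: vendor-dev2 holds admin on orders-api, vendor-dev3 can promote its own work on shipping-svc, and orders-api has four admins. In practice the grant list would be exported from your identity provider or CI/CD system, and the check would run on a schedule so that rights granted "temporarily" to a vendor do not quietly become permanent.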