
Securing Outsourcing: Building Security Into Outsourced Development Projects

Save money. Speed development. Augment staff resources. Tap expertise not available internally. The reasons for outsourcing application development are many and varied. Outsourcing is, and will continue to be, a significant resource for application development.

There are several overriding security issues that arise when considering outsourced development. These concerns range from the simple coding errors outsourced developers may introduce, like a buffer overflow, to design flaws such as improper access control or unvalidated input. All of these concerns require careful planning, execution and monitoring to verify that they are addressed prior to acceptance of the software from the outsourcer.

Whether driven by policy or regulatory requirements, it is critical that those responsible for evaluating an outsourced application make security one of the principal criteria for acceptance. There must be a mutually agreed-upon process in place to articulate, and allow the certification of, the security of the delivered project. Armed with that information, organizations are then able to manage application risk and balance remediation priorities.

Traditionally, organizations had no reliable, repeatable method for ascertaining whether their security requirements had been met. Instead they relied on best practices and due diligence in selecting a partner, or worse, discovered post-deployment that the delivered code was vulnerable. The Ounce solution now gives organizations an accurate and efficient way to certify outsourced applications through its patented automated software risk analysis:

  • Precise results: Accurate source code analysis with confirmed vulnerabilities, providing objective measures against the agreed security objectives
  • Actionable reporting: Comprehensive dashboard, trend, and compliance reporting to simplify negotiations and remediation
  • Sophisticated remediation advice: Industry-leading knowledgebase that provides guidance to increase productivity and enforce secure coding best practices

Organizations must take into account the issues at stake in outsourcing development projects, including what steps to take to ensure that security requirements are established, implemented, and validated throughout the life of the project.

Trust, But Verify:
How to Manage Risk in Outsourced Software

Read this white paper, which includes frameworks for managing security concerns in outsourced applications, as well as a sample contract addendum for including secure code requirements in RFPs and outsourcing contracts.
