IBM and Rational Software talk a lot about outsourcing in general, and especially about security in outsourced software development projects. There you can find fresh information and a new perspective on security in outsourcing contracting and subcontracting, risk management, and code and data management products such as Rational AppScan. White papers, video and audio podcasts are also available.


Today we would like to review and highlight the white paper by Ryan Berg, IBM Senior Security Architect, called “Trust, but Verify. How to manage risk in outsourced applications”.

It covers the most important aspects of security in outsourcing and subcontracting, secure code transfer, etc. The original white paper can be downloaded from IBM’s official website.

Save money. Speed development. Augment staff resources. Tap expertise not available internally. The reasons for outsourcing application development are many and varied. Outsourcing can be a cost-effective and efficient solution to the demand for new and specialized applications in today’s Internet-based marketplace.

It is absolutely critical, however, that the team responsible for evaluating the outsourced application makes security one of its principal criteria prior to acceptance of each release. There must be a mutually agreed-upon process to articulate and certify the security of the delivered project. Armed with that information, organizations can manage application risk and balance remediation priorities. This white paper:

  • Discusses the need for addressing security concerns in outsourced applications
  • Outlines a framework for addressing these concerns with outsourcing partners
  • Explores the role of source code review and related technologies to assess and certify outsourced applications

Ensuring the security of the applications that drive organizations can no longer be an afterthought. While it should not be assumed that a software vendor would intend to maliciously insert vulnerabilities into these applications, most vulnerabilities are introduced through lack of training in secure coding practices or insufficiently careful coding when confronted with tight delivery schedules and burgeoning requirements. There are now ways to investigate, repair, and validate the security of the mission-critical applications on which businesses rely, whether developed in-house or by an outsourcing partner.

The benefits of security assurance to the organization include the following:

  • Reduced liability. Addressing vulnerabilities prior to deployment reduces exposure to external and internal threats.
  • Compliance. The reporting and audit requirements are part of the acceptance process. Auditors, compliance officers, and regulators can easily monitor the process of security assurance.
  • Data Integrity. Software security assurance increases confidence in data integrity and in the business processes that are critical to the organization’s mission.
  • Contained cost. The cost of identifying or remediating vulnerabilities in code developed by third parties is a major unplanned expense if not proactively addressed in an SLA. The cost of a security breach to a business can be devastating.
  • Availability and stability. More secure software means an increased ability to withstand attack and compromise, and the increased availability of critical systems.

Explicitly identifying the security requirements of an outsourced project upfront, understanding its value to the organization’s mission, and setting acceptance criteria within the contract itself are critical components to ensure that the code delivered by the outsourcing provider is secure. The knowledge and tools are now available to make it practical and possible to evaluate the security of source code prior to acceptance, and to validate an outsourcer’s compliance.