Best Practices for Securing Outsourced Development
Outsourcing application development allows organizations to realize cost savings and provides the flexibility necessary to scale. However, it also introduces significant risk in the form of security vulnerabilities and malicious backdoors. Enterprises face an uphill battle in controlling security risks across their extended software supply chain. Identifying, controlling and reducing the unbounded risk and capital requirements currently absorbed by organizations resulting from insecure software are critical. Veracode recommends five key steps which help enterprises implement security into their outsourced application development.
1. Take a Risk-Based Approach to Application Security
You have selected an application as a good candidate for outsourcing, but it is also necessary to understand its impact to the business. Determining business criticality, or assurance level, is an important step in obtaining a clear understanding of the security risk in your outsourced application portfolio. The business criticality should be based on six core potential impact dimensions including a.) inconvenience, distress or damage to standing or reputation; b.) financial loss or agency liability; c.) harm to organization programs or stakeholders; d.) unauthorized release of sensitive information; e.) personal safety and f.) civil or criminal violations. Download a worksheet to determine the business criticality of your applications…
2. Establish Security Metrics and SLAs with Outsourcing Providers
Outsourced software development contracts typically emphasize features, quality, time and costs. Thus, the burden and risks of application security has fallen solely on the enterprise. Organizations need to establish clear metrics and SLAs surrounding application security with their outsourcing partners as part of the procurement and contract processes. Download sample language that you can embed in your development contracts and RFPs…
3. Conduct Independent Application Security Testing
Gartner recommends that application security testing should be mandatory for all outsourced development and maintenance. However, until now, true testing of third-party software has been nearly impossible due to the high cost and effort required to conduct manual code reviews and the availability of source code. Veracode provides an independent rating for software security risk based on its automated, on-demand service that allows Veracode to analyze 100 % of outsourced code without requiring access to source code or requiring costly manual code reviews.
4. Set Security Thresholds and Remediation Rules for Outsourced Applications
Enterprises can leverage software security ratings to decide which applications are secure enough to be accepted or deployed and which applications need remediation by the outsourcing provider before software acceptance. Perhaps equally as important is to specifically call out “remediation rules” in the development contract. Frequently, the parties have very different views on what constitutes remediation. Remediation rules detail who is responsible for fixing security issues, remediation closure re-testing, and expected resolution timelines.
5. Outsource Applications to Providers That Have Obtained Security Verification
Application security expertise should become a key element in the evaluation of outsourced application partners. As part of their selection process, enterprises should ensure that they work only with partners that have been formally validated by an independent quality seal of approval such as Veracode’s “Verified by Veracode” assurance program.