Outsourcing is a very common practice today, whether you outsource a specific
facet of your business or a fringe business need. However, have you done
enough to protect your business and your customers' data? How much is enough?
This article will help answer these questions. It is part 2 of 2 on
outsourcing practices, and deals specifically with the pitfalls of
outsourcing software development.
Software Development Outsourcing
A brief recap: Cybersecurity, or information security is a large topic with many facets.
In this article, I would like to focus on the practice of outsourcing and the risks that it introduces. Many of us are aware of the benefits of outsourcing:
- Outsourcing can significantly reduce the operating and development expenses of a company.
- It’s also a great way to reuse someone else’s expertise without having to make an investment in your own staff or product.
However, in today’s environment where data breaches and associated liabilities are rampant, you need to be aware of the risks that come with outsourcing in order to mitigate that risk.
As with any risk management program, an organization needs to understand what has priority to be protected and what its relative worth is, in order to determine how best to protect it. The legal frameworks that may add requirements in your jurisdiction (i.e. GDPR, PIPEDA, HIPAA/HITECH, etc.), or in your customers' jurisdictions, also need to be considered. Once this exercise is complete, we can move forward to determining risk and the value of the assets at risk. This discussion about the priority and value of assets should be undertaken before any discussions with outsourcing companies, as it may add to or drive some of the requirements placed on the outsourcer.
In many cases, regulations such as the GDPR, PIPEDA, and HIPAA/HITECH provide guidance to understanding how best to protect and handle the information that end consumers entrust to us.
In the case of software outsourcing, the base contractual due diligence required (from a security perspective) is similar to what I described in the prior article, Outsourcing part 1 of 2 - Services, about service and product outsourcing. Please visit that article for more of that detail.
With software outsourcing, the contractual and legal issues still apply. The primary difference is the nature of the access being granted. Software developers will, necessarily, need to develop algorithms and routines in order to provide proper functionality. They will also need access to test data and test systems and, in some cases, production data and systems in order to troubleshoot problems. This level of access requires an inordinate amount of trust and places the outsourced developer deep inside the data security realm, a position not that different from a direct employee. Said another way, the developer will understand, and have access to, the innermost workings of your software and consequently represents significant risk to the organization.
Outsourced development needs to have an appropriate level of in-house oversight to mitigate the potential risk posed by outsourced developers.
Threat vectors:
- Backdoor
- Denial of Service attacks
- Eavesdropping
- Privilege escalation
- Spoofing
- Tampering
Protections need to be put into place:
- Independent quality assurance
- Independent software auditors
- Independent Source Code Control with commit approval process
- Ring-fenced development and testing systems
- Anonymized data and a process to create anonymized data for testing
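As an added example (not code from the original article), the last two protections can be combined: production-like records are pseudonymized with a key held in-house before they enter the ring-fenced test systems, so outsourced developers work with realistic data that still joins across tables but never exposes a real customer. The records, field names and key are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample records; not real customers.
PRODUCTION_RECORDS = [
    {"customer_id": "1001", "email": "alice@example.com", "name": "Alice Smith",
     "dob": "1984-03-14", "card_last4": "4242", "plan": "gold"},
    {"customer_id": "1002", "email": "bob@example.org", "name": "Bob Jones",
     "dob": "1990-11-02", "card_last4": "1111", "plan": "silver"},
    {"customer_id": "1001", "email": "alice@example.com", "name": "Alice Smith",
     "dob": "1984-03-14", "card_last4": "4242", "plan": "gold"},
]

# Fields that identify a person and must never reach a test system in the clear.
DIRECT_IDENTIFIERS = ("customer_id", "email", "name", "card_last4")

def pseudonym(secret: bytes, field: str, value: str, length: int = 12) -> str:
    """Keyed, deterministic token. Equal inputs give equal tokens, so joins
    across tables survive; without the key (kept in-house, never given to the
    outsourcer) the token cannot be reversed, and the per-field prefix stops a
    token for one column from matching the same value in another column."""
    mac = hmac.new(secret, f"{field}:{value}".encode(), hashlib.sha256)
    return mac.hexdigest()[:length]

def anonymize_record(record: dict, secret: bytes) -> dict:
    """Return a copy that is safe for a ring-fenced test environment."""
    out = dict(record)
    out["customer_id"] = "cust_" + pseudonym(secret, "customer_id", record["customer_id"])
    # .invalid is reserved (RFC 2606), so a test e-mail can never reach a real inbox.
    out["email"] = f"user-{pseudonym(secret, 'email', record['email'])}@test.invalid"
    out["name"] = "Customer " + pseudonym(secret, "name", record["name"], 6)
    out["dob"] = record["dob"][:4] + "-01-01"   # generalize: keep birth year only
    out["card_last4"] = "0000"                  # no payment-card fragments in test
    return out

def anonymize_dataset(records: list, secret: bytes) -> list:
    """Anonymize every record and refuse to emit the set if a raw identifier leaked."""
    cleaned = [anonymize_record(r, secret) for r in records]
    raw_values = {r[f] for r in records for f in DIRECT_IDENTIFIERS}
    for row in cleaned:
        for field in DIRECT_IDENTIFIERS:
            if row[field] in raw_values:
                raise ValueError(f"raw identifier leaked in field {field!r}")
    return cleaned

if __name__ == "__main__":
    for row in anonymize_dataset(PRODUCTION_RECORDS, b"in-house-only-key"):
        print(row)
```

The leak check at the end is the control an in-house reviewer should own: the export is rejected outright rather than shipped with one field left in the clear.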
The issues I’ve mentioned can be complex (and I’ve only scratched the surface here), but they can be managed by having a managed information security program, which will ensure that your security stance is defined, kept intact, and maintained, whether you are outsourcing or not.
As I mentioned at the outset, cybersecurity is a large topic, and a cybersecurity practitioner has to be invested and kept current. Organizations need either an in-house resource owning an information security program or an outsourced cybersecurity resource. In the latter case, all of the above points still apply.
Do your diligence!