With the recession forcing companies to become more competitive, outsourcing is going to grow in popularity, but at what cost to your company's security?
Whether you are outsourcing development, services or maintenance, the bottom line is you are allowing others to create code and run services that your customers will perceive as coming from you - meaning that you are responsible for any functional problems or security breaches.
Outsourcing security
According to Gartner, more than 60% of companies do not do any security risk mitigation when outsourcing development. An example of a simple risk mitigation strategy would be to contractually require outsourced developers to adhere to best practices in secure coding. Allowing outside software developers into your shop and then not demanding that they produce secure code is a surrender: you have no grounds to reject malicious or insecurely written code when it arrives.
Of course it is not easy to guarantee that your programs and data will remain secure once you have allowed outside applications to run on your servers or integrated them into your web presence.
But there are practices you can adopt that will ensure, as much as possible, that you maintain control over the security of your company and customer information.
Managing outsourcing
So what should a responsible chief information security officer be doing?
1. The best time to enforce security at a service provider is before you sign the contract. Set out specific and detailed requirements in the contract for what you will and will not accept.
2. Practice due diligence for code handling and access to resources. Release to the supplier only the minimum sensitive data it needs to deliver the required services, and specify that minimum in writing.
3. Require coding standards and security requirements in every specification between you and the supplier.
4. Demand metric reports for security of the supplier's code that are repeatable and verifiable.
5. Require that all security requirements are met before the code is executed in your environment for the first time, with penalties for non-compliance.
6. Where possible, have a comprehensive code review process for every piece of code you allow onto your servers.
7. Require that code be vetted for security by the supplier using an automated source code analyser prior to being submitted to you.
8. Require a comprehensive review of possible vulnerabilities resulting from new external services operating in conjunction with your current services.
9. Require a report specifying security issues and measures taken to address them for every task and deliverable from the supplier.
10. Ensure that best practices for secure program execution are followed, e.g. encryption keys are never passed in the data stream alongside the data they protect.
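As an added illustration of item 10 (this is not code from the article, from ComputerWeekly or from Fortify), the following shows the weak design, where a client ships its key in the same message as the data, next to the hardened design, where the message carries only a key identifier and the receiver resolves the key from its own store. The key store, the identifier "orders-2009-01" and all function names are hypothetical. The example uses an HMAC authentication key rather than an encryption key because Python's standard library has no authenticated cipher; the design point is the same for either kind of key.

```python
import hashlib
import hmac
import json
import secrets

# Constructed server-side key store, keyed by identifier (hypothetical id).
# In production this would be a KMS, HSM or secrets manager; the point is
# that only the receiving endpoint ever holds the key bytes.
KEY_STORE = {
    "orders-2009-01": secrets.token_bytes(32),
}


class RejectedRequest(Exception):
    """Raised by the hardened handler when a request violates the protocol."""


def _tag(key: bytes, payload: str) -> str:
    """Authentication tag over the payload under the given key."""
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


# --- Weak design: the key rides in the data stream -------------------------

def build_request_weak(payload: str, key: bytes) -> str:
    """Client ships the key alongside the data. Every proxy, log file and
    debugging dump that sees the stream now holds the key."""
    return json.dumps({"key": key.hex(), "payload": payload, "tag": _tag(key, payload)})


def handle_request_weak(message: str) -> bool:
    """Server trusts whatever key the sender supplied. Since an attacker can
    choose the key, any payload they tag with it is accepted as authentic."""
    msg = json.loads(message)
    key = bytes.fromhex(msg["key"])
    return hmac.compare_digest(_tag(key, msg["payload"]), msg["tag"])


# --- Hardened design: the stream carries only a key identifier -------------

def build_request(payload: str, key_id: str, key: bytes) -> str:
    """Client names the key by id; the key itself never leaves the endpoints."""
    return json.dumps({"key_id": key_id, "payload": payload, "tag": _tag(key, payload)})


def handle_request(message: str) -> bool:
    """Server resolves the key from its own store and refuses any request
    that tries to supply key material in-band."""
    msg = json.loads(message)
    if "key" in msg:
        raise RejectedRequest("key material must not be sent in the data stream")
    key = KEY_STORE.get(msg.get("key_id"))
    if key is None:
        raise RejectedRequest("unknown key_id")
    return hmac.compare_digest(_tag(key, msg["payload"]), msg["tag"])


def run_demo() -> dict:
    """Exercise both designs with constructed messages and report outcomes."""
    attacker_key = b"attacker-chosen-key"
    legit_id = "orders-2009-01"
    forged = build_request_weak("ship order 42 to attacker", attacker_key)
    genuine = build_request("ship order 42", legit_id, KEY_STORE[legit_id])
    tampered = build_request("ship order 43", legit_id, b"not the real key")

    results = {
        "weak_accepts_forgery": handle_request_weak(forged),
        "hardened_accepts_genuine": handle_request(genuine),
        "hardened_rejects_bad_tag": handle_request(tampered),
    }
    try:
        handle_request(forged)
        results["hardened_rejects_inband_key"] = False
    except RejectedRequest:
        results["hardened_rejects_inband_key"] = True
    return results


if __name__ == "__main__":
    for check, outcome in run_demo().items():
        print(f"{check}: {outcome}")
```

The weak handler fails twice over: the key is exposed to everything that can read the stream, and because the receiver uses whichever key the sender names, an attacker who picks their own key produces messages that verify. Keying by identifier removes both problems, and refusing any message that carries a "key" field makes the rule enforceable in a code review or an automated scan of the supplier's deliverable.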
Through training, research, practices and software tools, you can achieve the best from outsourcing, permitting a productive and collaborative development environment as well as being able to maintain the integrity and security of your data environment.
-----------------------------
BY Rob Rachwald
Source: ComputerWeekly.com
Rob Rachwald is director of product development at Fortify Software.
© Reed Business Information Ltd.