Article
IT Analysis – How to ensure outsourced software development is secure
By Fran Howarth, Principal Analyst, Quocirca Ltd
The fact that software applications can contain flaws is nothing new. But a recent survey by Quocirca of 250 organisations, commissioned by Fortify Software, shows that not only are businesses increasingly relying on bespoke or modified software applications, which they see as critical for their business, but not enough of them are employing automated tools for testing those applications for security vulnerabilities.

Another practice that is increasingly being seen is the outsourcing of code development to third parties. This can be a less costly option than developing the code in-house, especially where a business does not have sufficient resources of its own. But when such an essential process is placed in the hands of a contractor, extra care must be taken to ensure that secure coding practices are used and that applications are thoroughly tested.

Failure to thoroughly police the software development process has far-reaching consequences. If a hacker is able to exploit a flaw in the software, they could use it to attack the application in order to steal sensitive personal or organisational information. In today's increasingly regulated world, this is something that can cost organisations dear, not just in terms of the price tag for cleaning up after the attack, but in lost business owing to the negative publicity that is likely to ensue.

When outsourcing any business process to a third party, it is essential that a good contract is written and that a watertight service-level agreement is put in place. This is something that some regulations actually mandate when outsourcing application development. For example, the FFIEC (Federal Financial Institutions Examination Council) implementation guide for GLBA (Gramm-Leach-Bliley Act) states that organisations must establish a vendor management programme that includes "establishing security requirements, acceptance criteria, test plans, and reviewing and testing source code for security vulnerabilities." This may be a US regulation, but its impact is being felt by some European organisations as well, and there are a host of other regulations demanding higher levels of security.

Technology vendor Ounce Labs has been advising organisations since 2002 on how to work with outsourcers to ensure that code is developed with security in mind and that the appropriate testing tools are used. It has worked with lawyers to develop suitable contracts for organisations to use, which it makes available on its website. According to Ounce Labs, the following are some best practices that organisations should follow when outsourcing software code development:

Define upfront what is meant by security, including the security environment in which the application is to be used and what other resources could be exposed
About Quocirca
Quocirca is a primary research and analysis company specialising in the business impact of information technology
and communications (ITC). With world-wide, native language reach, Quocirca provides in-depth insights into the
views of buyers and influencers in large, mid-sized and small organisations. Its analyst team is made up of real-world practitioners with first-hand experience of ITC delivery who continuously research and track the industry
and its real usage in the markets.
Through researching perceptions, Quocirca uncovers the real hurdles to technology adoption – the personal and
political aspects of an organisation’s environment and the pressures of the need for demonstrable business value in
any implementation. This capability to uncover and report back on the end-user perceptions in the market enables
Quocirca to advise on the realities of technology adoption, not the promises.
Quocirca research is always pragmatic, business orientated and conducted in the context of the bigger picture. ITC
has the ability to transform businesses and the processes that drive them, but often fails to do so. Quocirca’s
mission is to help organisations improve their success rate in process enablement through better levels of
understanding and the adoption of the correct technologies at the correct time.
Quocirca has a pro-active primary research programme, regularly surveying users, purchasers and resellers of ITC
products and services on emerging, evolving and maturing technologies. Over time, Quocirca has built a picture of
long term investment trends, providing invaluable information for the whole of the ITC community.
Quocirca works with global and local providers of ITC products and services to help them deliver on the promise
that ITC holds for business. Quocirca’s clients include Oracle, Microsoft, IBM, Dell, T-Mobile, Vodafone, EMC,
Symantec and Cisco, along with other large and medium sized vendors, service providers and more specialist
firms.