
As more organizations outsource software development to external companies, they also inherit the security risks that come with it: risks arising from the vendor's coding practices, infrastructure and operations.
Additional effort and measures are required to tackle these risks. One of the best ways to ensure that outsourced software is secure is to extend the software development process with explicit security guidelines and assessments, and to write those expectations into the contract.
Here are a dozen practices that organizations can follow when outsourcing software code development.
1. Define upfront what is meant by security, including the environment in which the application will be used and what other resources could be exposed by a security vulnerability, and include that definition in the contract
2. Validate the security mechanisms to be used upfront and set requirements for their use
3. Ensure that the third party uses secure coding best practices and that these practices are documented and verified
4. Demand proof of the level of training, skills and security awareness of the third party's development staff
5. Ensure that expectations are laid out in the service-level agreement, including milestones and deliverables
6. Define acceptance criteria for the security of the applications delivered
7. Provide a list of the most critical flaws that are deemed unacceptable
8. Mandate measures for verifying that delivered code is secure, including the use of automated security testing tools
9. Define the steps required in the audit process and ensure that all code is audited and signed off before payment is made
10. Ensure that the right to audit code and perform security checks is written into the contract
11. Define processes for remediation by the third party and ensure that responsibility for bearing the costs of remediation, or any legal liability, even after the application has been delivered, is written into the contract
12. Specify in the contract that security checks and monitoring will continue throughout the lifecycle of the application, and lay out the third party's responsibility for fixing flaws found at a later date.