One of the common pitfalls of outsourcing software development is not clearly defining and communicating the business’s security requirements to the supplier, a panel of security experts have warned.
“If you outsource then don’t tell the development partner what data the application will be processing, they just don’t know anything different. The contractor will develop the application as required and nothing else,” said Gunter Bitz, head of product security governance at SAP, speaking at the RSA security conference in London yesterday.
Penny Lane, chief information security specialist at Visa, whose background includes a position as senior cryptologic mathematician at the US Department of Defense (DoD), agreed.
“The biggest thing to take into account is to never assume anything,” she said. “For example, if they [the suppliers] advertise that its service is used by the DoD, or DoD-blessed, forget it. It does not mean it is secure.”
As well as defining the initial security requirements, Lane also believed that ongoing requirements are also important, throughout the software’s entire lifecycle.
“Say, for example, with software for a [fixed-term] marketing campaign – there should be specific guidelines for what is going to happen when the software reaches end of life, how it is going to go away.”
In order to manage the software lifecycle, Lane said that it would be a good idea to keep a high quality, up-to-date inventory of outsourced development, with details such as who contracts are.
“It’s very important from a security perspective,” she said.
Lane also warned about increasing security of web-based administration websites.
“Watch out for QA [quality assurance] sites on the internet. If there’s an administration website open over the internet it’s just asking to be hacked. They need to have at least IP filtering. Make sure they go away when production goes away,” she said.
Meanwhile, John Sapp, director of product development standards – security, risk and compliance, at medical software company McKesson Corporation, said that in the health sector, security issues are often related to legacy applications.
“Generally, security is not a consideration for software developers. Also, risks can be inherited from web-enabling legacy applications,” he said.
Sapp also recommending making security requirements part of the software development outsourcing agreement.
“We [McKesson] are starting to contractually require suppliers to have a foundation security standard. I would suggest that with any contract, ensure you have security as part of your acceptance criteria. If it does not meet our standards, we just won’t accept it,” he said.