

security and outsourcing

Friday, March 6th, 2009

Chris Wysopal has a good article in SecurityFocus about security reviews of outsourced software. I must admit I agree with just about everything he said (that you need to do due diligence on the code that was outsourced, just like you do for internally developed code). However, there is one factor missing from the article. The reason so much development is outsourced these days is because companies don’t want the hassle/cost/overhead associated with doing their own development. Security is included in that. If a company doesn’t want to go through the hassle of hiring its own developers and doing QC on its own code, what makes you think it’s willing to hire security experts to do QC on the code it outsources?

Although there are many solutions, including having a third-party review built into the outsourcing contract, one obvious solution that comes to mind is having third-party certifications, similar to the Common Criteria or DITSCAP.
