Can outsourcing software development and cybersecurity coexist?

Categories of Skills: 

Since industry experts continue to point out that the majority of security breaches stem from unintentional negligence of trusted insiders (employees, vendor-partners), you should take thoughtful steps to protect your information assets, and protect the productivity gains that you realize through outsourcing.

Assess your risk
Perform a risk assessment of your current systems portfolio: understand the potential exposure your company faces if a system fails or otherwise becomes corrupted.
Take the following steps when performing a risk assessment:
- Inventory what applications are, or will be, developed by the outsourcing partner.
- Define what potential risk each application poses (shipping disruption, impact to orders, etc.)
- Quantify the business and dollar impact.
Also, assess the security and infrastructure environment through which software development will flow: from design to production deployment.

Use best practices
Lean into current best practices and security standards will help you navigate around typical security flaws that are unintentionally engineered into systems (The OWASP Top 10 is an extremely useful reference.).
An example of best practice, is to avoid having admin rights that are too broad or too widely distributed.

Conduct penetration (pen) testing
Companies too often minimize the need for robust penetration testing.
It’s extremely important for you to perform effective penetration testing whether you outsource or develop software internally.
When talking about effective penetration testing, we don’t mean either white box, black box or grey box, but all of the above.
Industry standards provide a useful guide for your penetration testing plans:
- National Institute of Standards and Technology (NIST)
- Open Web Application Security Project (OWASP)
- Open Source Security Testing Methodology Manual (OSSTMM)
Since it requires a specialized knowledge and expertise to conduct a Pen Test according to these standards and guidelines, consider outsourcing your Pen Testing to a different company than the one(s) you use for outsourced software development.

Know your software outsourcing partner
Familiarize yourself with their training/certification programs, and even the attributes of their workplace, from a physical and cybersecurity perspective.
Ask what security policies are in place and how they are enforced, what protections are in place in their work environment (physical office security, software antivirus and malware protection, firewalls, etc.), does the company conform to standards such as ISO 27001?

Just because you use outsourcing as a way to deliver software, doesn’t mean you can abdicate your standards or lower them because a third party is in the mix. Outsourcing can be done successfully, just make sure you know who you are dealing with.