Hackers target outsourced app development
Who's got your code?
Many firms fail to think about security when they outsource application development.
Three in five (60 per cent) organisations overlook procedures to mandate security in software development outsourcing, according to a study by analysts Quocirca. One in five (20 per cent) fail to consider security even when building applications in-house.
Quocirca's figures come from a survey of 250 senior executives in the UK, US, and Germany. It found that outsourcing of code development is widespread, and growing in importance. More than 50 per cent of those organisations quizzed outsourced more than 40 per cent of their code development needs.
Hackers are increasingly targeting application rather than operating system vulnerabilities.
TS Ameritrade showed last year what such practises can do when it admitted that a backdoor created by an outsourced programmer was to blame for the loss of 6.3 million customers' details.
The report found that financial services companies are most likely to outsource their code development needs, with 72 per cent reporting that they outsource more than 40 per cent of this work. The majority (84 per cent) of these organisations said code development is either business critical or important.
Public sector organisations are also big outsourcers, with 55 per cent outsourcing more than 40 per cent of their code development.
By contrast, utilities rarely outsource such work - just seven per cent outsource more than eight percent of code development.
"Not enough is being done by organisations to build security into the applications on which their businesses rely," said Fran Howarth, principal analyst at Quocirca and author of the report. "Not only that, but they are entrusting large parts of their application development needs to third parties. This creates an even greater onus for organisations to thoroughly test all code generated for applications — without which they could be playing into the hands of hackers."
The survey also found that exposure to Web 2.0 technologies — among the least understood, but considered to be among the most insecure software development models — is high. It also found that data protection is the key driver behind application security for the majority of organisations polled. ®
Outsourcing can work...
You get what you pay for.
I have had excellent results working with designers who do a great job at designing UIs and websites. Of course, they have their office near me and speak my language and they do NOT have the cheapest hourly rate, but in the end the results and the time saved make them cheaper than any messing around with cheaper than dirt offshore labour.
Security is the least of your worries.
Yet another survey from the school of no-shit Sherlock.
In my humble experience you are far more at risk from losing the 33% of staff who know how your systems work. "For want of a nail" etc...
Being outsourced normally means that you have removed all the golden handcuffs that kept your best tech staff from leaving. The new employer generally has six months to get to work on sucking the brains dry of the key staff or coming up with reasons for them to stay.
IMHO 6 months is how long the outsourced will give the new employer to prove their quality as someone to work for. After that the employees (especially the best) will be dusting off their CVs and hitting the job sites. By the time Vlad from Elbonia shows up to takeover the (undocumented) legacy system for Soylent Green production, all those with knowledge of the system will have long since left the scene. The impact of that will be felt by the client.
On the client side I still don't understand how they expect to check the quality of the work delivered unless they retain a decent core of technical staff (which normally they don't). You can come up with lots of external measures that check that the "requirements" are met but you are not going to know for sure whether it is up to no good behind the scenes especially if you have outsourced your operations too.
Personally I think the best answer to the threat of outsourcing is to go contracting. Don't waste energy fighting it. The costs of outsourcing won't become properly evident for 4 to 5 years after the contract is signed. Management in most of UK is rewarded for the previous year's work.
All too true...
In close to two decades working on both sides of the outsourcing/offshoring suicide pact, the next project I see that comes in under 150% of budget OR 200% of schedule with 70% or more of requirements met with properly audited, documented code will be the first.
I believe it's possible - just not with the current set of providers or with the currently-fashionable customer priorities. Two real quotes get the point across: an outsourcing client was once heard to say "We will spare no expense to cut costs." They went out of business less than two years later. One outsourcing provider, when asked about the (truly execrable) quality of their documentation and business communication, replied, "We're paid to write Java, not English. We are having people here with excellent credentials to do our writings for us." We declined to retain them on any future projects; I wish I could say that they crashed and burned too, but P. T. Barnum might as well be technology and trade minister for Karnataka state.