Security is the most crucial element of the development cycle, especially when it comes to IT outsourcing. When you sign a contract with an outsourcer, you must ensure that the partner will protect your data and product. The task of the development company is to guarantee you a decent level of infrastructure, process, and code security. Below we discuss each area in more detail and explain how the team should act in each case.
Outsourcing development security: 3 key areas
IT Infrastructure Security
In general, IT infrastructure refers to a set of interrelated elements for organizing and managing the information environment. These components are used for corporate interaction and service delivery at the tech-company level.
The components such an infrastructure consists of:
- hardware: the physical part (servers, PCs, routers);
- software: apps for internal company purposes and services (OS, CMS, CRM, web servers, corporate mail);
- network: hardware and software elements that are responsible for the functioning and protection of the network (switches, routers, firewalls, servers).
These components must be stable and protected against possible risks. The greater the number of infrastructure components, the higher the probability of problems. So, if intruders attack part of the outsourcer company's system, it will affect the rest of the components, and the development of your product too.
The main risks to a tech company's infrastructure:
- Phishing – data obtained by deceiving a user (credentials, for example) is used to get into the system;
- Digital ransomware – encrypting data (or locking the device) and then demanding a ransom;
- DDoS (Distributed Denial of Service) – deliberately overloading the system by making multiple requests from multiple hosts;
- Physical intrusion – theft of or tampering with equipment after a break-in.
The intrusion of attackers into the outsourcer's digital space is fraught with technical failures and leaks of data related to your business and project. Do not rush to conclude a contract until you know your future partner can prevent such attacks. At the consultation stage, ask the manager to familiarize you with the current protection measures.
Questions you can (and should) ask the outsourcer:
- Are all systems and data (including client data) backed up?
- How often is the security of all components tested and scanned for vulnerabilities?
- Is the code for the product being developed checked for security compliance?
- Is sensitive data encrypted to prevent fraudulent access?
- How strictly is employee access to customer data (authentication, authorization, user roles, etc.) controlled?
These are basic rules that any company that respects itself and its customers must follow. Otherwise, the infrastructure (and, with it, your data) will be a target for attackers. But don't forget the other risks associated with internal processes.
Most cloud providers (AWS, GCloud, Microsoft Azure) offer a solution to most infrastructure hardware security problems. The rest are solved with the help of appropriate software and good professional configuration.
At Moqod, we try to make the most of the power of AWS for creating automated backups, data encryption, logging, DoS and brute-force protection, user permissions, and role management. The rest of the challenges are handled well by automatic code analyzers and software vulnerability checkers.
Processes Security
Information security largely depends on the company's personnel. Before you start working with an outsourcer, ask whether employees are familiar with the nuances of security. Remember that the cause of severe data breaches is often related to social engineering. It all starts with an "attack on the person," that is, with psychological manipulation.
Keep in mind that all members of the IT team (developers, QA, managers, and business analysts) will have access to your data in one way or another. This is a necessity for working on a project. And that leaves the risk of unauthorized access through employee devices. Your job is to find out from the outsourcer whether the company has information security requirements for employees. If so, what are they?
IS (information security) requirements the staff must follow:
- keeping the OS updated to the latest version, so that known bugs and vulnerabilities are patched;
- prohibiting the installation of unlicensed solutions, because hacked and pirated software increases the risk of malware infection;
- encrypting the data on the disk so that it is unreadable to unauthorized users;
- secure login (strong passwords, two-factor authentication) to minimize the risks of account hacking;
- use of antivirus and firewall as measures to prevent potential external threats;
- improved home network security for personnel who work remotely.
Company employees should take responsibility for data-related processes, including their corporate accounts. These can be exactly the weak point that a fraudster uses to break into the system. Such a case occurred recently with LastPass, a top password manager with an audience of over 30 million people.
Bloomberg reports that hackers broke into one developer's account. As a result, part of the source code and some technical information were stolen. The company said the incident affected the development environment, and that user information remains protected. This is possible thanks to the zero-knowledge model: only the client can decrypt their data, which is contained in the repository.
In this situation, a robust architecture built around a private master password played an important role. Although the attackers could not access the passwords, they could obtain the source code. That is the developers' mistake. What if a work laptop had been stolen? Even encrypting the disk would not guarantee that the information would remain safe. Not surprisingly, many companies create another rule for employees: no taking equipment out of the office.
In general, the security of the entire product depends on the professionalism and responsibility of the specialists dealing with the code.
To prevent possible security issues in terms of processes, we follow and comply with the security principles set out in the ISO 27001 standard. For example, Moqod's developers do not have access to the customers' production data; they work only with test data or specially prepared data sets that are anonymized and match the production version as closely as possible. The mandatory encryption of work computers and incident management are also essential. Both can prevent data leaks in the early stages when work equipment is lost or stolen.
The foundations of security are laid during the planning, development, and deployment phases. Let's say you've turned to an outsourcer to create a web app. Find out how the work on the project will be structured. Which approach (Agile, Waterfall) and which DevOps practices does the team use? Is there a person responsible for IS? What metrics are used to identify potential risks? And finally, is the code checked for security? The last question requires special attention.
Code analyzers the developer can use:
- static – searching for errors in the source code without executing the program under test;
- dynamic – analysis of the built code while the program is actually running (as a rule, web apps);
- integrated into CI – static and dynamic scanning run automatically as part of the CI pipeline;
- pentesting tools – checking for vulnerabilities by simulating attacker activity.
These are the primary technical means by which IT teams determine the likelihood that code can become a target for a hacker.
At Moqod, we follow all of the above practices for writing and preparing code for deployment. We have found that using automatic code analyzers, mandatory code reviews, and dependency checks for vulnerabilities is the most effective way to prepare the product for subsequent penetration tests and deliver safe products to our clients.
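As an added illustration of the dependency check mentioned above (example code written for this article, not Moqod's own tooling): a CI gate that matches pinned requirements against an advisory list and flags any package whose version falls inside an affected range. The advisory ids, version ranges and requirements file are constructed placeholders, not real advisories.

```python
from dataclasses import dataclass


def parse_version(text: str) -> tuple:
    """Turn '1.26.5' into (1, 26, 5) so versions compare numerically."""
    return tuple(int(part) for part in text.strip().split("."))


@dataclass(frozen=True)
class Advisory:
    ident: str        # placeholder advisory id, not a real CVE
    package: str
    introduced: str   # first affected version (inclusive)
    fixed: str        # first fixed version (exclusive)


# Constructed advisory data for this example; ids and ranges are made up.
ADVISORIES = [
    Advisory("ADV-EXAMPLE-1", "requests", "2.0.0", "2.31.0"),
    Advisory("ADV-EXAMPLE-2", "pyyaml", "5.1.0", "5.4.0"),
]


def parse_requirements(text: str) -> dict:
    """Parse pinned 'name==version' lines; comments and blanks are ignored."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, version = line.partition("==")
        if not version:
            # An unpinned dependency cannot be checked reliably: fail the gate.
            raise ValueError(f"unpinned requirement: {line}")
        pins[name.strip().lower()] = version.strip()
    return pins


def is_affected(version: str, adv: Advisory) -> bool:
    """True when version lies in [introduced, fixed)."""
    v = parse_version(version)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed)


def check_dependencies(requirements_text: str, advisories=ADVISORIES) -> list:
    """Return (package, version, advisory id) for each pin in an affected range."""
    pins = parse_requirements(requirements_text)
    findings = []
    for adv in advisories:
        version = pins.get(adv.package.lower())
        if version is not None and is_affected(version, adv):
            findings.append((adv.package, version, adv.ident))
    return findings


# Constructed requirements file for the example (one affected, one fixed, one clean).
SAMPLE_REQUIREMENTS = "requests==2.28.1\nPyYAML==6.0  # fixed\nflask==2.3.2\n"
```

A pipeline would fail the build when `check_dependencies` returns a non-empty list, and the same version-range logic is what real checkers apply against published advisory feeds.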
Application Security Testing
Often, third-party experts are involved in the testing, which ensures the objectivity of the analysis. Testing is thus an important stage, a crash test of the product. According to our observations, apps developed in a 100% secure environment successfully pass the tests.
Studying issues related to development and testing will give you an idea of how a company takes care of security at every stage of the lifecycle. A responsible professional will never release into production a product that has not passed the robustness test and has even minimal flaws in the code. After all, according to statistics, 72% of web app vulnerabilities are due to code bugs.
Your project is at risk if the developer doesn't secure the infrastructure, processes, and code. Ask the outsourcer for all the security standards the team follows. Make sure your project will be in good hands before deciding to partner.