
Offshoring - Financial Dream or Security Nightmare?

Last post 05-03-2007 1:28 PM by Steven_Salaets. 2 replies.
Page 1 of 1 (3 items)
  • 05-01-2007 8:17 AM

    • mcurphey
    • Top 10 Contributor
    • Joined on 02-13-2007
    • Europe
    • Posts 199
    • Points 2,130

    Offshoring - Financial Dream or Security Nightmare?

    This post was originally submitted by Rohyt Belani and was lost in the site upgrade. Sorry.

    Offshoring, a subset of outsourcing, convolutes security issues further.

    Some commonly ignored aspects during the offshoring of application development:

    • Which legal jurisdiction can this contract be upheld in? If you are planning on suing the development company in their country - good luck with that!
    • Are security metrics clearly defined for the final product? These metrics should not only cover unintentionally introduced security flaws but also intentionally coded backdoors.
    • What is the development company doing to protect my data/code? Don't be fooled by an ISO17799 audit report as a means of demonstrating due diligence.
    • Enforce the need for basic security measures to be incorporated in the SDLC. This is hard; you may need a trusted security liaison.
    • BE WILLING TO PAY FOR SECURITY! A lot of development companies understand the need for security but are hesitant to even include that optional line item in their proposal to address security; it goes against the basic cost advantage of offshoring.
    • Offshore developers should change their mindset and view security as a competitive advantage; now I'm getting philosophical and talking about attaining nirvana.

    -- Rohyt Belani

    • Post Points: 5
  • 05-03-2007 1:01 PM In reply to

    • mcurphey
    • Top 10 Contributor
    • Joined on 02-13-2007
    • Europe
    • Posts 199
    • Points 2,130

    Re: Offshoring - Financial Dream or Security Nightmare?

    In theory I would disagree, in practice I agree 10%. Most of the off-shore companies are like hosting was back in the '90s. Security was an afterthought at best. I do think, driven by their customers, that it's changing / changed.

    So my question is (and this is pure project bait) why not create a project and write a guide on what to look for in an outsourcing partner?

    • Post Points: 20
  • 05-03-2007 1:28 PM In reply to

    Re: Offshoring - Financial Dream or Security Nightmare?

    A few items to consider with offshore companies:

    You will need to keep control of your offshore company. You make the rules, specify the requirements and monitor it. Monitoring will take place by performing regular audits to ensure the company is compliant with your policies. This could be patch policies, anti-virus, complex passwords, how they handle and store data, they are not allowed to use wireless and so on.

    Demand network isolation: all staff at the offshore company should be on an isolated network dedicated to your work. I recently did a site audit of an offshore company for my company and noticed they had network separation in place, but they had 6 engineers in the room, 3 working for us and 3 working for another company… cables were all over the floor and it seemed to me there was a lot of chance for confusion and compromise if one engineer were to hook up to the other network. Also, they did not lock the doors when leaving the office at night, and so on. Demand a dedicated work area with proper network isolation and make sure the work area is secured at night.

    Of course there is much more to look at but figured I would throw in a thing or two.

    -steven


    • Post Points: 5
All Rights Reserved - The ISM-Community