Holding Outsourcers Accountable

In tight economies — like the current one — many organizations save money by seeking new ways to cut costs. For organizations whose business operations rely on custom software development, saving money often means outsourcing some or all of their development. But smart organizations know that while outsourcing can cut costs, if it also cuts security it will ultimately fail.

Organizations that recognize the need to maintain security while cutting costs know that outsourcing requires a different set of metrics and requirements from those used in traditional, in-house development: ones that ensure the delivered product is to spec and that the software development life cycle (SDLC) behind it is secure. In short: outsourcers must be held accountable.

Communication Leads to Accountability
There are two broad categories of risk in outsourced software development: that the delivered product isn't to spec, and that it contains security vulnerabilities.

Jack Danahy, Ounce Labs’ founder and chief technology officer, recently recorded a pair of podcasts on outsourcing security and accountability. In them, he emphasizes communication and process as the primary means to ensure that all parties in an outsourcing engagement work effectively and are satisfied with the outcome.

In the first podcast Danahy stresses the need for the contracting organization to clearly communicate their needs, requirements, and expectations. In the absence of clear definitions, assumptions may guide the project off track. He recommends the creation of a shared lexicon to ensure consistency of terminology, delivery, and reporting.

With a common way to speak about the project and a clear definition of expectations, schedules can be maintained, deliverables won’t include surprises, and outsourcers can produce better work.

Integrating Source Code Analysis
Danahy addresses the second category of risk – security vulnerabilities – in both podcasts, including one with eBizQ’s Peter Schoof, and recommends the use of tools such as the source code analysis suite offered by Ounce Labs to ensure the security of outsourced code.

While clear communication can convey application security requirements to the outsourcer, source code analysis can verify that the code the outsourcer produces actually meets the contracting company's security standards. Since Ounce integrates with all major IDEs, the analysis results and required changes can be sent directly to developer desktops for remediation.

Ounce Labs helps both contracting companies and outsourcers develop processes that integrate source code analysis to deliver high quality, secure software. Along with delivering better code, these processes ensure satisfaction with the process and product and make operations on all sides of the relationship more efficient.

Contact Ounce Labs today to learn more about how to create greater quality, efficiency, and security by holding outsourcers accountable.