You Can’t Outsource Accountability
Needless to say, Indian service providers pioneered and developed the outsourced software development space; currently, they generate a combined $3.2 billion of revenue annually. Although Indian software service providers claim high standards, it is apparent that there are still weaknesses in their delivery. I just published a report that highlights the main culprits for this: a lack of executive commitment, poor application coding, and the industrialization of software development:
- Poor application coding persists despite lessons learned. The security vulnerabilities are hardly obscure: More than two-thirds of applications have cross-site scripting vulnerabilities, nearly half fail to validate input strings thoroughly, and nearly one-third can fall foul of SQL injection. Security professionals and software engineers have known about these types of flaws for years, but they continue to show up repeatedly in new software code.
- A lack of executive commitment within outsourcing firms leads to poor security. Although most of the service firms’ executive leadership teams mean well, few appear to grasp the true potential for security breaches at their customers, the implications of those breaches, and the part that the outsourced partner must play in preventing them.
- The industrialization of software development expands the attack surface. Development on an industrial scale can put clients at significant risk. In some cases, offshore development centers serve multiple clients but lack effective network segmentation.
To make matters worse, vaguely worded security requirements in outsourcing contracts and cultural differences introduce additional risks to the outsourcing process.
The traditional outsourcing model, which is architected primarily to reduce cost, is too narrow to accommodate expanding security, risk management, and compliance requirements. Recognizing that control requirements are weak in the current process, organizations should start re-engineering their outsourcing model to limit risk when sending work offshore. Based on our analysis, Forrester concludes that firms should:
- Ensure that security is the core design principle.
- Specify minimum levels of acceptability before signing any contract.
- Once the signature is in place, govern, scrutinize, and monitor to maintain quality.
Forrester recommends that security and risk leaders — those who have outsourced or are planning to do so — provide clear, comprehensive, and specific security requirements and back them up with a sound governance and quality plan. To read the full analysis, download my research report, titled “Improving Security With Your Indian Software Service Provider.”