Monday, March 17, 2008
Do outsourcing firms write secure code?
I was thinking about a comment made by Chenxi Wang of Forrester at our last OWASP meeting where she responded to the question of which Indian outsourcing firms provide secure code to their customers without them having to ask for it...
In the world of outsourcing, customers have way too much they need to specify. At some level, most IT executives haven't thought about why security is so expensive and still tend to think that security is something bolted on towards the end of the project. While we all know that doing things earlier in the lifecycle is much cheaper than later, our behavior towards security is still suboptimal and pretty much all of the outsourcing firms aren't doing much to help in this regard.
Should customers really have to specify that their code not be subject to the OWASP Top Ten or that it go through some form of static analysis for secure code reviews? When will customers or more importantly outsourcing firms start to think about secure coding as something one must do and not something customers need to specify?
Do customers have the need to specify that source code actually compile? Of course there are lots of horror stories where folks have received code from offshore that didn't but thats not the point. Maybe the challenge of writing secure code is that folks in India aren't necessarily trained to write secure code.
One intriguing observation is that there are a couple of individuals who work for Cognizant who are pretty bright and are OWASP chapter leaders in Chennai, Bangalore and Delhi who put on high quality user group meetings on a consistent basis, yet few folks in India attend.
The statistics that I heard from the last meeting in Chennai was that there are 60,000 IT professionals within one block of the meeting, yet less than 60 actually attended. If folks in India want outsourcing to thrive, then they step up their community participation...
| | View blog reactionsIn the world of outsourcing, customers have way too much they need to specify. At some level, most IT executives haven't thought about why security is so expensive and still tend to think that security is something bolted on towards the end of the project. While we all know that doing things earlier in the lifecycle is much cheaper than later, our behavior towards security is still suboptimal and pretty much all of the outsourcing firms aren't doing much to help in this regard.
Should customers really have to specify that their code not be subject to the OWASP Top Ten or that it go through some form of static analysis for secure code reviews? When will customers or more importantly outsourcing firms start to think about secure coding as something one must do and not something customers need to specify?
Do customers have the need to specify that source code actually compile? Of course there are lots of horror stories where folks have received code from offshore that didn't but thats not the point. Maybe the challenge of writing secure code is that folks in India aren't necessarily trained to write secure code.
One intriguing observation is that there are a couple of individuals who work for Cognizant who are pretty bright and are OWASP chapter leaders in Chennai, Bangalore and Delhi who put on high quality user group meetings on a consistent basis, yet few folks in India attend.
The statistics that I heard from the last meeting in Chennai was that there are 60,000 IT professionals within one block of the meeting, yet less than 60 actually attended. If folks in India want outsourcing to thrive, then they step up their community participation...