What protections can you place within an organization on code that is developed externally?

The following precautions can be placed within an organization on code that is developed externally:

  • Sign a non-disclosure agreement (NDA) together with contract terms that establish ownership of the deliverables and protect intellectual property (trademarks and patents), with clauses covering non-duplication, resale, re-branding, and risk acceptance. The contract must explicitly cover the approach to security and code quality, including penetration testing requirements, the handling of security incidents, code testing, and an overlapping code review process so that there are checks and balances on the work
  • Have a representative involved in every step of the SDLC as a critical stakeholder to ensure that the necessary security controls are in place
  • Be completely involved in the requirements gathering phases, and have every minute detail and security control documented
  • Conduct a thorough code review of the delivered packages, including any bundled third-party dependencies, to ensure that there are no backdoors (for example, hard-coded maintenance credentials or undocumented access paths)
  • Test compliance on the contractor's servers without granting the contractor credentials or access to the production environment
  • Review reports of every phase of the SDLC – especially the vulnerability maps, threat maps, and the penetration tests
  • Document at module level the functionality and the design of each class and function – this is crucial for troubleshooting, maintenance, patching, and upgrades
  • Change all hard-coded encryption keys, default passwords, and licensing hashes before deployment. Any key or password the contractor has seen must be treated as compromised, so these values should be rotated and moved out of the source into configuration or a secret store rather than simply replaced in place
  • If the design permits, break up the critical components and outsource the development to more than one company, so that no single contracted company has complete control of the entire project. This will, however, require a dedicated in-house team to stitch the pieces together and integrate them seamlessly without leaving security loopholes
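As an added example (not from the original page) of the acceptance checks behind the code-review and hard-coded-key items above, the following Python script scans a delivered source tree for credential names bound to string literals, credential variables compared against literals (the usual "vendor support" backdoor shape), embedded private keys, and high-entropy literals that look like keys or licence hashes. The sample delivery it writes to a temporary directory is constructed for the demonstration; the name patterns, file extensions and entropy threshold are assumptions to be tuned to the actual code drop.

```python
"""Acceptance scan of an externally developed code drop for hard-coded secrets.

Added example, not part of the original page. It illustrates two of the
controls listed above: reviewing delivered packages for backdoors, and
finding the hard-coded keys, passwords and licence hashes that must be
changed before deployment. The sample files are constructed for the demo;
the name patterns, extensions and entropy threshold are assumptions.
"""
import math
import re
import tempfile
from collections import Counter
from dataclasses import dataclass
from pathlib import Path

# Credential-like names bound directly to a string literal (assumed name list).
CRED_ASSIGN = re.compile(
    r"(?i)(?:password|passwd|pwd|secret|api[_-]?key|token|license[_-]?hash|"
    r"encryption[_-]?key|private[_-]?key)\s*[:=]\s*['\"]([^'\"]{4,})['\"]"
)
# Credential-like variable compared against a literal: the classic
# vendor-support backdoor (if user == "maint" and pwd == "...").
CRED_COMPARE = re.compile(
    r"(?i)(?:user(?:name)?|login|password|passwd|pwd|token)\s*==\s*['\"]([^'\"]+)['\"]"
)
PEM_HEADER = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
# Quoted runs of 20+ base64/hex-style characters are candidate keys or hashes.
LONG_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/=_\-]{20,})['\"]")

SCAN_SUFFIXES = {".py", ".js", ".ts", ".java", ".go", ".cfg", ".ini", ".env",
                 ".yaml", ".yml", ".json", ".properties", ".pem", ".key"}
# Random keys sit near 4 bits/char or above; prose and identifiers sit well below.
ENTROPY_THRESHOLD = 3.5


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or uniform string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str
    snippet: str


def scan_text(path: str, text: str) -> list[Finding]:
    """Scan one file's contents; at most one finding per line, strongest first."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if PEM_HEADER.search(line):
            findings.append(Finding(path, lineno, "private-key", line.strip()))
        elif CRED_ASSIGN.search(line):
            findings.append(Finding(path, lineno, "credential-literal", line.strip()))
        elif CRED_COMPARE.search(line):
            findings.append(Finding(path, lineno, "credential-comparison", line.strip()))
        else:
            for lit in LONG_LITERAL.findall(line):
                if shannon_entropy(lit) >= ENTROPY_THRESHOLD:
                    findings.append(Finding(path, lineno, "high-entropy-literal", lit))
                    break
    return findings


def scan_tree(root: str) -> list[Finding]:
    """Walk the delivered tree and scan every file with a relevant extension."""
    findings = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.suffix in SCAN_SUFFIXES:
            text = p.read_text(encoding="utf-8", errors="replace")
            findings.extend(scan_text(p.relative_to(root).as_posix(), text))
    return findings


# Constructed sample delivery: one clean file and four kinds of problem.
SAMPLE_FILES = {
    "app/auth.py": (
        "def login(user, pwd):\n"
        "    if user == \"maint\" and pwd == \"letmein\":  # vendor support access\n"
        "        return True\n"
        "    return check_db(user, pwd)\n"
    ),
    "app/config.py": "DB_HOST = \"db.internal\"\nDB_PASSWORD = \"Contractor2019!\"\nDEBUG = False\n",
    "app/crypto.py": "AES_KEY = \"3f9a1c7e5b2d4680a1b2c3d4e5f60718\"\n",
    "app/strings.py": "GREETING = \"Welcome to the customer portal application\"\n",
    "keys/server.pem": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----\n",
}


def run_demo() -> list[Finding]:
    """Write the sample delivery to a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        for rel, content in SAMPLE_FILES.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(content, encoding="utf-8")
        return scan_tree(root)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f.path}:{f.line} [{f.kind}] {f.snippet}")
```

A clean run is not proof of absence: pattern matching only catches the obvious cases and is a first pass to focus the manual review, not a replacement for it. Every key or password the scan does surface has already been seen by the contractor and must be rotated, not merely deleted from the source.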