Discussion on outsourcing safety development management and control

A while ago, there was an article called 《 The worst outsourcing in history ！ cost 2 Billion time consuming 2 year , The website has not been delivered yet 》 The hot text of IT Circle the screen , The outsourcing project of Accenture, the world's top consulting company, to develop new websites and mobile applications for Hertz, an American car rental company, has fallen into disrepute , The latter had no choice but to appeal to the court , So that this amazing melon is exposed to the world , We noticed that , The project code has a serious security vulnerability with a wide range of impact , It also makes it difficult to put into use .

When it comes to security issues in outsourced development projects , I believe that students who have looked for outsourcing developers to develop projects can not be more familiar , There are many security vulnerabilities in outsourced development projects , And they often visit beyond their authority 、SQL Inject 、 Upload files 、 Code injection and other high-risk vulnerabilities , So today this article talks about the significance of outsourcing development 、 Security risks and solutions in outsourcing development .

The significance of outsourcing development

Outsourcing development is IT A subcategory of service outsourcing , The essence is still based on the enterprise and IT The principal-agent relationship between outsourcing service providers , After the former puts forward the development requirements and system design , The latter provides services for application or system development .

First , With the emphasis of enterprises on core competitiveness , More and more enterprises will IT Service outsourcing as a new long-term strategic cost management tool , Used to eliminate interfering branches that do not belong to the core business . Enterprises need to relocate , Cut off the shorter part of the value chain , Narrow the scope of business . On this basis , Various resources of the enterprise need to be reconfigured , Focus resources on the areas that best reflect the advantages of the enterprise , So as to better build competitive advantage , So as to obtain the ability of sustainable development , This is of great significance to the long-term development of the enterprise's core resources , Can be realized “ cost control ” and “ Management benefits ” Effective consideration of .

secondly , For some non core systems or applications , The cost of self-development is too high , Or for some products that need cutting-edge technology , The enterprise itself does not have mature development capability , Therefore, outsourcing development is the best choice to balance the cost and benefit .

also , The mobile Internet is booming 、 Under the tide of Internet entrepreneurship of the whole people , For those entrepreneurs who do not have the ability to develop themselves , If from 0 Building development capabilities requires too much investment , On the one hand, business urgency does not allow , On the other hand, even if it is invested, it is not necessarily better than professional outsourcing , So they chose to outsource the development .

Outsourcing development security risks

come from Foreign reports Show ,56% Of all corporate data breaches originate from third-party vendors ,42% Of enterprises have suffered data leakage due to attacks on third-party suppliers . Not long ago ,FaceBook It has also become the target of public criticism again because of third-party data leakage . therefore , To protect enterprise data security , Enterprises should not only resist the internal and external security threats they face , Third party risk management is also required （TPCRM）. What I'm talking about here TPCRM, Corresponding to the outsourcing development security risk management we discussed today .

Classification of outsourcing development modes

Briefly , Deploy the scenario according to the code 、 Collaboration mode , The current outsourcing development model can be divided into three categories , They are stationary 、 Remote and fully independent , There are great differences in the security risks they face in the development process or the coverage of Party A's security capabilities .

Stationary type

The outsourcing company arranges its employees to provide services at Party A's office through labor dispatch or temporary office , Enter Party A's product or development team , Under this mode, Party A has the highest degree of risk control , Because Party A's office must be followed at this time 、 Development 、 test 、 Release process specification , Whole CI/CD The process and environment of are controlled by Party A , At the same time, it is also within the coverage of Party A's safety capability , Relatively speaking , In this case, the safety risk is minimal .

Remote

Employees of outsourcing companies complete code development in their office environment 、 test , Then share the code through the public code warehouse or other online file system or storage system , Party A shall complete the code deployment and system operation and maintenance or merge it into its main code branch , Then Party A shall complete code deployment and system operation and maintenance , In this mode , Party A has a relatively high degree of risk control , Whole CI/CD The process and environment of are controlled by Party A , At the same time, it is also within the coverage of Party A's safety capability , But no matter how the contract stipulates the ownership of the code , The code will be contacted by outsourcing companies , And the code sharing path often needs to be opened to the Internet , This also leaves a hole for code leakage . Relatively speaking , If the outsourcing company has a mature security control process 、 Code sharing path for effective authentication and access control , In this case, the safety risk is small .

Completely independent

Outsourcing companies independently complete code development 、 test 、 Release , Whole CI/CD The process is under its control , Although the online operating environment is not necessarily controlled by the outsourcing company , Party A may only cooperate with the domain name pointing or brand resource use application , However, it can be seen that Party A's control over this risk is very weak , The security risk under this cooperation mode is often extremely high , Because Party A's security capability can hardly cover , Its mature release process must also be controlled to .

For the above three outsourcing development modes , Combined with the security risks of the industry or news disclosure , It can be divided into the following categories ：

List of risks

· Leakage of sensitive information ： The most common is that debug mode is not turned off 、 The source code zip package is placed in web root directory 、 Version control file .git/.svn Wait for the files to be placed in the root directory , Or the outsourcing developer uploads the source code to the third-party warehouse, or the personal computer is poisoned or invaded, resulting in Party A's source code 、 The data reveal that .

· High risk vulnerability high possibility ： Outsourced development usually uses open source development frameworks , Such frameworks are prone to vulnerabilities , It is easy to be used in batches , And there are often high-risk vulnerabilities , Common examples include downloading arbitrary files from the server 、SQL Inject 、 Client component exposure and sensitive information disclosure vulnerabilities , You can pull the database information or invade the server . in addition , Developer code architecture 、 General quality , More vulnerable to vulnerabilities , Or there is omission in the restriction of user controllable input .

· Sensitive information theft ： In the past, bank outsourcing developers have illegally collected user information or Party A's business data .

· Bury in the back door ： Outsourcing developers deliberately leave logical backdoors, etc

· The universality of vulnerability distribution ： Due to the code reuse of the outsourcing team , Once a vulnerability occurs in an outsourced system , It is very likely that the same or similar vulnerabilities can be found in other systems developed by it , in addition , Once the outsourcing developer is hacked , Its customer source code 、 Data can also be leaked .

Cause analysis

· The outsourcing company has a low level of safety management 、 Insufficient safety operation and maintenance capacity , For the completely independent outsourcing development mode, it is very easy to have security vulnerabilities

· Employees of outsourcing companies lack safety skills and safety awareness , The outsourcing company may not pay much attention to the employee's own capacity-building , It also deprives its employees of the opportunity to improve their safety awareness and skills

· Template development mode , In other words, copy and paste development , The degree of customized componentization is often not high , Code security quality is not guaranteed

Outsourcing development security risk management

Let's start with the organizational structure 、 Process control and technology empowerment are three aspects of outsourcing development security risk management , Most of them are already in large and medium-sized enterprises in China IT The enterprise has more or less landed .

Organizational level

· Determine the objectives of outsourcing management , Define the general principles of outsourcing , Establish an IT outsourcing security prevention and control framework at the enterprise level , Improve the outsourcing management organization system and system , This is more suitable for large-scale finance 、 signal communication 、 manufacture 、 Enterprises in Internet and other industries , There are many outsourcing projects 、 There are also many outsourcing developers , Attention should be paid to the organizational structure of the company . Like planning 、 Build an independent outsourcing management team , Let the development of top-down outsourcing project management process gain the organizational foundation .

Process level

· Contractual constraints Whether there are safety requirements in the contract with outsourcing developers ？ Do these outsourcing developers need standards to follow the secure development lifecycle ？ Have they been trained in the system development lifecycle and how to code safely ？ Whether the outsourcing developer is responsible for the loopholes in the code and the disclosure of sensitive information ？ Whether emergency response is required once the vulnerability is found to be exploited ？ If these requirements are not specified in the contract , that , These clauses should be added to future contracts , also , Existing contracts should be amended to cover these terms .

· Manage by outsourcing type , For different types of outsourcing , Establish and include safety qualification 、 The whole life cycle management mechanism including safety management and safety operation and maintenance capability evaluation , And outsourcing security management effect measurement mechanism . The main considerations are as follows ：

o Information security management qualification evaluation [BSI Safety certification audit 、ISO27001 authentication ]

o security management （ Completeness of system process 、 Information security control 、 Safety awareness education 、 Risk control ability ）

o Safety operation and maintenance （ Security coding specification 、 Safety emergency response process 、 Access control ）

o confirm 、 Review partner's network security policy 、 technology , And relevant practices and cases

Establishment of daily activity specifications ： Service change control ; Service personnel management ; Security event handling ; Business continuity management .

Information security control content

Minimum standards

Inspection method

--

1． There are confidentiality measures for source code and other sensitive information , Including information access authorization approval 、 preservation 、 Destruction and other management processes .

The company provides relevant systems and implementation records with seals

--

2. There has been no information leakage in the past three years .

The company shall provide the seal 、 Public information retrieval

--

3. Sign confidentiality agreements with employees , And the confidentiality responsibility will not be relieved due to the employee's resignation .

Company agreement template and execution record

· Follow the unified bidding process , By being more transparent 、 The unified access process enables developers who pay more attention to safety and quality to obtain fair opportunities .

· Confirm the data that the third party can access / System ; Confirm the information shared by the enterprise and the third party 、 Assets situation ;

The project is outsourcing the coding and testing of non important information systems , All production data can only be used to develop test environment after desensitization , Outsourcers have no access to sensitive information . avoid IT Service personnel have access to the core system information of the organization , To reduce the IT Service outsourcing is beneficial to IT Security risks caused by sensitive parts of the system .

Technical level

· Set up a continuous partner network security monitoring baseline

Continuous supervision throughout the cooperation life cycle 、 Continuous verification , For example, strengthen the monitoring and analysis of business exceptions

· Strengthen the security awareness and skill training of outsourcing developers

For example, outsourcing personnel must participate in safety training and examination , Development can only be carried out after reaching the standard , Take the code vulnerability rate as an element of project completion evaluation , The security coding specification can refer to OWASP Security coding guide

· Improve and refine safety test methods 、 The test case , Carry out strict safety test before putting into production , Conduct periodic test after going online , More specific measures are ：

o Pre launch safety self inspection ： self-examination checklist

o Pre launch vulnerability scanning and security audit ： Here we need to distinguish the environment , If the code tests 、 The operation environment is in Party A , It can be accessed to Party A's vulnerability scanning system for automatic scanning , otherwise , If the developer has the conditions, he can scan the vulnerability by himself , Party A's security capability can also be covered by authorization , At the same time, the test environment is provided 、 Source code , Provide software design documents and use guides , Conduct code audit for Party A's security team , Audit whether there are security holes or backdoors 、 Hidden channels and other malicious code . Of course , Safety audit needs to consider labor cost , If Party A can provide automatic audit means , You can override each change release , Otherwise, the control force is to update the large version

o Perform security audit on outsourced code , Especially login 、 Transfer and other important business scenarios need to be audited

· Code release and system launch process control

It is classified according to whether the server environment is controllable by Party A , If controllable, the business change shall be operated by Party A , Include ： Test environment test 、 Published online , Otherwise, there must be an examination and approval mechanism , Outsourced or jointly developed Web It is suggested to deploy the application within the coverage of Party A's security capability , If it fails to be overwritten by default, you can apply for coverage through authorization

· Access control （ System management 、 The data access 、 Environmental change ）

Do not open system management permission ; Do not open change permission , If change permission must be opened , In case of actual change, the acceptance and record shall be made with reference to the change acceptance standard issued by Party A

· Audit mechanism

Access logs to the application system or host 、 Keep operation records , Through automation or periodicity review To conduct the audit

Reference material

On the information security risks in the outsourcing development of mobile financial services

Financial enterprises outsource security management

hotel industry IT Security risks of system outsourcing （ From the perspective of Huazhu data leakage ）

How to do a good job of outsourcing project acceptance