Assessing the Outsourcers: Off-Shore Development George G. McBride, CISSP RSA Conference 2004 San Francisco, CA
Transcript
Page 1: Assessing the Outsourcers: Off-Shore Development

George G. McBride, CISSP

RSA Conference 2004 San Francisco, CA

Page 2

What is off-shore development?

The architecture, design, development, testing, or lifecycle maintenance of software and hardware products somewhere outside of your home country.

— Typically includes countries such as:

• India

• Philippines

• China

• Ireland

This presentation will not concentrate on the help-desk or support type functions, but many thoughts and concerns also apply to these efforts.

Page 3

What’s the big deal?

A couple of questions:

— Are you setting up your own Offshore Development Center (ODC) or are you using an outside firm?

— Do your business partners, consultancy firms, and other suppliers have a requirement to inform you of where the work is being done?

• Do you have a requirement to tell your customers?

• Are there legal requirements?

— What is the difference between sending your work down the street or across the world?

Page 4

The big deal is:

A significant amount of your product or Intellectual Property (IP) is now managed and controlled by a 3rd party.

— Many companies feel they’ve “lost control”

— Many have some implicit belief that because the firms are CMM Level 5, the ODC must have an equivalent level of security

— Many assume everything is fine if they haven’t heard otherwise

— Many believe any problems or issues are the responsibility of the ODC, usually because it hasn’t been thrown “over the fence” yet.

— Geo-political issues begin to creep in and can affect productivity through time differences, travel restrictions, etc.

Page 5

Contractual Issues

Ensure that the security organization coordinates all off-shoring activities with business units, purchasing, supply chain, etc.

— Review RFIs, RFPs, etc. and be part of the evaluation process

— Ensure compliance with your organization’s security policy

• Must balance business needs (saving money) with security

— Include the right to audit / assess clause in detail including:

• Frequency

• On-site visits

• Interviews

• Network scans

• Physical security reviews

Page 6

Contractual Issues

Can previously conducted audits and assessments by the ODC be reviewed?

— Their own internal security staff efforts

— Contracted assessments and audits

— Other clients’ results

— SAS70 reviews

— ISO17799 reviews

Have employees signed Intellectual Property agreements?

What about Non-Disclosure Agreements (NDAs)?

Page 7

Connectivity Options – Limited

No direct network connectivity

Primarily used for “over the wall” and one-off development efforts, not partnerships

How are source code and design documents transferred?

Can e-mail and data transfer encryption be forced?

ODC can have connection to the Internet or could be completely isolated.

[Diagram: Corporate Network and ODC Network, each behind its own firewall, with only the Internet between them]

Page 8

Connectivity Options – Leased Line

Some type of private line

Routing should be configured to force data and e-mail transfer to use the leased line

Need to restrict access to only the required systems

Both companies should have a firewall only allowing the required traffic

ODC Internet connection optional as Corporate network could be used for Internet access

[Diagram: Corporate Network and ODC Network joined by a leased line, each network with a firewall on the leased line and a firewall on its Internet connection]

Page 9

Connectivity Options – ODC & ODC Corp

ODC or ODC Corp Network may have Internet connectivity

Question what traffic is allowed between ODC and ODC Corp Networks

Leased line and Internet connection may be to ODC Network or ODC Corporate Network

Again, the existence of a private leased line doesn’t guarantee its use

[Diagram: Corporate Network, ODC Network, and ODC Corporate Network; the leased line and the Internet connections each terminate behind firewalls, and the ODC Corporate Network sits behind a firewall of its own]

Page 10

Connectivity Options – Source in DMZ

[Diagram: Source Code Servers in a DMZ off the corporate firewall, reached from the ODC Network across the Internet through the ODC firewall]

Can provide the best solution in terms of data and connectivity isolation

May require more effort in terms of network engineering

Implement IP address restrictions to allow connections from authorized entities only

You must have one-time passwords in use here.

VPN offers additional security
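Two of the controls on the leased-line and DMZ slides, a firewall that allows only the required traffic and IP address restrictions on the source code servers, can be checked against a proposed ruleset before it is deployed. The Python below is an added example, not part of the original talk; the addresses, rule format and port list are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed policy (hypothetical addresses, not from the slides): only the
# ODC's leased-line range may reach the source code servers in the DMZ, and
# only on the services the development work actually needs.
AUTHORIZED_SOURCES = [ipaddress.ip_network("203.0.113.0/28")]  # ODC leased-line range
SOURCE_CODE_DMZ = ipaddress.ip_network("192.0.2.0/29")        # source code servers in DMZ
ALLOWED_PORTS = {22, 443}                                      # SSH-based repo access, HTTPS

@dataclass
class Rule:
    name: str
    src: str      # CIDR; "0.0.0.0/0" means any source
    dst: str      # CIDR; "0.0.0.0/0" means any destination
    port: int     # 0 means any port
    action: str   # "allow" or "deny"

def _within(cidr: str, networks) -> bool:
    """True if the whole CIDR falls inside one of the given networks."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.subnet_of(n) for n in networks)

def audit_rules(rules):
    """Return (rule name, finding) pairs for every allow rule that is
    broader than the ODC-to-DMZ policy. Deny rules are never a finding."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        if not _within(r.src, AUTHORIZED_SOURCES):
            findings.append((r.name, f"source {r.src} is not an authorized ODC range"))
        if not _within(r.dst, [SOURCE_CODE_DMZ]):
            findings.append((r.name, f"destination {r.dst} is outside the source code DMZ"))
        if r.port == 0 or r.port not in ALLOWED_PORTS:
            findings.append((r.name, f"port {r.port or 'any'} is not a required service"))
    return findings

# Constructed ruleset: two compliant rules, a Telnet rule into the corporate
# network (the pivot case from the connectivity concerns slide), an any-source
# rule to the DMZ, and the default deny.
SAMPLE_RULES = [
    Rule("odc-ssh-to-dmz",    "203.0.113.0/28", "192.0.2.0/29", 22,  "allow"),
    Rule("odc-https-to-dmz",  "203.0.113.0/28", "192.0.2.0/29", 443, "allow"),
    Rule("odc-telnet-to-corp","203.0.113.0/28", "10.0.0.0/8",   23,  "allow"),
    Rule("any-to-dmz",        "0.0.0.0/0",      "192.0.2.0/29", 22,  "allow"),
    Rule("default-deny",      "0.0.0.0/0",      "0.0.0.0/0",    0,   "deny"),
]

if __name__ == "__main__":
    for name, finding in audit_rules(SAMPLE_RULES):
        print(f"{name}: {finding}")
```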

Page 11

Connectivity – Remote Access?

Watch senior ODC personnel, who may have contractor status at your company and may have unrestricted access into your corporate network.

Do you want personnel working from home? Most companies prohibit it, helping to prevent intellectual property leakage.

— Does the company allow it? If so, how is logical network separation managed to ensure your IP is protected? What restrictions are there?

— Do you require token / one time passwords to access source code?

In DMZ solutions, have you prevented a rogue employee from downloading the source code from their home using the same password used at work?

Page 12

Connectivity Concerns

Are you providing inbound access to services on your network?

— Are the ODC systems connecting to your network secure?

— Are your systems secure?

• Anti-virus updates

• Patches and service packs

— Are you protected against:

• Worms and other mal-ware

• A malicious user using Telnet or SSH to a system on your network and then using that as a launching point to gain complete access to the rest of your network.

Page 13

Personnel Security

Are background checks performed on employees?

— Are they performed on yours?

Each client’s personnel are generally physically separated while writing code.

— Lunch? Personal relationships?

What about personnel on the beach/bench?

— Is there a mandatory period of time between client transfers?

— What do personnel assigned to your account do between projects?

Page 14

Physical Security

Some ODCs have electrified fences, armed guards, motion sensors, and video surveillance around the perimeter.

— Other ODCs are in a shared facility with a door that locks when they remember to close it at night.

What level of physical protection do you provide to your intellectual property?

— You’ll probably learn some things from the better ODC firms

Most ODCs will provide whatever level of physical protection that you specify.

— That generally comes at a price.

Page 15

Physical Security

What access controls are in place to protect your IP?

What logging and recording mechanisms are in place?

Who has access to the ODC? Do they have a list?

— Staff in training

— ODC security, cleaning, IT support, maintenance personnel

Can the ODC badges be customized for each of their customers?

Are bags checked upon exit? Would guards know what a USB drive looks like?

Page 16

Application Security

Where is the IP (source code / design documents) stored?

— Do you have real-time access to the source code?

What about source code reviews?

— What have you contracted for to be performed by the ODC?

— Logic and source code errors

— Mal-ware

— Transmission / version control issues

• Increases with multiple site concurrent development

Page 17

On-Site Reviews

What are the contractual obligations of the ODC vendor?

To what depth will you review?

Do you really want to do a “surprise” visit?

Be prepared to be asked to sign an NDA from the ODC.

— They’ve got secrets to keep also.

Watch bringing electronics into some of the “Customs” and Economic zones. Some things must be declared prior to entry.

— Cameras

— Laptops, PDAs, etc.

Page 18

The On-Site Review

Physical Security:

— Perimeter and Building Security

— Security specific to your ODC

— Access controls and recording including access lists

— Proprietary/Sensitive information destruction

— Lab, storage, cubicles, offices review

— Awareness posters

— Password protected screen savers

— Laptops physically protected

— Visitor policy

Page 19

On-Site Review

Personnel:

— Short discussion of coding procedures and adherence to your corporate coding policies

— Employment documentation is organized, complete, and accurately maintained

— NDAs and IP agreements signed and stored

— What security training have they attended?

— Ensure their understanding of what to do for security incidents

— Spot check of employee records to verify that they’ve been supporting only your company

Page 20

On-Site Review

Network Security

— Agree on which machines will be scanned to avoid scanning their corporate or other customers’ machines

— Perform a typical network vulnerability scan of machines in the ODC

— Interview of system administrators, users, programmers

— Since they are responsible for maintenance and security of the machines, I’d recommend providing detailed vulnerability and corrective actions to them

— Sit down with the administrators to walk them through the vulnerabilities and corrective actions

— Position your efforts as “educational” and “partnering”

Page 21

On-Site Review

Make sure you read the contractual agreements between you and your ODC firms to understand what is expected of them and of you.

Have a basic understanding of the products and technologies that the ODC firm is working on.

Assume that the various firms have a pretty solid understanding of which other firms may be developing products for you.

— Proposals they didn’t win.

— Social circles

Partnerships, not hostility, promote a more secure environment.

Page 22

Questions?

Contact me at [email protected] with any questions that you may have or any thoughts or comments on this talk.

Lucent Technologies, Bell Labs Innovations

George McBride, Senior Manager, IT Risk Management
Lucent Technologies Inc.
Room 2N-611G
101 Crawfords Corner Road
Holmdel, NJ 07733
Phone: +1.732.949.3408
E-mail: [email protected]
