
Assessing the Outsourcers: Off-Shore Development

Assessing the Outsourcers: Off-Shore Development. George G. McBride, CISSP. RSA Conference 2004, San Francisco, CA. What is off-shore development? The architecture, design, development, testing, or lifecycle maintenance of software and hardware products somewhere outside of your home country.


Presentation Transcript


  1. Assessing the Outsourcers: Off-Shore Development
  George G. McBride, CISSP
  RSA Conference 2004, San Francisco, CA

  2. What is off-shore development?
  • The architecture, design, development, testing, or lifecycle maintenance of software and hardware products somewhere outside of your home country.
  • Typically includes countries such as:
    • India
    • Philippines
    • China
    • Ireland
  • This presentation will not concentrate on help-desk or support-type functions, but many of the thoughts and concerns also apply to those efforts.

  3. What’s the big deal?
  • A couple of questions:
    • Are you setting up your own Offshore Development Center (ODC) or are you using an outside firm?
    • Do your business partners, consultancy firms, and other suppliers have a requirement to inform you of where the work is being done?
    • Do you have a requirement to tell your customers?
    • Are there legal requirements?
    • What is the difference between sending your work down the street and sending it across the world?

  4. The big deal is:
  • A significant amount of your product or Intellectual Property (IP) is now managed and controlled by a third party.
  • Many companies feel they’ve “lost control.”
  • Many have an implicit belief that because the firm is CMM Level 5, the ODC must have an equivalent level of security. CMM rates software process maturity, not security.
  • Many assume everything is fine if they haven’t heard otherwise.
  • Many believe any problems or issues are the responsibility of the ODC, usually because it hasn’t been thrown “over the fence” yet.
  • Geo-political issues begin to creep in and can affect productivity through time differences, travel restrictions, etc.

  5. Contractual Issues
  • Ensure that the security organization coordinates all off-shoring activities with business units, purchasing, supply chain, etc.
  • Review RFIs, RFPs, etc., and be part of the evaluation process.
  • Ensure compliance with your organization’s security policy.
  • Business needs (saving money) must be balanced with security.
  • Include a right-to-audit / assess clause, spelled out in detail, including:
    • Frequency
    • On-site visits
    • Interviews
    • Network scans
    • Physical security reviews

  6. Contractual Issues
  • Can previously conducted audits and assessments of the ODC be reviewed?
    • Their own internal security staff’s efforts
    • Contracted assessments and audits
    • Other clients’ results
    • SAS 70 reviews
    • ISO 17799 reviews
  • Have employees signed Intellectual Property agreements?
  • What about Non-Disclosure Agreements (NDAs)?

  7. Connectivity Options – Limited
  • No direct network connectivity.
  • Primarily used for “over the wall” and one-off development efforts, not partnerships.
  • How are source code and design documents transferred?
  • Can encryption of e-mail and data transfers be enforced?
  • The ODC can have a connection to the Internet or could be completely isolated.

  8. Connectivity Options – Leased Line
  • Some type of private line.
  • Routing should be configured to force data and e-mail transfers to use the leased line.
  • Access needs to be restricted to only the required systems.
  • Both companies should have a firewall allowing only the required traffic.
  • An ODC Internet connection is optional, as the corporate network could be used for Internet access.

  9. Connectivity Options – ODC & ODC Corp
  • The ODC network or the ODC corporate network may have Internet connectivity.
  • Question what traffic is allowed between the ODC and ODC corporate networks.
  • The leased line and the Internet connection may terminate on the ODC network or on the ODC corporate network.
  • Again, the existence of a private leased line doesn’t guarantee its use.

  10. Connectivity Options – Source in DMZ
  • Can provide the best solution in terms of data and connectivity isolation.
  • May require more effort in terms of network engineering.
  • Implement IP address restrictions to allow connections from authorized entities only.
  • You must have one-time passwords in use here.
  • A VPN offers additional security.

  11. Connectivity – Remote Access?
  • Watch senior ODC personnel, who may have contractor status at your company and may have unrestricted access into your corporate network.
  • Do you want personnel working from home? Most companies prohibit it, which helps prevent intellectual property leakage.
  • Does the ODC allow it? If so, how is logical network separation managed to ensure your IP is protected? What restrictions are there?
  • Do you require token-based / one-time passwords to access source code?
  • In DMZ solutions, have you prevented a rogue employee from downloading the source code from home using the same password used at work?
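The DMZ access rules in slides 10 and 11 (connections only from authorized addresses, one-time passwords for the source repository, no way to reuse the work password from home) can be captured as a default-deny policy that both ends of the leased line can agree on and that the DMZ firewall can enforce. The following is an added example written for this page, not code from the presentation or from Lucent; the host names, address ranges and port numbers are hypothetical. The firewall rendering covers only the address/port part of the policy; the one-time-password requirement itself is enforced on the repository host (for example through the SSH daemon's PAM configuration), which is why the decision function carries it separately.

```python
"""Default-deny access policy for a source repository hosted in a DMZ.

Added example, not code from the presentation. Host names, address ranges
and port numbers are hypothetical. It models two of the talk's points:
only the ODC's leased-line addresses may reach the repository, and doing
so requires a one-time password, so a work password reused from an
employee's home connection gets no further than the firewall.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple


@dataclass(frozen=True)
class Flow:
    src_net: str      # CIDR the connection must originate from
    dst_host: str     # DMZ system the flow may reach
    dst_port: int
    needs_otp: bool   # one-time password required for this service


# Hypothetical DMZ host map and policy: the ODC's leased-line range may reach
# the source server over SSH (with OTP) and the mail relay over SMTP. Nothing
# else is listed, and anything not listed is denied.
DMZ_HOSTS = {"cvs.dmz.example.com": "192.0.2.10", "mail.dmz.example.com": "192.0.2.25"}
ODC_LEASED_LINE = "10.20.0.0/24"
POLICY: List[Flow] = [
    Flow(ODC_LEASED_LINE, "cvs.dmz.example.com", 22, needs_otp=True),
    Flow(ODC_LEASED_LINE, "mail.dmz.example.com", 25, needs_otp=False),
]


def decide(src_ip: str, dst_host: str, dst_port: int, otp_passed: bool,
           policy: List[Flow] = POLICY) -> Tuple[bool, str]:
    """Return (allowed, reason) for a connection attempt; the default is deny."""
    src = ip_address(src_ip)
    for flow in policy:
        if src not in ip_network(flow.src_net):
            continue
        if (dst_host, dst_port) != (flow.dst_host, flow.dst_port):
            continue
        if flow.needs_otp and not otp_passed:
            return False, "one-time password required"
        return True, "matches policy"
    return False, "no matching flow (default deny)"


def to_iptables(policy: List[Flow] = POLICY) -> List[str]:
    """Render the address/port part of the policy as an iptables chain for the
    DMZ firewall: one ACCEPT per required flow, then an unconditional DROP.
    OTP enforcement stays on the host; a packet filter cannot check it."""
    rules = []
    for f in policy:
        rules.append(f"-A ODC-IN -s {f.src_net} -d {DMZ_HOSTS[f.dst_host]} "
                     f"-p tcp --dport {f.dst_port} -m conntrack --ctstate NEW -j ACCEPT")
    rules.append("-A ODC-IN -j DROP")
    return rules


if __name__ == "__main__":
    # A developer on the leased line with a valid OTP is allowed; the same
    # account from a home address, or without the OTP, is refused.
    print(decide("10.20.0.15", "cvs.dmz.example.com", 22, otp_passed=True))
    print(decide("203.0.113.7", "cvs.dmz.example.com", 22, otp_passed=True))
    print(decide("10.20.0.15", "cvs.dmz.example.com", 22, otp_passed=False))
    print("\n".join(to_iptables()))
```

The design choice worth noting is that the policy lists required flows and nothing else; a new service the ODC needs has to be added explicitly, which makes the "only the required systems" requirement from slide 8 auditable against the contract.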

  12. Connectivity Concerns
  • Are you providing inbound access to services on your network?
  • Are the ODC systems connecting to your network secure?
  • Are your systems secure?
    • Anti-virus updates
    • Patches and service packs
  • Are you protected against:
    • Worms and other malware
    • A malicious user using Telnet or SSH to reach a system on your network and then using that system as a launching point to gain complete access to the rest of your network?
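The last bullet describes a pivot: an ODC user logs into the system you exposed to them and then opens connections from it into the rest of your network. A system that exists to serve the ODC (a source repository in the DMZ, say) should not be initiating SSH or Telnet sessions toward corporate hosts at all, so that pattern is cheap to detect from the DMZ firewall's connection log joined with the host's login log. The following detection is an added example written for this page, not part of the presentation; the log lines are constructed, and the host addresses, corporate address range and log formats are assumptions.

```python
"""Detect a DMZ host being used as a launching point into the corporate network.

Added example, not from the presentation. The sample log lines below are
constructed for the example; the addresses, host names and line formats
are assumptions. Rule: any NEW outbound TCP connection from the DMZ source
server to the corporate address space on an interactive port (SSH/Telnet)
is a pivot, attributed to the most recent interactive login on that host.
"""
import re
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

CORP_NET = ip_network("10.0.0.0/8")   # hypothetical corporate address space
DMZ_HOST_IP = "192.0.2.10"            # hypothetical DMZ source-code server
PIVOT_PORTS = {22, 23}                # SSH and Telnet, as named on the slide

# Constructed sample data (not real logs): sshd logins on the DMZ host and
# the DMZ firewall's connection log, both with ISO-8601 timestamps.
SSHD_LOG = """\
2004-02-23T09:12:01 cvs-dmz sshd[411]: Accepted keyboard-interactive/pam for jdoe from 10.20.0.15 port 51022 ssh2
2004-02-23T09:40:18 cvs-dmz sshd[498]: Accepted keyboard-interactive/pam for asmith from 10.20.0.31 port 51544 ssh2
"""
FW_LOG = """\
2004-02-23T09:12:40 dmz-fw kernel: NEW SRC=10.20.0.15 DST=192.0.2.10 PROTO=TCP DPT=22
2004-02-23T09:15:07 dmz-fw kernel: NEW SRC=192.0.2.10 DST=10.1.4.20 PROTO=TCP DPT=22
2004-02-23T09:41:02 dmz-fw kernel: NEW SRC=192.0.2.10 DST=198.51.100.9 PROTO=TCP DPT=25
2004-02-23T09:43:55 dmz-fw kernel: NEW SRC=192.0.2.10 DST=10.1.9.3 PROTO=TCP DPT=23
"""

LOGIN_RE = re.compile(r"^(\S+) \S+ sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+) port \d+")
CONN_RE = re.compile(r"^(\S+) \S+ kernel: NEW SRC=(\S+) DST=(\S+) PROTO=TCP DPT=(\d+)")


def parse_logins(text: str) -> List[Tuple[datetime, str, str]]:
    """(timestamp, user, source address) for each accepted interactive login."""
    out = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            out.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)))
    return sorted(out)


def parse_connections(text: str) -> List[Tuple[datetime, str, str, int]]:
    """(timestamp, src, dst, dport) for each NEW TCP connection the firewall saw."""
    out = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            out.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), int(m.group(4))))
    return out


def detect_pivots(sshd_text: str, fw_text: str) -> List[Dict[str, Optional[str]]]:
    """Flag outbound interactive connections from the DMZ host into CORP_NET."""
    logins = parse_logins(sshd_text)
    alerts = []
    for ts, src, dst, dport in parse_connections(fw_text):
        # Only connections the DMZ host itself initiates, to corporate hosts,
        # on interactive ports count; inbound service traffic is expected.
        if src != DMZ_HOST_IP or dport not in PIVOT_PORTS or ip_address(dst) not in CORP_NET:
            continue
        # Attribute the pivot to the latest login that preceded it.
        session = max((l for l in logins if l[0] <= ts), default=None, key=lambda l: l[0])
        alerts.append({
            "time": ts.isoformat(),
            "to": f"{dst}:{dport}",
            "user": session[1] if session else None,
            "session_from": session[2] if session else None,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_pivots(SSHD_LOG, FW_LOG):
        print("PIVOT", alert)
```

Two of the four firewall lines are flagged (the SSH to 10.1.4.20 during jdoe's session and the Telnet to 10.1.9.3 during asmith's); the inbound login and the outbound SMTP to a non-corporate address are not. In practice the same rule belongs in the firewall policy as a drop, with this detection confirming that the drop is in place.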

  13. Personnel Security
  • Are background checks performed on employees?
    • Are they performed on yours?
  • Each client’s personnel are generally physically separated while writing code.
    • Lunch? Personal relationships?
  • What about personnel on the beach/bench?
    • Is there a mandatory period of time between client transfers?
    • What do personnel assigned to your account do between projects?

  14. Physical Security
  • Some ODCs have electrified fences, armed guards, motion sensors, and video surveillance around the perimeter.
  • Other ODCs are in a shared facility with a door that locks when they remember to close it at night.
  • What level of physical protection do you provide to your intellectual property?
    • You’ll probably learn some things from the better ODC firms.
  • Most ODCs will provide whatever level of physical protection you specify.
    • That generally comes at a price.

  15. Physical Security
  • What access controls are in place to protect your IP?
  • What logging and recording mechanisms are in place?
  • Who has access to the ODC? Do they have a list?
    • Staff in training
    • ODC security, cleaning, IT support, and maintenance personnel
  • Can the ODC badges be customized for each of their customers?
  • Are bags checked upon exit? Would the guards know what a USB drive looks like?

  16. Application Security
  • Where is the IP (source code / design documents) stored?
  • Do you have real-time access to the source code?
  • What about source code reviews?
    • What have you contracted for the ODC to perform?
    • Logic and source code errors
    • Malware
    • Transmission / version control issues
      • These increase with concurrent development at multiple sites.

  17. On-Site Reviews
  • What are the contractual obligations of the ODC vendor?
  • To what depth will you review?
  • Do you really want to do a “surprise” visit?
  • Be prepared to be asked to sign an NDA from the ODC.
    • They’ve got secrets to keep also.
  • Watch bringing electronics into some of the “Customs” and Economic zones. Some things must be declared prior to entry:
    • Cameras
    • Laptops, PDAs, etc.

  18. The On-Site Review
  • Physical Security:
    • Perimeter and building security
    • Security specific to your ODC
    • Access controls and recording, including access lists
    • Proprietary/sensitive information destruction
    • Lab, storage, cubicle, and office review
    • Awareness posters
    • Password-protected screen savers
    • Laptops physically protected
    • Visitor policy

  19. On-Site Review
  • Personnel:
    • Short discussion of coding procedures and adherence to your corporate coding policies
    • Employment documentation is organized, complete, and accurately maintained
    • NDAs and IP agreements signed and stored
    • What security training have they attended?
    • Ensure their understanding of what to do for security incidents
    • Spot check of employee records to verify that they’ve been supporting only your company

  20. On-Site Review
  • Network Security:
    • Agree on which machines will be scanned to avoid scanning their corporate or other customers’ machines.
    • Perform a typical network vulnerability scan of the machines in the ODC.
    • Interview system administrators, users, and programmers.
    • Since they are responsible for maintenance and security of the machines, I’d recommend providing the detailed vulnerabilities and corrective actions to them.
    • Sit down with the administrators to walk them through the vulnerabilities and corrective actions.
    • Position your efforts as “educational” and “partnering.”
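The first bullet above matters more than it looks: on a shared ODC network, a scan that strays onto another customer's or the ODC's own corporate machines is a contractual and possibly legal problem, not just a courtesy issue. One way to keep the scan inside the agreed scope is to treat the agreement as data and refuse any target the ODC's asset list puts in front of you that is not covered by it. The following is an added example written for this page, not part of the presentation; the address ranges are hypothetical, and the target list stands in for whatever inventory the ODC hands over before the visit. Only the scope check runs here; the nmap invocation it produces uses nmap's real `-sV`, `-oA` and `--exclude` options but is not executed.

```python
"""Keep an on-site vulnerability scan inside the contractually agreed scope.

Added example, not from the presentation. Address ranges are hypothetical:
AGREED_SCOPE is the segment the contract allows you to scan, EXCLUDED is a
shared machine the ODC asked you to leave alone. Every candidate target is
classified before anything is scanned, and rejected targets are reported
with the reason so the list can be reconciled with the ODC.
"""
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Tuple

AGREED_SCOPE = ["192.0.2.0/26", "192.0.2.100/32"]   # hypothetical: your ODC's dedicated segment
EXCLUDED = ["192.0.2.5/32"]                          # hypothetical: build server shared with another customer


def check_scope(targets: Iterable[str],
                agreed: List[str] = AGREED_SCOPE,
                excluded: List[str] = EXCLUDED) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Split candidate targets into (in_scope, rejected); rejected carries a reason.
    Exclusions win over the agreed ranges, so a carve-out inside the scope holds."""
    agreed_nets = [ip_network(n) for n in agreed]
    excluded_nets = [ip_network(n) for n in excluded]
    in_scope: List[str] = []
    rejected: List[Tuple[str, str]] = []
    for t in targets:
        ip = ip_address(t)
        if any(ip in n for n in excluded_nets):
            rejected.append((t, "explicitly excluded"))
        elif not any(ip in n for n in agreed_nets):
            rejected.append((t, "outside agreed scope"))
        else:
            in_scope.append(t)
    return in_scope, rejected


def nmap_command(in_scope: List[str], excluded: List[str] = EXCLUDED) -> List[str]:
    """Build the scan command from the vetted list only. --exclude is belt-and-braces:
    the carve-outs are already filtered, but repeating them protects against a
    later edit to the target list."""
    return ["nmap", "-sV", "-oA", "odc-review", "--exclude", ",".join(excluded), *in_scope]


if __name__ == "__main__":
    # Constructed asset list as the ODC might supply it: two hosts belong to
    # another customer's range and one is the shared build server.
    candidates = ["192.0.2.3", "192.0.2.5", "192.0.2.100", "192.0.2.200", "10.5.0.9"]
    ok, bad = check_scope(candidates)
    for target, reason in bad:
        print(f"SKIP {target}: {reason}")
    print(" ".join(nmap_command(ok)))
```

Walk the rejected list with the ODC's administrators before scanning; a host that is "outside agreed scope" but that they consider yours is exactly the discrepancy the agreement step is meant to surface.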

  21. On-Site Review
  • Make sure you read the contractual agreements between you and your ODC firms to understand what is expected of them and of you.
  • Have a basic understanding of the products and technologies that the ODC firm is working on.
  • Assume that the various firms have a pretty solid understanding of which other firms may be developing products for you:
    • Proposals they didn’t win
    • Social circles
  • Partnerships, not hostility, promote a more secure environment.

  22. Lucent Technologies – Bell Labs Innovations
  George McBride
  Senior Manager, IT Risk Management
  Lucent Technologies Inc.
  Room 2N-611G
  101 Crawfords Corner Road
  Holmdel, NJ 07733
  Phone: +1.732.949.3408
  E-mail: gmcbride@lucent.com
  Questions?
  • Contact me at gmcbride@lucent.com with any questions that you may have or any thoughts or comments on this talk.
