Wednesday, September 2, 2009

Federal Government Enables Greater Security by Establishing Standard for Outsourced Code Development

A large civilian federal organization, with over 12,000 employees and a budget of over $15 billion, was faced with new security standards while continuing its current operations.

The challenge for this customer was ensuring the application-level security of an upgrade to a 250 million line application. Not only was the code base large, but the application had been developed externally by a third-party provider and was scheduled to roll out in modules over a six-month timeframe. Adding to the challenge, this upgrade followed a very recent and well-publicized exploit in another division of the organization, which had heightened sensitivity about the overall security of any new application rollout.

Our customer was seeking a solution that would allow them to better evaluate the application prior to its deployment, thereby reducing risk and decreasing the likelihood of an unintended disclosure of information. The solution would be required to analyze an enormous amount of source code, and would also need to provide results that were meaningful to program managers, not just to security specialists and development personnel.

Due to the heightened sensitivity to security and unwanted data exposure in their environment, the customer had a very specific set of requirements. Their overall process is outlined below:

* Define what they meant by "security".
* Find language and criteria through which they could communicate that definition to their vendor.
* Be able to enforce the vendor's performance against those criteria.

This was not an easy task considering the size and complexity of this critical ERP application.


Using Ounce Labs' source code analysis tool, the customer was able to evaluate the current vulnerabilities within the code, prioritize remediation efforts against the highest-severity ones, and meet their rollout timeframe.

Additionally, this code scan gave them a benchmark against which to establish a set of standards for secure code. Using the Ounce Labs taxonomy of security vulnerabilities, contracts were written that specified the security conditions that were unacceptable at delivery of the software and mandated regular testing by the vendor prior to software release. If such vulnerabilities still existed at the time of delivery, the vendor developing the software would be penalized for non-performance: for medium-severity vulnerabilities, as discovered and defined by the Ounce product, the vendor would be fined 5% of the monthly invoice until they were repaired; for high-severity vulnerabilities, the vendor would receive no payment until those vulnerabilities were remediated.
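The acceptance criteria above (any high-severity finding blocks payment, any medium-severity finding withholds 5% of the monthly invoice) can be enforced mechanically at each module delivery by running the scan export through a gate. The script below is an added illustration, not Ounce Labs' code or their export format: the JSON field names, the severity labels, and the sample findings are all constructed assumptions. It parses the export, refuses severity labels outside the agreed taxonomy (so a malformed export cannot pass the gate silently), applies the contract terms, and produces the program-manager-level summary the text says the customer needed.

```python
"""Acceptance gate: apply contractual severity thresholds to a code-scan export.

Added illustration. The export format, field names and severity labels are
assumptions and are not Ounce Labs' own format or taxonomy.
"""
import json
from collections import Counter

# Constructed sample export: what a scanner might emit for one delivered module.
SAMPLE_EXPORT = json.dumps([
    {"id": "F-001", "severity": "High",   "category": "SQL injection",
     "file": "billing/query.c", "line": 212},
    {"id": "F-002", "severity": "Medium", "category": "Hard-coded credential",
     "file": "auth/config.c", "line": 40},
    {"id": "F-003", "severity": "Medium", "category": "Unvalidated redirect",
     "file": "web/redirect.c", "line": 77},
    {"id": "F-004", "severity": "Low",    "category": "Verbose error message",
     "file": "web/errors.c", "line": 15},
])

SEVERITY_RANK = {"high": 3, "medium": 2, "low": 1, "info": 0}  # assumed taxonomy
MEDIUM_PENALTY_RATE = 0.05  # 5% of the monthly invoice, as stated in the text


def load_findings(export_text):
    """Parse the export and normalise severities. A label outside the agreed
    taxonomy is an error rather than a silent pass: the gate must not accept
    a delivery it cannot classify."""
    findings = []
    for raw in json.loads(export_text):
        sev = str(raw.get("severity", "")).strip().lower()
        if sev not in SEVERITY_RANK:
            raise ValueError(
                f"finding {raw.get('id')!r} has unrecognised severity {raw.get('severity')!r}")
        findings.append({**raw, "severity": sev})
    return findings


def count_by_severity(findings):
    """Count findings per severity, always reporting every severity level."""
    counts = Counter(f["severity"] for f in findings)
    return {sev: counts.get(sev, 0) for sev in SEVERITY_RANK}


def prioritised(findings):
    """Highest severity first, so remediation effort goes to the worst items."""
    return sorted(findings, key=lambda f: (-SEVERITY_RANK[f["severity"]], f["id"]))


def evaluate_delivery(findings, monthly_invoice):
    """Apply the contract terms described in the text: any high-severity
    finding means no payment until remediated; any medium-severity finding
    means 5% withheld; otherwise the invoice is paid in full."""
    counts = count_by_severity(findings)
    if counts["high"]:
        return {"decision": "reject", "paid": 0.0,
                "withheld": round(monthly_invoice, 2), "counts": counts}
    if counts["medium"]:
        withheld = round(monthly_invoice * MEDIUM_PENALTY_RATE, 2)
        return {"decision": "accept_with_penalty", "paid": round(monthly_invoice - withheld, 2),
                "withheld": withheld, "counts": counts}
    return {"decision": "accept", "paid": round(monthly_invoice, 2),
            "withheld": 0.0, "counts": counts}


def manager_summary(findings, monthly_invoice):
    """Plain-language summary for program managers rather than engineers."""
    result = evaluate_delivery(findings, monthly_invoice)
    c = result["counts"]
    lines = [
        f"Decision: {result['decision']}",
        f"Findings: {c['high']} high, {c['medium']} medium, {c['low']} low, {c['info']} info",
        f"Payment: ${result['paid']:,.2f} released, ${result['withheld']:,.2f} withheld",
        "Top items to remediate:",
    ]
    for f in prioritised(findings)[:3]:
        lines.append(f"  [{f['severity'].upper()}] {f['id']} {f['category']} "
                     f"({f['file']}:{f['line']})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(manager_summary(load_findings(SAMPLE_EXPORT), monthly_invoice=1_000_000))
```

Run against the constructed export, the gate rejects the delivery because of the single high-severity finding; remove that finding and it accepts with 5% withheld. The same script can run in the vendor's own pre-release testing, which the contract mandates, so both sides see the same acceptance decision before delivery.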

It is possible to generate, negotiate, and enforce contracts that create an environment with third-party providers leading to much more secure applications at the time of delivery. These contracts protect an organization against the unplanned costs of a breach, including clean-up, patching, and reputation damage. Incorporating cost recovery into outsourced software development contracts more than justifies the additional management and resource expense associated with the new security requirements and their enforcement.