The Dangers of Global Development
Good illustrations of such facilities are the technology parks that India has developed to aid software-exporting companies. Software Technology Parks of India (STPI), headquartered in New Delhi, is an umbrella organization with eleven facilities throughout the country. Each technology park provides for a software company's infrastructure needs by guaranteeing a supply of electricity, high-speed telecommunications links, and even hardware and network capabilities. STPI provides services for more than 450 companies. Software exports from these parks grew at an annual rate of 65 percent during the nineties. Each STPI houses multiple offshore development centers.
An ODC may be a dedicated facility for one client or it may produce software for multiple clients. Analysts working at the client company develop system requirements and specifications and then send them for coding by programmers at an ODC. The ODC is usually connected to the client's host system through leased lines, through a Virtual Private Network (VPN), or sometimes directly through the Internet. The link to the ODC creates several potential vulnerabilities for the client's system. Vulnerabilities include Trojans or viruses embedded in the software, unauthorized access by ODC personnel into parts of the client network, and intrusion of the client system by a hacker who has penetrated the ODC defenses.
At the same time that software development has become a global industry, incidents of cyber warfare are growing. After the emergency landing of a U.S. surveillance plane on Hainan Island, Chinese and American hackers declared war on each other, attacking Websites in the opposing country. Such attacks increased from two or three incidents per day before the landing to 40 to 50 immediately following it. In October 2000, a wave of denial of service attacks and network penetrations spread through the Middle East. Hackers attacked both the Israeli Defense Forces and the Foreign Ministry Websites. The Foreign Ministry site crashed and the Defense Forces shut down their website as a defensive measure. U.S. organizations that support Israel were also attacked.
US government and private security consultants warned that such attacks could spill over to other American companies. On September 11, 2001, the unthinkable happened to the physical security of our nation. Given our country's newly heightened security consciousness, there is greater attention to network security. Still, U.S. corporations are struggling to establish effective security practices within their own companies. When a company outsourced a software project in the past, it rarely examined the security practices of the offshore outsourcing company. Whether this will change in the future depends on education of the security community, consumers and producers of offshore software, and our political leaders.
There is resistance to examining the security of the outsourcing option because of the cost factor. One of the great attractions of offshore outsourcing is the comparative price advantage compared to on-site development. Improved security will add to costs and both clients and vendors may be tempted to cut corners, despite the recent upsurge in terrorism. Few analysts have examined the security implications of global software development. The topic deserves in depth research, analysis, and increased visibility.
The Dangers of Global Development
Risk analysis and the selection of appropriate counter-measures are necessary for all companies. However, the picture becomes much more complicated for a company that is using an offshore software development facility. There are several complicating factors:
Loss of control - By outsourcing, a client loses control over the conditions under which its software is developed. A link with an ODC opens a broadband communications channel directly into the client system. The company's security personnel lose the ability to regulate authentication of users at the ODC.
Network complexity - Network configuration management in an expanding and ever-changing environment is a challenge for most security departments. Maintaining an understanding of normal traffic patterns becomes almost impossible when an ODC is thrown into the mix. If the development center produces software for multiple clients and does not isolate the networks connected to each client's system, configuration management becomes an impossible task.
Clashing security policies and procedures - The client and the ODC may take varying approaches regarding known vulnerabilities, intrusion detection, perimeter defense, or other security issues. These discrepancies could easily create vulnerabilities for both the client and the offshore vendor.
Threats to a company's intellectual property - Offshore development creates risks to a company's intellectual property because trade secrets, customer data, and financial information are often made available to a foreign company whose employees are not subject to U.S. laws. The offshore developer or its employees may also be doing work for a competitor. A company's worst nightmare is losing its intellectual property when it goes offshore, since recovering it would require international litigation, a process that could take years of effort while the damage is immediate.
Legal issues - As mentioned, different laws govern offshore vendors. The issue is not contract enforcement as much as data security, because most vendor contracts are enforceable in U.S. courts. However, laws applying to the protection of data are often non-existent in the offshore country. Another legal complication is presented by the new U.S. data privacy laws such as Gramm-Leach-Bliley, which requires U.S. financial corporations to protect the data of their customers. Few measures are currently required to ensure that offshore development centers are abiding by these laws.
Loss of control over code
Loss of perimeter control
Lack of authentication controls
Network complexity - The challenge to configuration management
An ODC link often means that an unknown network is linked into the heart of the client computer system. An ODC connection bypasses much of the host perimeter defenses and opens multiple channels for hostile penetration of the host system. A developer in an ODC may conscientiously be doing his job. Still, while he is coding and testing he could also be chatting on a website that would be off limits to an on-site programmer. An attacker could use the open HTTP connection to the workstation to implant a Trojan in the host system or map the corporate network.
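The mapping activity described above leaves a trace in the logs of whatever firewall fronts the ODC link: one ODC workstation begins touching internal hosts and ports that the project never needed. The script below is an added example, not part of the original article, showing how a client security team could watch for that. The log format, the ODC address range (10.50.7.0/24), the project's allowed hosts, the fan-out threshold and the sample log lines are all constructed for illustration.

```python
"""Detect network mapping over an ODC link from constructed firewall log lines.

Two checks per ODC source address:
  * out-of-scope: any contact with an internal host the project is not entitled to use
  * fan-out: too many distinct dst:port pairs inside a sliding time window
Everything below (format, subnets, thresholds, sample lines) is hypothetical.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log line shape for the firewall in front of the ODC VPN/leased line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)

ODC_PREFIX = "10.50.7."                     # assumed ODC workstation range behind the VPN
PROJECT_HOSTS = {"10.1.20.5", "10.1.20.6"}  # assumed hosts this project may legitimately reach
FANOUT_THRESHOLD = 8                        # distinct dst:port pairs per source per window
WINDOW = timedelta(minutes=5)


def parse(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["dport"] = int(rec["dport"])
    return rec


def max_fanout(events):
    """Largest number of distinct (dst, dport) pairs one source touched within WINDOW.
    Dropped connections count too: a sweep the firewall mostly blocks is still a sweep."""
    events = sorted(events, key=lambda e: e["ts"])
    in_window = {}   # (dst, dport) -> number of events currently inside the window
    best = j = 0
    for e in events:
        key = (e["dst"], e["dport"])
        in_window[key] = in_window.get(key, 0) + 1
        while e["ts"] - events[j]["ts"] > WINDOW:      # slide the window's left edge
            old = (events[j]["dst"], events[j]["dport"])
            in_window[old] -= 1
            if in_window[old] == 0:
                del in_window[old]
            j += 1
        best = max(best, len(in_window))
    return best


def analyse(lines):
    """Return {odc_source: finding} for ODC sources that reached hosts outside the
    project set or fanned out across FANOUT_THRESHOLD or more dst:port pairs."""
    by_src = defaultdict(list)
    for rec in (parse(line) for line in lines):
        if rec and rec["src"].startswith(ODC_PREFIX):   # only traffic arriving over the ODC link
            by_src[rec["src"]].append(rec)
    findings = {}
    for src, evs in by_src.items():
        out_of_scope = sorted({e["dst"] for e in evs if e["dst"] not in PROJECT_HOSTS})
        fanout = max_fanout(evs)
        if out_of_scope or fanout >= FANOUT_THRESHOLD:
            findings[src] = {
                "out_of_scope": out_of_scope,
                "max_fanout": fanout,
                "scan": fanout >= FANOUT_THRESHOLD,
            }
    return findings


# Constructed sample: workstation .21 behaves normally; workstation .33 sweeps SMB
# across twelve internal hosts in about a minute, mostly blocked by the firewall.
SAMPLE_LOG = [
    "2002-03-04T09:00:01 ACCEPT src=10.50.7.21 dst=10.1.20.5 proto=tcp dport=22",
    "2002-03-04T09:00:40 ACCEPT src=10.50.7.21 dst=10.1.20.6 proto=tcp dport=443",
    "2002-03-04T09:05:00 ACCEPT src=10.1.30.9 dst=10.1.20.5 proto=tcp dport=22",  # internal, not ODC
    "2002-03-04T09:12:10 ACCEPT src=10.50.7.21 dst=10.1.20.5 proto=tcp dport=22",
    "2002-03-04T09:30:00 ACCEPT src=10.50.7.33 dst=10.1.20.5 proto=tcp dport=22",
] + [
    f"2002-03-04T09:31:{s:02d} {'ACCEPT' if h in (5, 6) else 'DROP'} "
    f"src=10.50.7.33 dst=10.1.20.{h} proto=tcp dport=445"
    for s, h in enumerate(range(1, 13))
]

if __name__ == "__main__":
    for src, finding in analyse(SAMPLE_LOG).items():
        print(src, finding)
```

Only 10.50.7.33 is reported: it reached ten hosts outside the project set and hit thirteen distinct destination/port pairs inside one five-minute window, while the developer at 10.50.7.21 never exceeded two. The out-of-scope check is the more important of the two in practice, because it needs no tuning: a project workstation on the far end of an ODC link should have an explicit, short list of hosts it may reach, and anything else is a finding regardless of rate.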
Isolation levels within the ODC
Lack of isolation of network resources is another critical issue. Sometimes hard drives or servers are shared between projects for different clients. Even when resources are not directly shared, there are rarely perimeters established between LANs dedicated to different clients. In addition, depending on the configuration, it is possible for someone on the host network of one ODC client to use the development center as a means to connect to the network of another ODC client.
It is essential that the client ensures that its data and resources are isolated from those of other ODC clients. There are, however, different levels of isolation. Development for a project can take place on LANs that are completely isolated from the Internet and the rest of the ODC's networks, with fully dedicated personnel. Alternatively, some resources can be shared between projects or even clients. Sharing of resources creates economies of scale and enables the vendor to pass on cost savings to the client. Applications are not all equally critical, and isolation does create additional costs. Therefore, the level of isolation of a project must be commensurate with its security requirements.
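Whether a shared resource really lets one client's network reach another's is not obvious from the rule table, because the path runs through two or three segments. The following is an added example, not from the article, of the check a client's security team could run against an ODC's zone-based firewall policy: compute transitive reachability from each client's host network and report any path that lands in another client's segment. The zone names, both rulesets and the client list are hypothetical.

```python
"""Verify that an ODC's segmentation isolates one client from another.

Zones are named network segments; a rule (src, dst) means traffic initiated in
src may reach dst. Reachability is computed transitively, because a host in any
zone the attacker can reach may be compromised and used to pivot onward.
Topology and rules are constructed for illustration.
"""
from collections import deque

CLIENTS = ["clientA", "clientB"]   # each has <name>_host (its own network) and <name>_lan (ODC LAN)

# Weak policy: a single build server segment is shared by both projects and is
# allowed to push artefacts back into each client LAN. That return rule is the
# bridge between the two clients.
WEAK_RULES = [
    ("clientA_host", "clientA_lan"), ("clientA_lan", "clientA_host"),
    ("clientB_host", "clientB_lan"), ("clientB_lan", "clientB_host"),
    ("clientA_lan", "odc_shared"),   ("clientB_lan", "odc_shared"),
    ("odc_shared", "clientA_lan"),   ("odc_shared", "clientB_lan"),
    ("clientA_lan", "internet"),     ("clientB_lan", "internet"),
]

# Hardened policy: one build segment per client, no rule lets any shared segment
# initiate traffic into a client LAN, and Internet access goes through a proxy
# zone that can only receive. Sharing the proxy is still safe because nothing
# originates from it.
STRICT_RULES = [
    ("clientA_host", "clientA_lan"), ("clientA_lan", "clientA_host"),
    ("clientA_lan", "clientA_build"),
    ("clientB_host", "clientB_lan"), ("clientB_lan", "clientB_host"),
    ("clientB_lan", "clientB_build"),
    ("clientA_lan", "internet_proxy"), ("clientB_lan", "internet_proxy"),
]


def reachable(rules, start):
    """Return {zone: path} for every zone transitively reachable from `start`.
    Breadth-first search, so each path is a shortest one."""
    adj = {}
    for src, dst in rules:
        adj.setdefault(src, []).append(dst)
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in adj.get(cur, ()):
            if nxt not in paths:
                paths[nxt] = paths[cur] + [nxt]
                queue.append(nxt)
    return paths


def isolation_violations(rules, clients):
    """List (from_client, to_client, path) for every case where one client's host
    network can reach another client's host network or dedicated ODC LAN."""
    violations = []
    for a in clients:
        paths = reachable(rules, f"{a}_host")
        for b in clients:
            if a == b:
                continue
            for target in (f"{b}_host", f"{b}_lan"):
                if target in paths:
                    violations.append((a, b, paths[target]))
    return violations


if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("strict", STRICT_RULES)):
        found = isolation_violations(rules, CLIENTS)
        print(f"{name}: {len(found)} violation(s)")
        for a, b, path in found:
            print("  ", a, "->", b, "via", " -> ".join(path))
```

Under the weak policy the check reports clientA_host reaching clientB_lan by way of clientA_lan and odc_shared (and the symmetric path for client B); under the strict policy it reports nothing. The point for a client doing due diligence is that "is the build server shared?" is the wrong question; the right one is whether any shared segment has a rule that lets it originate traffic into a client LAN, and that is what a reachability pass over the vendor's actual policy answers.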
Security policies & procedures - Security reviews
Authority for offshore developers
Legal and intellectual property issues
It is essential for a company to analyze the risks that offshore relationships may pose to its intellectual property. The risks vary depending on the software application under development, the character of the relationship with the offshore vendor, and the nature of the corporation's intellectual property. Competitors can quickly use certain trade secrets, such as chemical formulae or industrial processes. Such information is critical to protect. Both client and vendor must employ the strictest security measures in software development projects that involve easily replicable trade secrets. Some projects relating to critical and easily replicated intellectual property ought not to be outsourced at all. Other intellectual property is not as easily stolen. For example, a trade process such as a financial planning methodology, takes a considerable time to master. Companies can develop appropriate steps to protect these processes from competitors. Security measures for offshore projects should fit the risks to a company's intellectual property.
In addition to trade secrets, customer data and financial information are often exposed during a software development project. Customer data can easily be used for fraudulent purposes, and the incidence of international Internet credit card fraud is rising rapidly. In a tightly interconnected world financial system, information on the finances of large corporations can be used for insider trading and manipulation of stock prices. The employees of a foreign company are not subject to U.S. laws. Some countries such as India are aware of cyber crime and are beginning to take a few initial steps. However, the criminal justice systems of most Third World countries lack the technical and legal framework to investigate and prosecute system break-ins or data theft.
Developing a knowledge transfer policy
The terrorists gained access through social engineering. They drove a sedan similar to that used by all Indian officials and wore the uniforms of high-ranking security officials. When the guard challenged them they threatened him with the loss of his job, and he let them pass. The next day CNN filmed the British Prime Minister entering the grounds of a castle where a European summit meeting was being held. The guards searched the Prime Minister's car for bombs the same as any other vehicle. There is a lesson in these two events that the IT security community must keep in mind. In cultures where there is a rigid hierarchy, those on the lower echelons are brought up to be subservient to those above them. This means that many people who work as data center guards are susceptible to intimidation and manipulation by intruders who wear the mantle of authority.
Another example is a TerraFirma employee who worked for one of India's leading technology companies. He repeatedly entered the facility by saying he had forgotten his pass. Within the ODC, he had complete access to computers and files, even on projects that he knew nothing about, including a secure project for British Gas that developed refinery software.
These two examples illustrate the weaknesses in physical security at some ODCs. While scheduled security audits examine physical security, the real issue is how security is maintained when the auditors are not on the scene.
A thorough review of the vendor's security policy. The policy must address issues such as isolation of resources by client and security cooperation with the client.
A rigorous network vulnerability assessment of the offshore development center, including its ability to protect client intellectual property.
Evaluation of the application security development life cycle being used by the ODC. Application security must go far beyond password authentication and network firewalls. It must be built into the software application from the beginning.
Ongoing monitoring and reporting of the ODC's client anti-virus, intrusion detection, and perimeter protection systems.
However, the responsibility for secure outsourcing does not lie with the vendors alone. U.S. companies themselves must be ready to meet the challenges presented by global software development. In addition to holding their vendors accountable on the above issues, U.S. buyers of outsourced software (including the U.S. government) should:
Implement an independent review of their outsourcing security policy
Conduct security testing of newly developed systems. (This applies to systems developed in-house as well as overseas.)
Submit their own data centers to a security rating to evaluate where they stand compared to industry standards.