Seen above is real source code we got access to in a recent web application penetration test by exploiting security vulnerabilities caused by poor secure coding practice. While inspecting source code we found an interesting function called ‘antiHack’ which appears to do nothing but return the inputted data verbatim.
Organisations today, more so than ever, are being challenged to develop services that meet the needs of the modern digital consumer. For a lot of organisations, an essential component of doing business involves web applications and mobile applications.
As a result, the question of whether to outsource development or develop software in-house often arises. While there are many benefits to outsourced development such as cost reduction, the effect that outsourced development has on security is often overlooked.
Although outsourced development isn’t determinately less secure than in-house development, there are several common factors we have seen resulting in outsourced development negatively impacting security. We will discuss two of the main factors:
1. Conflicting security policies and procedures
Organisations spend significant resources to ensure the suitability and capability of individual candidates when it comes to hiring. This same effort is rarely expended when it comes to determining a suitable company to carry out outsourced development with regards to security.
Assumptions are often made that the vendor will develop ‘securely’. However, without investigation, the client and the vendor may have different definitions and notions of what ‘secure’ is and how ‘security’ can be achieved. These misunderstandings can result in vulnerabilities.
The recommended approach is to specify minimum security requirements, standards or frameworks to ensure the software developed is aligned with the organisational risk appetite.
2. Race to the bottom
Developing with secure code practices has an overhead. If developing with this overhead in mind has not been accounted for in provided quotes, and cost is a significant factor in vendor choice, non-functional aspects of the application (e.g. security) are likely to be ignored.
By being clear and unambiguous with security expectations, rather than inferences and assumptions, allows vendors to compete and be evaluated on a level playing field.
While outsourced development produces a host of opportunities for organisations, care should be taken to accurately assess the risks involved. Whilst the development activities themselves can be outsourced, however the burden of risk remains with the contracting organisation.