How To Make Sure Your Offshore Development Team Is Secure
With the rise of a more geographically distributed workforce, security is becoming more complex. In this post we take a look at a paper from The SANS Institute Reading Room on the security challenges of offshore development, and at how Augment helps mitigate those risks.
Software development is becoming an increasingly geographically distributed process, especially here in the US. It is no longer the norm to have the entire development staff working under one roof or even in one location. Cost cutting, work-from-home options and business travel have all contributed to a more globally distributed workforce.
From a network security and risk standpoint, distributed workforces have made the task of securing development more challenging. With more and more companies depending on an offshore partner, the challenges are more complex still.
At Augment we often get asked about what type of security and policies we have in place with our office in Coimbatore, India. It’s a great question and one that everyone should ask their offshore partners, even if it’s just one person working from home in India.
The Security Challenges of Offshore Development, from The SANS Institute Reading Room dives into some of the security issues of offshoring software development.
This paper presents a scary outlook of using offshore development teams for your software development projects. But keep in mind there is a whole host of security issues lurking in your local office as well. Also, some of the challenges presented in the paper apply to remote developers working here in the US as well.
Let’s look into some of the risks presented in the paper and then look at Augment’s approach to mitigating those risks.
Loss of Control:
The main issue presented in the paper is the lack of control over the development process when it takes place at an offshore development center. This risk is very real, and it directly affects the quality of the code that is produced.
So how do we mitigate this risk?
- Development Standards: At Augment this risk is mitigated by a single set of development standards imposed on the offshore team and the onshore team alike. Everyone working from the same standards helps to ensure the code, and the project as a whole, is executed as prescribed.
- Review of the code: We also recommend peer review of all code written by offshore and onshore developers. This adds to the development time (typically around 5-10%), but it ensures the code meets a common standard and removes most of the Loss of Control risk.
In order to explain this a bit further let’s look at a real life example. Augment has a team of developers helping a client in Madison, WI with their extensive backlog of maintenance issues. When the offshore team was brought on board the orientation included extensive training on the client’s internal process used for software development and deployment.
Here’s how we set up the process with our offshore developers:
- The code repository was branched, with a separate branch for the offshore team to commit their code to.
- Each commit (usually a feature or resolution to a ticket) would raise a request for peer review of the code change.
- The reviewer would then approve the code or reject it with relevant comments.
- The client's internal policy gave none of the offshore developers access to Production code or the database. Instead, the offshore developers added their change to a Deployment Checklist, which the deployment team used as the basis for changes to the Production environment.
- This simple process lets the developers do their job free from the complexities of the Production environment, and keeps Production out of reach of anyone who has not been through the review step.
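The workflow above can be enforced by the repository itself rather than by convention. The following is an added example, not Augment's or the client's actual tooling: a server-side git `update` hook that accepts pushes from anyone to the offshore team's `offshore/<ticket>` branches, but lets `main` advance only by fast-forward pushes of merge commits made by a login listed as an onshore reviewer. The environment variable `GIT_PUSHER` (assumed to be set by the SSH or hosting layer), the `hooks/onshore-reviewers` file and the branch names are all assumptions for the demo; `demo_policy` builds a throwaway bare repository and runs the scenario with constructed commits.

```shell
#!/bin/sh
# Added example (not Augment's tooling): a git "update" hook enforcing the
# offshore branch / onshore review policy. Assumptions (all hypothetical):
#   - the SSH/hosting layer exports the authenticated login as $GIT_PUSHER
#   - hooks/onshore-reviewers in the bare repo lists one reviewer login per line
#   - offshore work goes to refs/heads/offshore/<ticket>; main only advances by
#     fast-forward pushes of merge commits made by an onshore reviewer

install_review_hook() {        # usage: install_review_hook BARE_REPO reviewer...
  repo="$1"; shift
  printf '%s\n' "$@" > "$repo/hooks/onshore-reviewers"
  cat > "$repo/hooks/update" <<'HOOK'
#!/bin/sh
# git calls this once per ref as: update REFNAME OLD-SHA NEW-SHA
ref="$1"; old="$2"; new="$3"
zero=0000000000000000000000000000000000000000
pusher="${GIT_PUSHER:-unknown}"
reviewers="$(dirname "$0")/onshore-reviewers"
deny() { echo "policy: $1" >&2; exit 1; }
case "$ref" in
  refs/heads/offshore/*) exit 0 ;;   # offshore team's own branches: free to push
  refs/heads/main)
    grep -qx "$pusher" "$reviewers" || deny "only onshore reviewers update main (pusher=$pusher)"
    [ "$new" != "$zero" ] || deny "main may not be deleted"
    [ "$old" != "$zero" ] || exit 0   # first push creates main (bootstrap by a reviewer)
    git merge-base --is-ancestor "$old" "$new" || deny "non-fast-forward push to main"
    # every commit added on main's first-parent line must be a merge commit,
    # i.e. main only ever advances by merging a reviewed branch
    total=$(git rev-list --first-parent --count "$old..$new")
    merges=$(git rev-list --first-parent --merges --count "$old..$new")
    [ "$total" -gt 0 ] && [ "$total" -eq "$merges" ] \
      || deny "direct commits on main are not allowed; merge a reviewed branch"
    exit 0 ;;
  *) deny "unexpected ref $ref (use offshore/<ticket> or main)" ;;
esac
HOOK
  chmod +x "$repo/hooks/update"
}

demo_policy() (                # runs the scenario; returns 0 only if the hook behaves as described
  tmp=$(mktemp -d) || exit 1
  git init -q --bare "$tmp/central.git"
  install_review_hook "$tmp/central.git" alice            # alice is the onshore reviewer
  git clone -q "$tmp/central.git" "$tmp/work" 2>/dev/null
  cd "$tmp/work" || exit 1
  git config user.email dev@example.invalid; git config user.name dev
  git symbolic-ref HEAD refs/heads/main
  echo base > app.txt; git add app.txt; git commit -qm "baseline"
  GIT_PUSHER=alice git push -q origin main || exit 1      # bootstrap of main by a reviewer: accepted
  git checkout -q -b offshore/ticket-42
  echo fix >> app.txt; git commit -qam "ticket-42: fix"
  GIT_PUSHER=ravi git push -q origin offshore/ticket-42 || exit 1          # offshore branch: accepted
  if GIT_PUSHER=ravi git push -q origin offshore/ticket-42:main 2>/dev/null; then exit 1; fi  # not a reviewer: rejected
  git checkout -q main
  git merge -q --no-ff -m "Merge reviewed ticket-42" offshore/ticket-42
  GIT_PUSHER=alice git push -q origin main || exit 1      # reviewed merge by a reviewer: accepted
  echo hot >> app.txt; git commit -qam "hotfix straight on main"
  if GIT_PUSHER=alice git push -q origin main 2>/dev/null; then exit 1; fi  # direct commit, even by a reviewer: rejected
  echo "policy behaves as expected"
)

if [ "${1:-}" = demo ]; then demo_policy; fi
```

Run the script with the argument `demo` to see the four pushes play out. The hook deliberately checks the first-parent line of `main` rather than just the tip, so a reviewer cannot sneak an unreviewed commit in underneath a later merge, and the fast-forward check stops history on `main` from being rewritten. In a real deployment the pusher identity would come from the authentication layer (for example a forced SSH command), never from a client-supplied variable as in this demo.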
Network Security:
Networks are complex by nature, one reason why many network admins make six figure incomes. The more people and nodes from different locations on the network, the more complex it becomes to manage. Offshore resources add a further level of risk, since their network and policies are outside of your domain.
Appropriate and relevant access, firewalls and additional DMZs mitigate these risks to a large extent. Unfortunately, the threat of a break-in to the corporate servers via a third party is ever-present. Careful evaluation of the offshore vendor is certainly needed, but so is insight into their written network and security policies. Even with the best written policies, 100% protection is almost impossible to guarantee.
The popular adage "the best defense is a good offense" applies to network security as well. Being proactive about monitoring traffic, applying the latest security patches and assigning just the right level of access to each person goes a long way toward maintaining network integrity.
At Augment each development team is given just the right level of access to the development server. Often the software code resides in a central repository, and access is granted only for the project the resource is assigned to. All code is checked into a separate branch that is then merged by an onshore developer after a thorough code review. All Augment developers are trained to be responsible with their access: passwords are never shared, and substitution of personnel is only done with permission from the client. All Augment developers work from the same office, which Augment owns. Physical security, restricted access to floors, surveillance cameras, a clean desk policy, network best practices and random audits all assure that the projects and the resources are working towards a common goal: quality software development for the client project.
Legal and IP Issues:
With the use of offshore vendors and resources there is always the possibility of the client's IP being misused. Most offshore vendors are reputable and continue to execute projects for many small, medium and multi-national companies with few issues involving IP. Companies should of course sign a Non-Disclosure Agreement (NDA) and a Privacy Agreement. IP ownership rights, both for existing IP and for IP developed during the project, should belong to the client.
Augment’s founders have had zero incidents involving IP issues in their careers. Below is a summary of Augment’s policies and procedures to assure clients that their projects are safe and will get executed professionally. This list will give you a feel for what an offshore vendor should have in place for security controls and should be used when talking to any offshore vendor.
- Located in a fully owned building
- Over 120 staff with exposure to international projects
- High speed internet connectivity with redundant lines
- 100% power supply – UPS and Backup Generators available
- Physical security in place 24/7
- Surveillance cameras at all vantage points to constantly ensure security of client information
- Access controls in place
- Network restrictions to ensure that only the relevant personnel have access to client related information stored in File System, Source Control, Staging Servers, Production/Web Servers, Backup Server and Email
- Firewall protection at all times for all incoming and outgoing traffic
- Frequent system monitoring in place to detect and prevent incidents
- No access to USB ports, pen drives, printers or external e-mail for the team, so that client information and source code remain protected at all times
Intellectual Property Protection
- Any improvements to Intellectual Property items held by the client or its end clients, further inventions or improvements, and any items of Intellectual Property discovered or developed by Augment, LLC for the client or ultimately for client’s end clients shall be the property of the client or its end clients.
- Augment, LLC will sign all documents necessary to perfect the rights of the client or its end clients to such Intellectual Property, including the filing and / or prosecution of any application for copyright or patent. Augment, LLC will sign all documents necessary to assign the rights to such Intellectual Property to the client or its end clients.
- All employees of Augment, LLC execute the non-disclosure and intellectual property agreement internally with us, which will prevent misuse of client proprietary information as well as end client proprietary information.
- A general vigil on the activities of the employee is also maintained to ensure that there is no threat to the agreements made between Augment, LLC and the client.
- Risk management system: The risks are mitigated with the help of Usage Guidelines, Security Policies & Procedures, Backup Policies, Emergency Procedures, Regular Maintenance and System Audits.
- We also have a physical security service in place to monitor and restrict access of unauthorized persons at the office entrance. All employees are provided with identity tags and only those in possession are allowed access inside.
- In addition to physical restrictions, we have tight access control to computers, secure firewalls in place and use the latest anti-virus software.
- Network restrictions are in place, whereby only authorized personnel are allowed access to relevant information. Dedicated system administrators are available 24/6.
- We have a system in place to reduce overall messaging volume and protect against spam, spyware and other security threats.
- For integrity, software code is tested before any system is implemented, to ensure that data does not become corrupted. Regular logging and log analysis are also performed to support debugging and incident response.