Trust, but Verify

How to manage risk in outsourced applications

Ryan Berg
IBM Senior Security Architect
IBM Software Group

December 2009

Executive overview

Save money. Speed development. Augment staff resources. Tap expertise not available internally. The reasons for outsourcing application development are many and varied. Outsourcing can be a cost-effective and efficient solution to the demand for new and specialized applications in today’s Internet-based marketplace.

It is absolutely critical, however, that the team responsible for evaluating the outsourced application makes security one of its principal criteria prior to acceptance of each release. There must be a mutually agreed-upon process to articulate and certify the security of the delivered project. Armed with that information, organizations can manage application risk and balance remediation priorities. This white paper:

● Discusses the need for addressing security concerns in outsourced applications
● Outlines a framework for addressing these concerns with outsourcing partners
● Explores the role of source code review and related technologies to assess and certify outsourced applications

Outsourcing on the rise

Outsourcing continues to be a significant resource for application development. An InformationWeek study found that 84 percent of InformationWeek 500 companies outsourced application development and integration.[1] Across all industries, executives are increasingly turning to outsourced development to deliver their critical applications in order to move rapidly, contain costs, and supplement their own in-house expertise. Other reports estimate enterprise application outsourcing will see a compound annual growth rate of 7.3 percent through 2007. The Tower Group estimates that information technology (IT) work outsourced to vendors abroad by the top 15 global financial institutions will grow by 34 percent annually over the next four years, from $1 billion today to $2.5 billion in 2008.[2]

Fig. 1: Applications Planned for Outsourcing Development
[Bar chart. Categories: B2B e-com, HRIS, Other in-house apps, B2C e-com, CRM, Business processes, Financial mgt/svcs, Call center, Portals, Engineering, Content Mgt, ERP, Marketing, Sales automation, Knowledge Mgt., Supply chain, Other. Horizontal axis: 0.0 to 30.0. Source: CIO Insight]


Not only are organizations increasingly outsourcing development, but they are choosing to outsource their most mission-critical and sensitive application projects (Fig. 1). E-commerce applications, human resource information systems, and financial services applications that use the most critical data and operate the most fundamental processes are increasingly being developed out of house and out of the country.[3] For businesses that frequently outsource these kinds of applications, ensuring the security state of these delivered projects must be a priority.

Issues for outsourced development

There are several security issues that arise when considering outsourced development. All of these concerns require careful planning, execution, and monitoring to verify that they are addressed prior to acceptance of the software from the outsourcer. These issues include:

Appropriate use of security mechanisms: Have the necessary security mechanisms been included to ensure the application performs only the requested functions? Were those security mechanisms deployed properly? Proper design and implementation must be validated to ensure the foundation for effective security is in place.

Secure coding best practices: Does the outsourcing development vendor have a clearly defined set of secure coding best practices? How is it documented and validated? Secure coding practices are a defined and well-articulated discipline that must be an integral part of an outsourcing vendor’s development processes.
Programmer experience and skill set: Are the programmers educated in those secure coding techniques? How is that documented and defined? What processes are in place to make sure secure coding techniques are followed? It is vital that the developers assigned to the project possess the training, skills, and awareness to develop a secure application. Most developers are not properly trained in writing secure code, whether or not they work for an outsourcing firm.

Presence of malicious code: Is there an audit process in place to ensure malicious code has not been inserted into the software? Are the auditors trained in the identification of malicious code in software? There should be a process for reviewing critical code for such dangers as viruses, worms, backdoors, and Trojan horses.

The government weighs in

The regulatory environment reflects the recognition that application security, particularly of outsourced applications, is a vital component of critical infrastructure security as well as data integrity and privacy. Each industry faces its own set of regulatory challenges. For example, the Federal Financial Institutions Examination Council’s (FFIEC) Information Security Handbook, as an implementation guide of the Gramm-Leach-Bliley Act (GLBA), explicitly states that management must establish a vendor management program that includes “establishing security requirements, acceptance criterion, and test plans, [and] reviewing and testing source code for security vulnerabilities.”[4] The Federal Information Security Management Act of 2002 (FISMA) requires that government agencies identify and remediate vulnerabilities in information systems, including applications. These requirements are in force whether the applications are developed in-house or provided or managed by another agency, contractor, or other source.[5] As of 2006, many government agencies received extremely poor marks on the official report card, with an average of C- for 2005 and 2006, with only minor improvements over previous years.[6]

The U.S. Federal Government’s concern over the security of outsourced applications, particularly when it comes to critical infrastructure applications and military weapons systems, was expressed most explicitly in a recent Government Accountability Office (GAO) report entitled “Defense Acquisitions: Knowledge of Software Suppliers Needed to Manage Risk.” The Department of Defense’s (DOD) prime contractors are increasingly reliant on outside contractors to develop software for weapons systems. The GAO’s review demonstrated that “DOD acquisition and software security policies do not require program managers to identify and manage the risks of using foreign suppliers to develop weapon system software.” The GAO and the Department of Defense have found this to be of serious concern, and concluded that the DOD “must take steps to ensure that security is an integral element in decision making and that program managers mitigate risks accordingly.”[7] Legislative and regulatory activity throughout the government clearly reinforces that applications that manage sensitive data require a precise and consistent method by which security requirements are clearly defined, articulated, implemented, and audited.

Addressing outsourcing security concerns

Security concerns must be addressed in a systematic and precise way throughout the software development life cycle, from design to deployment, particularly when contracting the development work to an outsourced developer. There are two crucial steps that must be taken to build a structure of due diligence, which help ensure that the delivered software is secure prior to acceptance. This framework is vital for explicitly educating outsourcers on the security requirements for the application being developed:

Granular definition of critical data and processes: Security requirements must be an important part of the overall functional requirements of the project. For example, these requirements might include details on the following:

● Proprietary data
● Confidential data
● Privacy concerns
● Authorization to critical functions

Clear understanding of business value, audience and exposure: This analysis combines an understanding of the value of the proposed application to the organizational mission, on an operational or financial level, with an appraisal of how exposed the application is to the world at large, and to what audience(s).

Business value: How critical is this application or network to the financial or operational well-being of the organization? This can be determined according to how much revenue an application generates or what the internal costs are if it ceased to function.

Audience and Exposure: Who is the application or network serving, and how accessible does it need to be to serve that audience? What is its exposure to the outside world? Exposure is a function of how many individuals need access to the network or application, who they are in the organization, and what privileges are assigned to them. Simple, noninteractive information sites have high traffic, but expose little in the way of functionality to visitors. E-commerce sites allow virtually anyone to shop and exchange real money and confidential information. Dimensions of exposure must also include a description of the security of the deployment environment, to further explain the conditions under which each application could potentially expose back-end data and resources.

Fig. 2: Appropriate Security Mechanisms
[Chart. Vertical axis: Value, from low (Minimal Auditing) to high (Detailed Auditing). Horizontal axis: Audience and Exposure, from internal to external. The required mechanisms range from “No encryption, no authentication” at low value/internal exposure, through “No encryption, authentication”, “Authentication, encryption” and “Encryption, strong authentication”, to “Strong encryption, strong authentication” at high value/external exposure.]

Figure 2 demonstrates the level of appropriate security mechanism for the application or process relative to its business value and exposure. This analysis must be shared with the outsourcer to better inform them of the context and importance of the project to the overall mission of the organization.

Security as a contractual requirement

After the security requirements are identified, the next critical step is to make those requirements, as well as an audit process for confirming their successful implementation, a part of the RFP and final contract. As application development is increasingly outsourced, much has been written about the processes for ensuring a high-quality project delivery that meets the requirements of schedule and budget. Many organizations are defining service-level agreements (SLAs) that set expectations and terms, milestones, and deliverables according to a specific timetable. Many agreements fail to adequately define, evaluate, and set acceptance criteria for the security of delivered applications. Even in the cases where security requirements are included, few companies have a method for measuring or certifying that the code is secure before it is accepted and deployed. Given the sensitive nature of so many applications, it is critical that effective methods and criteria be established to ensure the confidentiality and integrity of the data processed by these outsourced applications.

Prominent security analysts urge organizations to require secure code within their development contracts. These requirements should include the right to audit the code, vulnerability remediation, definition of secure development practices, and the establishment of a security assurance warranty.

According to these analysts, there are four major areas that should be identified by a security contract addendum:
The right to audit: The organization dictates that security assurance is part of the process and that the responsibilities of both parties are understood prior to acceptance.

Remediation: When the audit identifies any flaws, there must be a well-defined process for the remediation of serious vulnerabilities prior to final acceptance. The details of this remediation phase must be clearly spelled out in the contract.

Development practices: Secure coding practices must be clearly described, and it must be documented that they were followed during the development of the project or application.

Security warranty: In the event that identified vulnerabilities are not resolved, there must be a baseline for judging the software to be insecure and therefore in violation of the terms of the security contract addendum.[8]

By aligning financial arrangements, penalties, and incentives with business objectives, both customers and vendors can create a better understanding of expectations, and eliminate potential sources of conflict when remediation is required. The security warranty provides both parties with clarity on how deficiencies can be handled. This serves to eliminate risk for the customer, but also provides the outsourcing vendor a powerful means of differentiating their proposal while helping to build and maintain an enduring partnership.

The need for secure code audits

The security audit requires an in-depth analysis of the source code for security vulnerabilities. Insecure software results in lost revenue, declined stakeholder value, liability, breaches of regulatory compliance, and compromised reputation.

There are four functions to which application source analysis is directed: certification, prioritization, tracking, and remediation. When selecting a source code analysis tool or audit provider, it must be judged by its ability to provide consistent, metric-based vulnerability assessment data in these four areas, according to your priorities:

Certification
Certification and accreditation activities are traditionally driven by external or internal audit requirements. These are applied to address governance, privacy, and stability issues for new, updated, or redeployed applications. In the case of outsourced applications, the issue is of paramount importance. Certification becomes the final acceptance criterion before payment. Critical to certification and accreditation activities are:

● Clear reporting in multiple formats for online and print consumption
● Credible metrics to establish baseline and threshold measurements

Prioritization
Security budgets can seldom bear the cost of analyzing and remediating all flaws across all applications. As a result, software security analysis tools used to prioritize these efforts must present two different measures of criticality, so that managers from both the provider and the contracting organization can focus on flaws for remediation according to their severity or location:

● Vulnerability of multiple applications, projects, or groups, according to both number and severity of vulnerabilities found
● Severity of individual application vulnerabilities, according to types and impact

Tracking
Security is not static, but rather a process. Absolute security is neither affordable nor achievable. Organizations must set a goal of an appropriate level of security. Any software vulnerability analysis product must offer the capacity to baseline the vulnerability of outsourced applications at a fixed point in time, and then apply consistent methodologies to track the progress of remediation efforts over time. In order to make this information most useful, there are two criteria for tracking and progress reporting.

● Granularity of assessed objects: Different items are tracked at different levels of the organization: at a broad level across the enterprise, and, for development managers, at the application, project, or file level as the outsourcing work progresses. In order for metrics to be universal and well understood, the capacity to report at multiple levels of aggregation must be included.
● Periodicity of assessment: Consistent, scheduled assessments are recommended for most progress reporting, and mandated by various regulatory measures. Enabling this assessment to run automatically on a schedule is an effective means of ensuring regular and reproducible reports for use by internal and external reviewers.

Remediation
Remediation of vulnerabilities takes a variety of forms based on the nature of the application, the vulnerability, and the organization. Baselines and threshold criteria drive acceptance decisions for outsourced applications. Remediation must be undertaken by those groups prior to deployment and full payment. This approach not only ensures reduced operational risk from the outsourced application, but also lowers development and support costs. The Constructive Cost Model (COCOMO II) research by Dr. Barry Boehm at the Center for Software Engineering at the University of Southern California determined that a bug that costs $1 to fix in the design phase costs $100 to correct in the field (Fig. 3).

Some development outsourcers bear responsibility for remediating any flaws that are identified and prioritized. The following information must be provided to developers in order to understand and repair any problems that are found.

1. Specific identification of the problem’s location, including file, line, and column. This dramatically reduces the time and cost of remediation.

2. Clear descriptions of the problem identified, including the potential impacts and severity of abuse, help educate developers in the concepts of secure programming. This must be included in order to generate lasting improvements in current and future projects.

Fig. 3: Cost of Remediation
[Bar chart. Vertical axis: cost to fix, $0 to $100. Horizontal axis: development phase. Source: Boehm et al, COCOMO II]

3. Conclusive recommendations for remediation, whether through alternative structures or more secure routines, are necessary to minimize the time investment necessary to resolve issues.

4. Aggregation of issues according to location, problem type, or vulnerable routine is necessary in order to combine vulnerability resolution efforts with other development processes. This increases the effectiveness of individual developer efforts.

A source code security audit is the critical component to ensure the security of the delivered outsourced application. Until recently, there was only one proven way to accurately ascertain the security state of an application: an organization establishes a security review team to manually examine the source code to identify vulnerabilities and request remediation from the outsourcer. This team might be an internal resource, or often an outside services organization with specific security expertise. While an effective way to evaluate source code, it is typically very expensive and time-consuming, and can be performed only once or twice a year. To fulfill the audit and certification requirements for outsourcing, a more cost-effective, consistent, and metrics-based method of application vulnerability analysis and remediation is required.

Software risk analysis and IBM

There are now proven security testing technologies to automate key parts of this process. Commercial solutions include products capable of automatically analyzing source code for vulnerabilities. One example is the IBM Rational® AppScan® Source Edition software risk analysis solution, which includes the ability to analyze source code for security vulnerabilities, providing precise details and remediation advice about coding errors, design flaws, and policy violations. Armed with this information, security managers, analysts, and developers can support software security audit efforts, manage the risk of vulnerable software, and eliminate software vulnerabilities at the source.

The Rational AppScan Source Edition solution provides organizations with several benefits related to securing outsourced application development:

Quickly identify the most serious security risks:

The minimum set of concerns includes the basics, such as buffer overflows and input or output validation. However, merely identifying these areas does not secure an application. The improper implementation of other security mechanisms, including appropriate use of cryptography, secure network communication practices, and access controls, can pose an even greater risk to the organization.

With outsourced application development, identifying these subtle vulnerabilities becomes even more challenging. For example, there might be in-house expertise relating to how cryptography is to be handled in order to meet compliance requirements. However, it is challenging to specify, and then verify, that these business requirements have been met.

The Rational AppScan Source Edition patented automated solution detects the widest range of coding errors and design flaws, allowing failures in meeting specified security requirements to be identified in the delivered code, and remediation undertaken according to the terms of the SLA. These capabilities can otherwise easily be overlooked during the evaluation of certification and accreditation approaches for outsourced code acceptance.

Maximize the effectiveness of your security stakeholders:

Software security does not just exist within a single departmental silo, but is, in fact, an enterprise-wide responsibility, touching security analysts, developers, executives, and auditors. Code auditors and certification and accreditation professionals need to obtain results in minutes, not days. Reports must be customizable to suit the SLA put in place, and they must highlight areas of relative concern. This enables SLA issues and resolution to be quickly and clearly identified and agreed on. Through the use of the Rational AppScan Source Edition solution, customers achieve market-leading time to productivity through its precise, actionable findings, reports, and remediation advice.

Rational AppScan Source Edition helps organizations add security-specific checks and monitoring throughout the software development life cycle. It provides a solution that serves various stakeholders, from security analysts, quality assurance (QA) analysts, and developers to managers and security leads. Rational AppScan Source Edition provides detailed management and security reports that pinpoint design flaws and policy violations, including lack of access control, cryptography, input validation, and logging. A centralized management dashboard provides aggregate information across a complete software portfolio, offering specialized metrics and trend reporting to better inform security risk decision makers.

For the developer, Rational AppScan Source Edition runs inside the integrated development environment (IDE), providing rapid pinpointing of vulnerabilities at the line-of-code level and advanced, relevant guidance. It enables developers to be full participants in developing and maintaining secure code. It also integrates with leading defect tracking systems to accelerate time between vulnerability detection and remediation.

These capabilities provide the entire organization with the tools and information needed to identify and mitigate vulnerabilities at all stages of the development life cycle. Within tight development schedules, the Rational AppScan Source Edition solution provides an affordable, practical, and consistently measurable way to validate the security of outsourced applications prior to acceptance.

Manage risk across your enterprise portfolio:

In order to effectively manage an application security strategy, there must be a way to measure and compare relative risk across the application portfolio and weigh it against its corresponding business risk.

With Rational AppScan Source Edition, users can understand and measure software risk across the entire software portfolio, relying on its consistent measurement and metrics, and organize the information in the ways that meet the needs of the business. Rational AppScan Source Edition’s patented, compiler-based analysis technology allows for rapid analysis of some of the world’s largest and most complicated applications. Its deployment flexibility allows users to use the tool in whatever way best suits their organization. They can use the tool in the IDE to access and scan code anywhere in the network, or remotely, allowing mobile users to operate on a single laptop, anywhere in the world.

Built-in security
Ensuring the security of the applications that drive organizations can no longer be an afterthought. While it should not be assumed that a software vendor would intend to maliciously insert vulnerabilities into these applications, most vulnerabilities are introduced through lack of training in secure coding practices or insufficiently careful coding when confronted with tight delivery schedules and burgeoning requirements. There are now ways to investigate, repair, and validate the security of the mission-critical applications on which businesses rely, whether developed in-house or by an outsourcing partner. The benefits of security assurance to the organization include the following:

● Reduced liability. Addressing vulnerabilities prior to deployment reduces exposure to external and internal threats.
● Compliance. The reporting and audit requirements are part of the acceptance process. Auditors, compliance officers, and regulators can easily monitor the process of security assurance.
● Data integrity. Software security assurance increases confidence in data integrity and in the business processes that are critical to the organization’s mission.
● Contained cost. The cost of identifying or remediating vulnerabilities in code developed by third parties is a major unplanned expense if not proactively addressed in an SLA. The cost of a security breach to a business can be devastating.
● Availability and stability. More secure software means an increased ability to withstand attack and compromise, and the increased availability of critical systems.

Explicitly identifying the security requirements of an outsourced project upfront, understanding its value to the organization’s mission, and setting acceptance criteria within the contract itself are critical components to ensure that the code delivered by the outsourcing provider is secure. The knowledge and tools are now available to make it practical and possible to evaluate security of source code prior to acceptance, and to validate an outsourcer’s compliance.
For more information

To learn more about the IBM Rational AppScan Source Edition, please contact your IBM marketing representative or IBM Business Partner, or visit the following Web site: ibm.com/software/rational/products/appscan/source/

Ryan Berg is a Senior Security Architect at IBM. Ryan is a popular speaker, instructor, and author in the fields of security, risk management and secure development processes. He holds patents and has patents pending in multi-language security assessment, kernel-level security, intermediary security assessment language, and secure remote communication protocols.

© Copyright IBM Corporation 2009. IBM Corporation, Software Group, Route 100, Somers, NY 10589, U.S.A. Produced in the United States of America, December 2009. All Rights Reserved.

IBM, the IBM logo, ibm.com, AppScan and Rational are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at ibm.com/legal/copytrade.shtml. Other product, company or service names may be trademarks or service marks of others.
[1] Greenemeier, Larry, “Companies Reconsider Offshore Outsourcing,” InformationWeek, December 10, 2001.
[2] Lewis, Diane E., “Increase in Tech Outsourcing Seen,” The Boston Globe, May 14, 2004.
[3] Perkowski, Mike, “Outsourcing: The CIO Insight Research Study,” CIO Insight, May 2002.
[4] Federal Financial Institutions Examination Council, “Information Security IT Examination Handbook,” December 2002.
[5] Federal Information Security Management Act of 2002, Public Law 107-347, December 17, 2002.
[6] Federal Information Security Management Act: 2006 Report to Congress from White House.
[7] Schinasi, Katherine, “Defense Acquisitions: Knowledge of Software Suppliers Needed to Manage Risk,” GAO-04-768, May 2004.
[8] Rasmussen, Michael, “Security Assurance in Software Development Contracts,” Forrester Research, May 24, 2004.

RAW14200-USEN-00
