[ISN] Offshore Coding Work Raises Security Concerns

From: InfoSec News (isnat_private)
Date: Mon May 05 2003 - 22:23:28 PDT

  • Next message: InfoSec News: "[ISN] South Korean Group Sues Microsoft Over Slammer"

    http://www.computerworld.com/securitytopics/security/story/0,10801,80935,00.html
    
    By DAN VERTON 
    MAY 05, 2003
    Computerworld 
    
    MYRTLE BEACH, S.C. -- IT professionals are raising serious questions
    about the U.S. software industry's reliance on overseas software
    developers, arguing that the practice puts companies and the U.S.  
    economy at risk.
    
    A recent study by Gartner Inc. predicts that by 2004, more than 80% of
    U.S. companies will consider outsourcing critical IT services,
    including software development, to countries such as India, Pakistan,
    Russia and China. But some users said the trend needs to be given a
    sanity check in light of recent changes in the global security
    environment.
    
    At last week's Techno-Security Conference here, users peppered a panel
    of corporate security officers with questions about the wisdom of
    outsourcing software development to cheap labor overseas, where there
    is little or no way to ascertain the security risk that workers may
    pose.
    
    Of particular concern to some attendees is the work that is being sent
    to China. While not yet a major provider of outsourcing services,
    China has a significant economic espionage program that targets U.S.  
    technology, the users noted. Also of concern are countries in
    Southeast Asia, particularly Malaysia and Indonesia, where terrorist
    networks are known to exist.
    
    Speaking directly to Oracle Corp. Chief Security Officer Mary Ann
    Davidson, one audience member said that it's "ironic that the
    countries the software industry trusts the least with binary code are
    the places where source-code development is being sent."
    
    Davidson acknowledged that Oracle, which sells its software to all of
    the major U.S. intelligence agencies, does outsource some of its
    development work to companies in India and China. However, "we give
    read access, not write privileges, to developers in India," she said.  
    "And for the work done in China, it's quality control, and they do not
    need source-code access to do that."
    
    Although Davidson acknowledged that there is "a national security
    issue" involved in moving development work overseas, she said there is
    also no guarantee that a worker who is a U.S. citizen won't
    intentionally harm source code.
    
    The economic situation today is such that "you can't build these
    products without non-U.S. citizens," said Davidson. "Whether you like
    it or not, our national secrets are already being preserved by people
    who built these parts of the core infrastructure, and they're not U.S.  
    citizens."
    
    Assessing Risks
    
    Tim McKnight, chief information assurance officer at Los Angeles-based
    Northrup Grumman Corp. and a former security officer at Cisco Systems
    Inc., said companies must put in place a verification and auditing
    process. And he said that effort will be costly.
    
    "At Cisco, we had teams that would go overseas and verify the people
    that were there, monitor their access to file servers and source-code
    servers and do risk assessments," said McKnight. "It is very difficult
    to truly know who these people are. It can be done, [but] you really
    need buy-in from the top of the corporation."
    
    A show of hands during the closing session of the conference indicated
    that the majority of attendees doubted the ability or willingness of
    software companies to conduct proper background investigations of
    foreign software coders working overseas.
    
    That's not surprising, given that few companies in the U.S. conduct
    background investigations on IT personnel, said Joyce Brocaglia, CEO
    of Alta Associates Inc., a Flemington, N.J.-based executive search
    firm. "I'm surprised at how few of my clients actually do background
    checks on their information security professionals," she said. "At
    most, they require me to do a reference check."
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Tue May 06 2003 - 00:06:30 PDT