The ‘Offshore’ IT services market has grown extraordinarily fast in the global market in the past few years. Since the 1980’s, offshore outsourcing has become a major facet of the business world. An increasing number of organizations have turned to offshore outsourcing of application development and maintenance as a means to reduce the cost of information technology.
Definition: Offshore IT outsourcing is the practice of sub-contracting to a third-party company the performance of certain application development, maintenance and support function to a country other than the one where the primary organization resides.
In a report issued by Datamonitor, the current market is estimated at more than $10 billion USD annually. Some industry analyst estimate worldwide spending on IT services delivered by offshore companies will exceed $75 billion USD within three to five years.
According to Gartner, the leading offshore outsourcing countries by region are listed below.
Americas: Argentina, Brazil, Canada, Chile, Costa Rica, Mexico and Uruguay
Asia/Pacific: Australia, China, India, Malaysia, New Zealand, Pakistan, the Philippines, Singapore, Sri Lanka and Vietnam
Europe, the Middle East and Africa: The Czech Republic, Hungary, Ireland, Israel, Northern Ireland, Poland, Romania, Russia, Slovakia, South Africa, Spain, Turkey and Ukraine
Large organizations see this as a huge opportunity for costs savings. Many experts view IT offshore outsourcing as a potential threat to the domestic job market in the technical world and have asked the government for protective measures or at least closer scrutiny of existing trade practices. There is another threat that IT offshore outsourcing poses, the threat of covert espionage, backdoors and remotely accessible exploits.
Security and privacy concerns are now the biggest issue for companies considering outsourcing their IT projects to companies offshore. These concerns included, but are not limited to — fraud, backdoors, data theft, extortion and espionage and are the major components of offshore security risks that are now a major area of concern for outsourcers and our national security alike. Moreover, the unauthorized use of proprietary technology is another facet of security concern. Most clients and outsourcers come together to integrate safeguards into their systems. New laws are being enacted regularly with regards to IT security and data theft. These laws have given some degree of protection to outsourcing software development. Many organizations find comfort now that these laws have been enacted. That being said, security loopholes exist and are addressed when they are identified. Not only that, but in the world of cyber conflict, terrorists, extremist groups, hackers in general and rogue nation states do not make a habit of following the law.
In a random survey of technology professionals with a combined 250+ years of experience, the following insight was gleaned.
1. The current approach to code reviews, walk-thrus, testing, validation and acceptance reviews of software development that was outsourced would be extremely unlikely to detect the existence of back doors, trap doors or any other type of exploit.
2. The detailed testing, code review and walk-thrus required for a high degree of confidence that no malicious code has been embedded within the application
Below are the major influencing factors that came up during the data collection discussion.
1.Organizations that outsource application development have little if any control or oversight of the personnel assigned and working on the software development.
2. The size and complexity of current applications do not allow code reviews and analysis to a granular level that would ensure there are no back-doors or exploits.
3. The current state of automated testing and validation tools has very limited capabilities for detecting back-doors or exploits.
Below are some interesting facts and figures that were discovered during this analysis.
Fact: The software and services revenues of India are expected to hit $50 billion USD by the end of 2008
Fact: The three most common offshore outsourcing functions are software development, software maintenance and help desk support.
Given the current cyber threat environment, extra security measures must be taken to protect the information infrastructure of the nation, our government and our corporations. Failure to take such measures and address this threat results in a huge risk and liability. According to Ed Maggio, Professor of Criminal Justice at the New York Institute of Technology and an Advisor to Spy-Ops, “Organizations can outsource the work, but they cannot outsource their liability to ensure the integrity of the software produced.” Even with the added security testing and validation, you cannot be 100% sure the delivered software contains no malicious code.
So the only question that remains is, given the added cost of security testing and validation coupled with the remaining risk of undetected malicious code, do you really save anything by using offshore outsourcing for software development? Finally, for those skeptics out there, to think that our enemies have not thought of and may have actually placed covert assets in major development centers around the globe is short sighted and endangers our national security and the economic health and prosperity of our country and businesses.
“In a random survey of technology professionals with a combined 250+ years of experience“
I really hope that means the “random survey” only involved about 10 or 15 people. Anybody in IT for less than 10 years can barely find his own elbow, and the corporate IT world is chock full of people content to play in the shallow end.
Corporate IT vs. hostile foreign attackers is about the best definition of “asymmetric” that I’ve ever heard.
Hi Mac
You know it was hard finding someone in IT with over 10 years of experience but you are correct. Thirteen people I found that had the experience and the response was harsh and extremely harsh against offshore and thought security was here to fore not included in the evalutaion. I agree Corporate IT vs. hostile foreign attackers is about the best definition of “asymmetric” warfare.
These data breaches and thefts are due to a lagging business culture. I found some fresh and original thinking from the author of
Cyber Security is must and should be ensured while choosing an offshore software outsourcing firm. Outsourcing in general, and more specifically software development outsourcing, has been shown to result in both a reduction in production costs and a freeing up of other resources. Considering cyber security while choosing a software partner make sure the company has a excellent skilled programmers along with good repute and experience in the industry.
Regards
sdei
http://www.smartdatainc.net
EVERYONE READ THIS !!!!!! IT IS HAPPENING NOW!!!!
http://forums.military.com/eve/forums/a/tpc/f/672198221/m/4990024202001
Kevin you scar me — you are right way too often!!!
No one can be as lucky as you are with the timing of many of your blog postings! The outsourcing article and the World Bank “HACK” is a prime example!!!
Got to love it when all the negative posters on here get their words handed back to them.
Chris & Kevin
I just wanted to say thanks for providing such a great source of security intelligence. While I do not agree with everything your post on here, you have given me a heads up on things that I was able to put in place preventative measures that helps protect my company. This blog is the best source of security intelligence anywhere in the world. Keep it up!