May 6th, 2003, 12:53 PM
Offshore Development = Security Risk
This raises an interesting point. The software vendors have enough problems just ensuring that their code isn't flawed or vulnerable to buffer overflows. Do they now need to also put together some sort of security review to search for backdoors, Trojans and other malicious code that may be planted by the people being paid to develop the product?
At last week's Techno-Security Conference here, users peppered a panel of corporate security officers with questions about the wisdom of outsourcing software development to cheap labor overseas, where there is little or no way to ascertain the security risk that workers may pose.
Of particular concern to some attendees is the work that is being sent to China. While not yet a major provider of outsourcing services, China has a significant economic espionage program that targets U.S. technology, the users noted. Also of concern are countries in Southeast Asia, particularly Malaysia and Indonesia, where terrorist networks are known to exist.
Even if they did, who's to say that the offshore developers don't have some tools or know some techniques that the security review team is not familiar with and can't detect? It would be awfully pompous and cocky to assume that we have the best of the best and nobody could sneak something past us.
For your average user this may not be an issue. Maybe even for many companies. But, it seems like possibly the government should take a look at the security risks presented by using software developed offshore and consider their alternatives.
May 6th, 2003, 07:41 PM
Personally I think offshore coding is a bad idea in general. Most of the code comes back very buggy, it's generally low quality and most companies are finding that they need to hire a programmer to debug/correct the code. It would probably be less expensive to hire the programmers to code it in the States to begin with.
I am a little biased on this though, I spent my years at an American university having to put up with Indian programmers going for their masters in CS, they couldn't grasp the basics of programming...they were lost in 100 level classes...these were grad students, we wasted a week of class because they couldn't grasp pointers or if statements.
Who is more trustworthy than all of the gurus or Buddhas?