
Thread: Offshore Development = Security Risk

  1. #1
    AO Security for Non-Geeks tonybradley's Avatar
    Join Date
    Aug 2002
    Posts
    830

    Offshore Development = Security Risk

    At last week's Techno-Security Conference here, users peppered a panel of corporate security officers with questions about the wisdom of outsourcing software development to cheap labor overseas, where there is little or no way to ascertain the security risk that workers may pose.

    Of particular concern to some attendees is the work that is being sent to China. While not yet a major provider of outsourcing services, China has a significant economic espionage program that targets U.S. technology, the users noted. Also of concern are countries in Southeast Asia, particularly Malaysia and Indonesia, where terrorist networks are known to exist.

    Full Article
    This raises an interesting point. The software vendors have enough problems just ensuring that their code isn't flawed or vulnerable to buffer overflows. Do they now need to also put together some sort of security review to search for backdoors, Trojans and other malicious code that may be planted by the people being paid to develop the product?

    Even if they did, who's to say that the offshore developers don't have some tools or know some techniques that the security review team is not familiar with and can't detect? It would be awfully pompous and cocky to assume that we have the best of the best and nobody could sneak something past us.

    For your average user this may not be an issue. Maybe even for many companies. But, it seems like possibly the government should take a look at the security risks presented by using software developed offshore and consider their alternatives.

    Thoughts?

  2. #2
    Senior Member
    Join Date
    Mar 2003
    Location
    central il
    Posts
    1,779
    Personally I think offshore coding is a bad idea in general. Most of the code comes back very buggy, it's generally low quality and most companies are finding that they need to hire a programmer to debug/correct the code. It would probably be less expensive to hire the programmers to code it in the States to begin with.

    I am a little biased on this though, I spent my years at an American university having to put up with Indian programmers going for their masters in CS, they couldn't grasp the basics of programming...they were lost in 100 level classes...these were grad students, we wasted a week of class because they couldn't grasp pointers or if statements.
    Who is more trustworthy than all of the gurus or Buddhas?
