At last week's Techno-Security Conference here, users peppered a panel of corporate security officers with questions about the wisdom of outsourcing software development to cheap labor overseas, where there is little or no way to ascertain the security risk that workers may pose.

Of particular concern to some attendees is the work that is being sent to China. While not yet a major provider of outsourcing services, China has a significant economic espionage program that targets U.S. technology, the users noted. Also of concern are countries in Southeast Asia, particularly Malaysia and Indonesia, where terrorist networks are known to exist.

Full Article
This raises an interesting point. The software vendors have enough problems just ensuring that their code isn't flawed or vulnerable to buffer overflows. Do they now need to also put together some sort of security review to search for backdoors, Trojans and other malicious code that may be planted by the people being paid to develop the product?

Even if they did, who's to say that the offshore developers don't have some tools or know some techniques that the security review team is not familiar with and can't detect? It would be awfully pompous and cocky to assume that we have the best of the best and nobody could sneak something past us.

For your average user this may not be an issue. Maybe even for many companies. But it seems like possibly the government should take a look at the security risks presented by using software developed offshore and consider their alternatives.

Thoughts?