Application security has risen to the top of the agenda for security professionals
striving to control their company’s overall risk profile. According to Gartner and
the Computer Emergency Response Team (CERT), 75% of new attacks target the
application layer and software vulnerabilities have reached an all time high – with
more than 7,000 new vulnerabilities discovered over the last year1.
At the same time, over $50 billion in custom code is being developed in locations
such as India, China, and Eastern Europe as many businesses have rushed to take
advantage of cost savings and flexibility to gain a competitive advantage.2 In fact,
over two-thirds of the world’s largest companies are engaged in offshore
outsourcing. However, due to training and developer turnover, secure coding and
application security testing of outsourced software are often overlooked. This
pushes both costs and liabilities onto the enterprise resulting in an unacceptable
level of unbounded risk.
In response to this emerging trend, analyst firm Gartner has recently advised their enterprise clients that
“…Application security testing should be mandatory for outsourced development and maintenance”.
Joseph Feiman, Gartner VP and Fellow, went on to recommend that “Enterprises should also consider
long-term arrangements with service providers that will be conducting deployed applications' dynamic
security testing on a continuous basis (because hackers will be inventing new types of attacks against
However, until now, enterprises have lacked an efficient manner to analyze the security of outsourced
software. Security testing has been limited to manual analysis by consultants, using internal teams with
source code tools or trusting the outsourcer to test their own code. None of these approaches scale to
cover an enterprise’s entire outsourced application portfolio and can add significant time and costs to
This whitepaper outlines how these limitations can be overcome by following five best practices that
enterprises can use to secure their outsourced application development. These key steps provide
enterprises with visibility into the security of their outsourced applications before the risk enters their
front door. From software risk assessments to embedding specific contract language into development
contracts, these practices provide guidance on steps that enterprises can immediately implement to
simply and cost-effectively meet regulatory requirements, establish metrics and SLAs and protect their
Microsoft Security Intelligence Report 2008 – Based on data from the DHS NVD & CERT
Gartner IT Services Forecast, 2007
Joseph Feiman, “Application Security Testing Should Be Mandatory”, 2007, Gartner ID Number: G00146313
Software: Today’s Biggest Security Risk
Today’s application has become the enterprise’s ‘‘new perimeter’’. With better network-level security
technology hardening the network perimeter, malicious attackers are now focusing their efforts to strike
at the least defended points --- - the application. While hackers were once satisfied with defacing Web
sites, unleashing denial-of-service attacks and trading illicit files through targeted networks, modern
attackers are profit-driven. Financial and customer data have become valuable commodities and
applications must be secure enough to protect them.
Recent industry statistics confirm this trend. Data from CERT reveals that the number of software
vulnerabilities has risen dramatically and has eclipsed 7,000 new software vulnerability disclosures in
the past year – an all time high4. Meanwhile, Gartner and NIST report that 95% of all reported
vulnerabilities are in software5, 78% of threats target business information, and 75% of attacks target
the application level6. Yet, even with these findings, most enterprises allocate less than 10% of their
security spending to application security.
CERT – Number of Software Vulnerability
NIST/Gartner Key Facts
Disclosures per Year
Microsoft Security Intelligence Report 2008 – Based on data from the DHS NVD & CERT
Mark Curphey, “Software Security Testing: Let’s Get Back to Basics” October, 2004, SoftwareMAG.com
Theresa Lanowitz, “Now Is the Time for Security at the Application Level” 2005, Gartner
Offshore Development Trends
It comes as no surprise that the amount of offshore software development has been drastically
transforming development processes for the past ten years. Companies have moved from staff
augmentation to project-based work to complete application development and maintenance
outsourcing. While one of the main drivers has certainly been around lowering overall costs, according
to an InformationWeek report enterprises have also indicated that they are increasing their outsourcing
activities for the following reasons:
Access hard-to-find technical skills
Focus on their core business
Improve service levels
Utilize a provider’s mature processes and methodologies
Create flexibility to “ramp-up” or “ramp-down” quickly
Recent industry forecasts for offshore development growth reflect this growing trend. In fact, according
to analyst firm Gartner, offshore software development is expected to rise from $50 billion today to
over $88 billion within four years7 and InformationWeek has reported that over two-thirds of the
companies in the InformationWeek 500 use at least some offshore software development to build and
maintain their applications8. India continues to lead all outsourcing locations with over 42% of the
offshore software development market, followed by China and Europe9.
Application Outsourcing Spending ($B)
“Applications Services Scenario: 2008 to 2012 — Trends and Directions, 2008”, 2008, Gartner
Mary Hayes Weier, “The Second Decade Of Offshore Outsourcing: Where We're Headed”, Nov. 2007,
Rick Saia, Peter S. Kastner, “Outsourcing Application Development and Maintenance”, Nov. 2006, Aberdeen
Five Key Steps
As multiple industry sources show, outsourcing application development allows organizations to realize
cost savings and provides the flexibility necessary to scale. However, it also introduces significant risk in
the form of security vulnerabilities and malicious backdoors. Enterprises face an uphill battle in
controlling security risks across their extended software supply chain. Identifying, controlling and
reducing the unbounded risk and capital requirements currently absorbed by organizations resulting
from insecure software are critical. Based on its experience working with enterprises that outsource
code development and outsourcing providers, Veracode has compiled a list of five key steps which help
enterprises implement security into their outsourced application development.
Step 1 – Risk Assessment
While it may seem obvious that as part of a risk assessment organizations need to create an inventory of
their applications that are being developed or maintained by an outsourcing provider, however, in
practice it can be a challenging exercise. With the advent of low cost offshore development, it is
common to see application “sprawl” as individual groups or business units may have contracted work
that previously would have required higher capital costs and formal approvals. When conducting an
application inventory, involve business units, procurement and vendor management to ensure you have
identified all software that was or is entering the organization through though outsourcing providers.
Once outsourced software has been identified, organizations need to understand the risk that the
application poses to the business. This can be achieved through the assignment of an assurance level
for each application based on business risk factors such as: reputation damage, financial loss,
operational risk, sensitive information disclosure, personal safety, and legal violations. Assurance levels
are used to determine the extent of testing methods (e.g. higher assurance levels may be tested using
multiple techniques) and the overall acceptance criteria (e.g. a lower assurance level application may be
accepted with a lower security scores as they do not pose a significant risk to the business). The
following chart from NIST provides guidance on selecting an assurance level based on business risk:
Step 2 – Embed Security Metrics and SLAs into Outsourcing Contracts
Outsourced software development contracts typically emphasize features, quality, time and costs. Thus,
the burden and risks of application security has fallen solely on the enterprise. Organizations need to
establish clear metrics and SLAs surrounding application security with their outsourcing partners as part
of the procurement and contract processes. This benefits both the enterprise and the offshore provider
by explicitly defining the goals and objectives around software security so both parties know what is
Security metrics and SLAs should be separated from functional or operational testing requirements and
need to address the following areas:
Security Testing Methods (i.e. static, dynamic, manual, etc…)
Security Providers and/or Tools (i.e. who will conduct testing, or what products will be used)
Security Score – What scoring method will be used and what score will be deemed acceptable
Vulnerabilities – What types of vulnerabilities need to be included in the assessment (i.e.
OWASP Top 10, PCI 6.5 , etc…)
Veracode has created a “Recommended Outsourced Software Development Security Contract
Language” which organizations can use as part of their development contracts and it is available as
Annex A of this document.
Step 3 – Conduct Independent Application Security Testing
Gartner recommends that application security
testing should be mandatory for all outsourced
development and maintenance. However, until
now, true testing of outsourced software has been
difficult due to the high cost and effort required to
conduct manual code reviews and the difficulty in
obtaining access to of source code. Because of
these issues, more than half of companies that
outsource application development conduct no
testing at all, and those that do test for security are
only able to address a small sub-segment of their highest risk applications.10
Given the current threat landscape, it is imperative that organizations test all of their outsourced
applications, ideally using a third party to obtain Independent Verification and Validation (IV&V). New
technologies and testing methodologies, e.g. automated security testing services offered by companies
such as Veracode, now enable organizations to independently test all of their outsourced applications
before they are accepted and deployed by the enterprise.
Fran Howarth "Why Application Security is Critical", April 2008, Quocirca
Step 4 – Set Acceptance Thresholds
Enterprises can leverage software security ratings to decide which applications are secure enough to be
accepted or deployed and which applications need remediation by the outsourcing provider before
To demonstrate setting acceptance thresholds, we will use Veracode’s SecurityReview service as an
example. Application testing with various testing techniques, combined with a scoring system based on
the Common Vulnerability Scoring System (CVSS) and the Common Weakness Enumeration (CWE)
standards, a Security Quality Score (SQS) is derived for each application. The assurance levels the
enterprise selected in Step 1 (above) is then applied to incorporate business risk and the output is
normalized to an easy to understand letter grade (A, B, C, etc…).
Thus, enterprises can set an acceptable grade – “A” for example and outsourcing providers know they
must achieve that grade for the application to be accepted. Setting thresholds and using standard-
based scoring removes the subjectivity and “gray-area” on what constitutes acceptance and clarifies the
process for both the enterprise and provider. Below is a chart that demonstrates how organizations can
use assurance levels, quality scores and testing methods to achieve an overall rating:
Step 5 – Outsource Applications to Providers with Security Certifications
Application security expertise should become a key element in the evaluation of outsourced application
partners. As part of their selection process, enterprises should ensure that they work only with partners
that implement security into all phases of development. Enterprises should look for certifications such
System Security Engineering-Capability Maturity Model (SSE-CMM)
CMM/Capability Maturity Model Integration (CMMI)
While the above are high-level quality and development programs are a good indicator of supplier
trustworthiness, they do not guarantee application security expertise and do not replace independent
security testing. Organizations should also look for application security specific testing and certifications
that have been formally validated by an independent quality seal of approval such as Veracode’s
“Verified by Veracode” assurance program.
How Veracode Can Help
Veracode Outsourcing SecurityReview provides simple, cost-effective, and automated security audits
that ensure enterprises receive secure applications from offshore development partners. Veracode
SecurityReview uses breakthrough patented binary code analysis and dynamic web analysis that is
uniquely able to detect application backdoors and can inspect entire outsourced application inventories,
including components and libraries, without requiring source code. This enables both outsourcing
providers and enterprises to implement security best practices, reduce operational cost and achieve
compliance without requiring any hardware, software or training.
As an expert in application security, Veracode is uniquely suited to
provide independent verification and validation (IV&V) of outsourced
applications without the need for costly on-site consultants.
Veracode's Ratings System produces a software security rating based
on respected industry standards including MITRE’s Common
Weakness Enumeration (CWE) for classification of software
weaknesses and FIRST’s Common Vulnerability Scoring System (CVSS)
for severity and ease of exploitability and NIST’s application
assurance levels. These universally accepted vulnerability scoring
methods provide a clear audit trail enabling enterprises to automate
the security acceptance testing of outsourced applications and meet both internal and external security
and compliance requirements and reduce their exposure to risk.
Veracode is the world’s leader for on-demand application security testing solutions. Veracode
SecurityReview is the industry’s first solution to use patented binary code analysis and dynamic web
analysis to uniquely assess any application security threats, including vulnerabilities such as cross-site
scripting (XSS), SQL injection, buffer overflows and malicious code. SecurityReview performs the only
complete and independent security audit across any internally developed applications, third-party
commercial off-the-shelf software and offshore code without exposing a company’s source code.
Delivered as an on-demand service, Veracode delivers the simplest and most-cost effective way to
implement security best practices, reduce operational cost and achieve regulatory requirements such as
PCI compliance without requiring any hardware, software or training.
Veracode has established a position as the market visionary and leader with awards that include
recognition as a Gartner “Cool Vendor” 2008, Info Security Product Guide’s “Tomorrow’s Technology
Today Award 2008,” Information Security “Readers’ Choice Award 2008,” AlwaysOn Northeast's "Top
100 Private Company 2008", NetworkWorld “Top 10 Security Company to Watch 2007,” and Dark
Reading’s “Top 10 Hot Security Startups 2007.”
Based in Burlington, Mass., Veracode is backed by .406 Ventures, Atlas Venture and Polaris Venture
Partners. For more information, visit www.veracode.com.
Annex A – Sample Outsourced Application Contract Language
This sample contract Annex is intended to help enterprises negotiate the purchase of outsourced
software development. Most software development contracts focus on features, functionality and
delivery timeframes. Additionally, they may require the developer to show a certain level of application
security competency or attempt to include liability clauses as part of the contract process. Frequently,
the parties have very different views on what defines application security and what has actually been
agreed to in the contract. The following languages lays out a simple process, utilizing independent
security reviews and industry standard benchmarks, which allows both outsourced developers and
enterprises to ensure that application security is embedded in the deliverable.
Portions of this document incorporate details from the OWASP Secure Software Contract Annex and the
SwA Working Group’s “Software Assurance (SwA) in Acquisition: Mitigating Risks to the Enterprise”
paper. Organizations are free to use the following sample language, however, as with any legal
agreement, we recommend you contact a qualified attorney prior to entering into any contract.
Sample Contract Annex
This Annex is made to _____________________ ("Agreement") between Client and Developer. Client
and Developer agree to maximize the security of the software according to the following terms.
2. ORIGIN, LIBRARIES, FRAMEWORKS, AND PRODUCTS
Developer shall disclose all binary executables (i.e. compiled or byte code; source code is not required)
of the software, including all libraries or components.
Developer shall disclose the origin of all software components used in the product including any open
source or 3rd party licensed components.
3. SECURITY REVIEWS
(a) Independent Review
Developer shall have their software reviewed for security flaws, in binary format (i.e. compiled or byte
code; source code is not required), by an independent organization that specializes in application
security, at their expense, prior to delivery to the Client.
(b) Review Coverage
Security reviews shall cover all aspects of the software delivered, including third party components, and
(c) Scope of Review
At a minimum, the review shall cover common software vulnerabilities. The review may include a
combination of static analysis of the binary code, dynamic web application vulnerability scanning, and
manual penetration testing.
(d) Issues Discovered
Overall application security ratings with aggregate number of flaws found by the independent
organization shall be reported to both Client and Developer. Detailed reports of specific vulnerability
instances within the application will only be provided to the Developer. All issues will be tracked and
remediated as specified in the Security Issue Management section of this Annex.
(e) Standard Benchmarks
To ensure that all parties have a common understanding of any security issues uncovered, the
independent organization that specializes in application security shall provide a rating based on industry
standards as defined by First’s Common Vulnerability Scoring System (CVSS) and Mitre’s Common
Weakness Enumeration (CWE).
(f) Review Frequency
Reviews shall be conducted to revalidate the software prior to delivery of any new major or minor
release prior to delivery to Client.
4. SECURITY ISSUE MANAGEMENT
Developer will track all security issues uncovered during the security review and the entire life cycle,
whether a requirements, design, implementation, testing, deployment, or operational issue. The risk
associated with each security issue will be evaluated, documented, and reported to Client as soon as
possible after discovery.
Developer will appropriately protect information regarding security issues and associated
documentation to help limit the likelihood that vulnerabilities in operational Client software are
Client and Developer shall create a mutually agreed upon remediation roadmap to resolve security
issues that are identified. Developer shall make all commercially feasible efforts to fix all high level
issues prior to delivery to Client.
5. SECURITY ACCEPTANCE AND MAINTENANCE
The software shall not be considered accepted until the independent review is complete and all security
issues have been assigned to a mutually agreed upon remediation roadmap.
(b) Investigating Security Issues
After acceptance, if security issues are discovered or reasonably suspected, Developer shall assist Client
in performing an investigation to determine the nature of the issue.
(c) Other Security Issues
Developer shall use all commercially reasonable efforts consistent with sound software development
practices, taking into account the severity of the risk, to resolve all security issues as quickly as possible.