Onboarding a reliable software development partner solves so many problems. A stable and elastic partner will enable you to pivot, flex, and speed up or down safely. When outsourcing software development, passing security requirements is an overwhelming and important step to take with your vendor, IT team, and security group.
The mark of an organized, professional software development partner is one who can produce evidence of their ability to ensure security on multiple levels: your data, the source code, how the software is designed, and the environment or infrastructure where the software lives and teams operate.
Here’s a comprehensive guide to evaluating vendor security. We also provide information about our security practices here at Integrant.
NIST CSF Compliance
Cyberattacks are becoming increasingly complex and in the past there was no standard set of guidelines used to address this growing threat. In 2013 President Obama called for the creation of standards and the National Institute of Standards and Technology (NIST) responded with its Cybersecurity Framework (CSF) in 2014. In 2017, President Trump issued an executive order requiring the US government to implement NIST CSF standards. In December 2017 NIST published an update, Version 1.1, leveraging feedback collected from online forums, workshops, and organizations specializing in cybersecurity.
NIST CSF isn’t just for government agencies. Every business can and should adapt and adopt the best practices set by the NIST. Integrant, partnering with its customers and by engaging the services of third party security consultants, has been modifying and improving its security practices since the first version was published in 2014. We are currently in compliance with Tier 4, also known as the adaptive tier. This means we proactively detect threats, predict issues based on current trends, and have fully adopted NIST CSF.
SOC 2 Type II Certification
The Service Organization Control (SOC) 2 Type II certification means an independent, third party has reviewed, examined, and tested a company’s security controls. Security experts agree SOC 2 Type II is the best report for assessing cybersecurity.
SOC 2 looks at access, availability, system processing, data protection, and the handling of personal/confidential information.
Type II is an important distinction. If a company only earned Type I certification it means they claim to have controls in place, but their processes and infrastructure have not been audited or reviewed. An independent assessment requires anywhere from six months to a year of monitoring.
Passing SOC 2 Type II means the organization meets strict requirements set by the American Institute of Certified Public Accountants (AICPA). Software built by a SOC 2 certified firm is developed, reviewed, tested, and released following the AICPA Trust Services Principles. When you work with and grant access to a company like Integrant with SOC 2 Type II certification you know you’re protected against data breaches.
Ask your vendor for a copy of the SOC 2 Type II audit report. We would be happy to supply you with a copy of ours.
Annual Audits and Client References
Ask how often the vendor undergoes internal and independent audits. We secure the services of an independent, certified Security Officer with over 20 years of experience in managing complex computing environments. The Security Officer performs an SSAE 16 review, the auditing standard for service organizations, to ensure that we comply with our security policies and controls. We undergo this review annually.
Clients of ours in financial services require audits that go beyond the requirements of SOC 2 Type II. Our clients utilize customized security frameworks that include standards from SOC 2, NIST, and ISO. We must pass annually to continue serving these clients, and we happily comply. The stages of the annual review by our clients include self-attestation, vulnerability test summaries, requests for extensive documentation, interviews, and onsite assessments.
Understanding the vendor’s experience in high compliance, highly regulated industries is another good data point to review.
Secure Digital Touchpoints
When evaluating vendors for a software development project, your due diligence involves asking questions around code management and connectivity.
Whether you plan to use a vendor’s infrastructure or your own, evaluating the dev/test environment, code quality resources, communication tools, and security processes is a great way to gauge their preparedness. Do they use static code analysis tools? If yes, which ones and why? What project management or electronic board tools do they use today? How flexible are they in learning your tools if they don’t use the same ones you do?
Ideally your vendor will adopt the tools, security requirements, and preferences of your team and organization. Learning how flexible and open they are is indicative of what type of partner they will be. Will you always have access to your code, your IP? Can you pull it anytime you need it? Are they open to working in your environment? Do they have their own environment that is ready for you to use?
The best vendors will have options and you will be able to pick the one that works best for you. At Integrant, the breadth and depth of our resources allow us to support multiple code management and connectivity environments. Following are a few models we offer and the pros and cons of each.
Option 1: Code lives in your environment
In this situation the vendor team works within your environment using your tools. The external team accesses your servers through a client-based VPN solution, with access restricted to only the systems that are needed. This is also typically how client employees connect from home.
Alternatively, code is developed locally and the appropriate files are then moved into a secure shared landing zone.
Things to Consider
- If you have a robust internal environment, this option allows you to leverage it. If you’re a startup or lack the “latest and greatest” in your internal environment, you may not have access to tools like static code analysis, continuous integration, continuous delivery, etc.
- This option accommodates any internal security protocol requiring that all source code reside within your walls. Your IT team will have full control and the ability to monitor and audit all traffic. There is no way to copy or move data, source code, etc. Nothing leaves your environment.
- One potential downside to consider is any latency or connection issues. At Integrant we have stable, high speed internet connectivity at our facilities. It’s a top priority for our IT team. Review this with your vendor to ensure no loss in productivity.
Option 2: Code lives in the vendor’s environment
If your vendor has supplied ample evidence of security controls, there may be significant benefits to allowing the code to live in their environment. This is an option to consider if the vendor’s development infrastructure offers tools that are not readily available in yours. At Integrant, we offer the following:
- Continuous code quality inspection platform
- Source code management
- Reporting and dashboards
- Requirements and project management
- Automated builds, continuous integration, auto deployment, release management
- Test management
Things to Consider
- You might choose this option if you’re a startup with few or no software dev/test related resources.
- Or you might be part of a large company with a robust IT department and it might be easier for you to have us handle source code than to go through the sometimes cumbersome, time-consuming process of getting us access to your on-site environment.
- With this model you can start right away and avoid investing in tools and training associated with code management and quality.
However, you want to watch out for vendors who will hold your code hostage. Verify you have 24/7 access to your code. At Integrant we address code ownership concerns in several ways:
- Our contract with our clients states clearly that all code is the property of the client.
- Due to our internal process and tools, the client has 24/7 access to the environment and can download current code on a daily basis.
Data management and handling
From a development and testing perspective, your vendor team can work with data schemas/objects, logic guiding how the data is populated, and dummy or scrambled data. When you are ready to deploy, the team can travel to work onsite, or your internal team can manage the deployment. Roughly 75% of the development will be conducted offsite and 25% onsite. Similar to the deployment process, critical issues and maintenance can be managed by onsite staff.
Option 3: Hybrid Environment
In this scenario we leverage cloud-based applications. This option provides access to all the tools available in your vendor’s development environment, but the code is parked in the cloud via GitHub, Bitbucket, or a similar third-party repository. The vendor team uses the same systems and is assigned usernames and passwords with appropriate permissions for these applications.
Things to Consider
- The same security considerations as Option 2 are in play, but you will have full access and control over your code. You have the option to give users read-only access: they can’t change the code directly, only propose changes through pull requests. You can also shut down access to users as needed.
- Use good security practices, like two-factor authentication, when using a third-party repository.
Best Practices in Designing and Building Secure Applications
As .NET developers, we follow Open Web Application Security Project (OWASP) guidelines. Using tools like SonarQube enables us to effectively follow OWASP standards. We also regularly undergo and pass penetration testing conducted by neutral third parties.
For full security testing we recommend leveraging specialists in application security testing to ensure an objective, neutral, thorough evaluation.
Security Begins with People
Everyone is a full-time Integrant employee, and you will know every member of your team. Here are some of the practices documented in our SOC 2 Type II report related to our people:
- Human Resources management utilizes a new hire checklist to ensure that specific elements of the hiring process are consistently executed. A copy of the new hire checklist is maintained in the employee file.
- Comprehensive background checks are performed by an independent third party for certain positions as a component of the hiring process.
- Employees must sign a confidentiality and non-disclosure agreement to not disclose proprietary or confidential information, including client information, to unauthorized parties.
- Management maintains insurance coverage to protect against dishonest acts that may be committed by personnel.
Beyond hiring ethical people and clearly communicating expectations around security, ask what certifications the vendor’s staff hold. In addition to providing regular training, we hold the following certifications: GIAC-GWEB, GIAC-GSSP, and CSSLP.
Ask Whether Policies Apply to Subcontractors
Another important question to ask is whether your vendor leverages the services of contractors or subcontractors for development and testing. If the answer is yes, verify that the same guidelines are followed for everyone who is touching your code, data, and IP. Are they performing background checks? What type of hardware (laptops) are they using? Where are they working from (secure network)?
At Integrant everyone is a full-time employee. On the rare occasion we engage a contractor for specialty services such as graphic design, we follow the same security practices, even for people who do not have access to your data or code.
It’s all about asking good questions and requiring evidence.
- What security frameworks does your vendor follow?
- What certifications do they hold?
- Do they have experience working in highly regulated industries?
- Where will your code live? How easy will it be for you to access the code?
- How prepared, secure, and professional is the vendor’s work environment?
- Do they perform background checks, provide training, and require contractors to undergo/follow the same policies and procedures as full-time staff?
How your vendor handles your code is a good representation of how they’ll handle the business relationship.