Taking bets on secure code

A rumor being bandied about in the industry tells the tale of a company new to the information security marketplace outsourcing its software development for both its consumer and enterprise security solutions to programmers in China. The same company also may be doing, or currently is trying to do, business with the federal government. If this chatter doesn't make an IT security practitioner cringe a little, the company also provides some of the technology underpinning its own offerings to a larger, longer-standing security vendor.

I have yet to verify any of the chit-chat about this organization, which may or may not have some truth to it, so I'll decline naming names. But, even if this talk of handing over coding of security products to workers in a country that has made headlines for alleged state-sponsored attacks turns out to be balderdash, it does reveal something that more and more organizations will have to think about in an economy that is still proving challenging to many. When looking at the cheapest labor to help in the development of products – security or not – what should a vendor's executives take into consideration?

In a world of rising cyberespionage – both nation-state sponsored and crime-ring led – and growing evidence of backdoors being placed in software as products make their way through an often complex global supply chain, outsourcing any stage of a product's development must be a decision that's reached after much considered thought and executive debate.

Of course, outsourcing coding needs to both offshore and onshore development centers is a widely accepted and practiced business model nowadays. It frequently saves money and often helps shorten a solution's time to market. But, problems still exist, some of which can make what appears to be a cost-savings decision for a company morph into a horrifically expensive one when a range of coding-related problems is discovered and hopefully fixed.

Thinking again about the possibility that an IT security vendor may be outsourcing the coding of its security solutions to a country that has developed a notorious reputation because of its reported risks as a supplier – from contaminated food to malware-riddled software – can prompt anyone to think twice about purchasing its products. Then again, after some due diligence on the part of potential clients (including the federal government), the vendor could end up leading the way in demonstrating how an organization can assess the risks its overseas suppliers present and establish a thorough and practiced business plan that includes strong checks and balances to vet solutions before they are provided to customers.

Or…it could go the other way.

Whatever the case, if potential customers find out the code for the very solutions they are looking to buy to protect their own systems is written by contractors in China, they at least will want some reassurance that it and the developers who wrote it are vetted thoroughly. On the flipside, armed with that knowledge, potential clients just might pass over this company for a different vendor that creates all the bits of its products internally or uses coding pros who are situated somewhere other than China. I guess that would be the gamble for being open about one's internal business practices.

The trickier bet is the one this company is rumored to be placing – that no one finds out by whom and where the code behind their information security solutions is developed, which may, in the end, lose them a heck of a lot more than only a few customers.
