I am looking for some white-papers that discuss security issues associated with outside contractors doing software development. I am especially interested in those issues that should be addressed when the development is done by foreign parties that may ultimately pose a security risk.
CERT/CC has their "Security for Information Technology Service Contracts" publication, but that document really doesn't have the details needed in several critical areas. For example, what are the processes that should be in place for:

- Code reviews?
- Configuration management?
- In-house oversight?
- How do you provide test data that is representative of 'real' data, but which reveals no sensitive information?
- How do you develop software that reflects actual business processes without revealing actual sensitive business process information?
- ETCETERA!

Anyone aware of other publications that discuss these types of issues? Does anyone have any actual in-house policies that address these issues? What are other issues that require consideration (that are not mentioned above, or covered in the CERT document)?

Thanks in advance for any and all help!

Jon R. Kibler
Advanced Systems Engineering Technology, Inc.
Charleston, SC USA