Secure software development. A step-by-step guide.
Should I hand development to a remote team? By now everyone has felt how difficult it is to put together an in-house development team, and an in-house team is not always a possible way out. There are plenty of situations in which bringing in a remote team that is ready for a rapid start is a necessity. Organizing proper and fully secure development on your own side requires significant financial investment in technical equipment and in-depth study of the subject, and when you are on a deadline to deliver new modules this is ultimately not an option at all.
If we are talking about development by a third-party contractor, that is, outsourcing: how do you verify the contractor's integrity and competence? Can a contractor provide complete security? Is it possible to ensure the necessary level of security while working with a remote team? What must be spelled out in the contract? And what will it take to sleep soundly?
Let's sift through all the factors so that you can be sure about your actions: what we recommend doing to ensure secure development and how the processes should be configured. We divided the basic security measures within the contractor's company into organizational and purely technical ones.
Organizational security measures.
Staff recruitment. In the case of data or equipment theft, unauthorized access to information or interference with the system, there is a risk of lost profit and financial losses. In addition, there is a chance of losing key employees and teamwork; without them it is difficult to survive the crisis and restore the company's image and the positive dynamics of its development and revenue growth. Thus the person, whether developer or manager, is the main factor. We advise you to select team members carefully and to empower the security department to collect feedback from previous employers and customer reviews.
NDA (non-disclosure agreement), an agreement with the customer. This is not about a common NDA. In projects with high data security requirements it is necessary to sign an agreement with each team member who has access to production data. It covers non-disclosure, confidentiality, and the liability of all involved parties.
Organization of workspace access. When it comes to ensuring the safety of the business and its employees, an access control system is the most effective way to prevent unauthorized entry, restrict some employees' entry to prohibited areas and control the access of the whole team. We strongly recommend organizing automated access control to the premises and to the internal rooms of the office for employees and visitors, taking into account the assigned access rights. An important element of security is global re-entry (anti-passback) control, which allows you to stop the use of a pass after it has been handed to unauthorized persons or stolen.
Regulated access to personal computers. Reliable identity recognition is critical if you need to control users' access rights to certain information in order to prevent its damage or loss. In our practice we have come to use computers with biometric authorization. Using biometric readers, we can see who used a given computer, or entered the server room or another room, and when. Face-recognition authorization prevents illegal access to a workstation even if access codes have been stolen. Another biometric characteristic that allows identification is the analysis of keystroke dynamics (keyboard "handwriting"). The system collects information about each employee: it analyzes typing speed, pauses between keystrokes and key hold time, and builds an individual profile. If a third party, for example another employee or an attacker, uses the access code, the system can respond to the unauthorized login attempt by notifying a security specialist or denying access to the data.
Monitoring and analysis of each user's activity within the network using specialized systems. First of all, such a system determines the possible risks: which employee works with valuable information, what applications he uses and whom he communicates with. Thanks to the algorithm it is possible to predict the potential risk to the company if an employee is unreliable, and also to predict risks and find potential "holes" in the information security system. Behavior that deviates from the individual's norm is a signal of a violation of the security perimeter.
Video surveillance is an essential part of a modern security system. Companies want more and more to protect themselves from unwanted intrusions and attacks. Video surveillance is an information system that provides visual information, allowing you either to reconstruct the picture of an incident or to obtain the necessary data about events, processes and people. The job profile specifies to whom, how and under what circumstances personal data (individual credentials) for connecting to corporate networks may be disclosed. Such instruction is an integral aspect of high-quality and reliable development.
Completion of specialized courses and holding of software development certificates. Teamwork experience in accordance with standards such as SEC, FINRA, SOC 2, ISO/IEC and others. When choosing a contractor company, be sure to ask what certificates the team holds that speed up the creation of secure development processes.
Technical security measures.
Distributed data access rights. An obligatory component of development security is access rights (permissions and restrictions) for working with databases. They are distributed by assigning predefined roles to users and groups, which ensures that the data cannot be copied or modified. Developers' access to the test environment and to version control is also restricted.
Securing your local infrastructure. The local infrastructure allows you to test and debug features quickly. When developers produce new features, they can access production data through an intermediate host over a secure VPN connection. We also recommend configuring secure VPN access for external (trusted) services and servers. Staging boxes are not a universal solution in testing, as the process becomes too complicated; sometimes you may need to deploy a local test environment. Keep in mind that to eliminate internal threats of data corruption it is worth logging all actions. It is also advisable to limit the transfer of data outside the company network and its storage on external media.
Encryption. All data stored on computers and laptops must be encrypted so that even in the event of theft it cannot be used. It is necessary to provide data encryption protocols, encryption of the transport protocol of integration buses, and so on.
Architectural solutions, architectural protection: personal identification and posted information are kept separate. For example, in medicine this may mean storing personal information about a patient separately from the history of his illness.
Production data should be depersonalized so that it is impossible to trace the data owners.
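The separation described in the previous two paragraphs (identity kept apart from the illness history, production data depersonalized before developers see it) as an added Python example; it is not code from the original article, and the record layout, field names and the keyed-HMAC pseudonym scheme are assumptions for illustration:

```python
import hashlib
import hmac
import secrets

# Constructed sample production records (fictional patients, not real data).
PRODUCTION_RECORDS = [
    {"patient_id": "P-1001", "name": "Alice Example", "dob": "1984-03-02",
     "email": "alice@example.com", "diagnosis": "hypertension", "visit": "2023-05-11"},
    {"patient_id": "P-1002", "name": "Bob Sample", "dob": "1979-11-20",
     "email": "bob@example.com", "diagnosis": "asthma", "visit": "2023-06-02"},
    {"patient_id": "P-1001", "name": "Alice Example", "dob": "1984-03-02",
     "email": "alice@example.com", "diagnosis": "hypertension", "visit": "2023-08-19"},
]

# Fields that identify the person; they never leave the data owner's side.
PII_FIELDS = ("patient_id", "name", "dob", "email")

def pseudonym(patient_id: str, key: bytes) -> str:
    """Keyed HMAC of the real identifier: stable across records (so one patient's
    visits stay linked) but not reversible or re-computable without the key."""
    return hmac.new(key, patient_id.encode(), hashlib.sha256).hexdigest()[:16]

def split_records(records: list[dict], key: bytes) -> tuple[dict, list[dict]]:
    """Split each record into a vault entry (identity) and a development row
    (illness history). The vault stays with the data owner; only dev rows go out."""
    vault: dict[str, dict] = {}
    dev_rows: list[dict] = []
    for rec in records:
        pid = pseudonym(rec["patient_id"], key)
        vault[pid] = {f: rec[f] for f in PII_FIELDS}
        row = {k: v for k, v in rec.items() if k not in PII_FIELDS}
        row["pseudonym"] = pid
        row["birth_year"] = rec["dob"][:4]  # coarsened so age-based logic still works
        dev_rows.append(row)
    return vault, dev_rows

def contains_pii(dev_rows: list[dict], records: list[dict]) -> bool:
    """Hand-over check: no direct identifier value may appear in the dev data set."""
    pii_values = {rec[f] for rec in records for f in PII_FIELDS}
    return any(v in pii_values for row in dev_rows for v in row.values())

def reidentify(pid: str, vault: dict) -> dict:
    """Only the data owner, who holds the vault, can map a pseudonym back to a person."""
    return vault[pid]

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # kept by the customer, never shared with the contractor
    vault, dev_rows = split_records(PRODUCTION_RECORDS, key)
    print("safe to hand over:", not contains_pii(dev_rows, PRODUCTION_RECORDS))
```

The same pseudonym is produced for every visit of one patient, so the contractor's test data keeps its referential integrity while the key and the vault stay on the customer's side.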
Code-based security. According to statistics, most sites and software are vulnerable because of errors in the code. The code can be checked by a third-party company, but this is an additional cost. The ideal option is the implementation of secure development tools on the contractor's side. Requirements for code verification and secure development should be included in the technical requirements. For example, they should include: static code analysis at the development stage and at code acceptance within the SDLC; dynamic analysis (DAST, Dynamic Application Security Testing) of the developed applications; and analysis to search for so-called zero-day vulnerabilities, whose signatures and patterns are unknown. When the finished software is handed over, a report on the analysis of its security should be prepared. On the developer's side there should be an analyzer adapted for embedding into the development environment, providing the ability to check the code for vulnerabilities at each stage of the software life cycle. It is enough for the client to have the same analyzer as the developer, but in a lighter desktop version that just checks the final result (the ready-made application).
What is worth noting? This is not a complete list of the steps that can be taken to organize secure software development. We will be very happy to tell you more. If you have any questions that remain unresolved, please ask us; let's share experience and improve development security.