Control 8.30: Outsourced Development
Summary
The organization should direct, monitor and review the activities related to outsourced system development. This ensures that third-party developers adhere to the same security standards as internal teams, preventing the introduction of hidden vulnerabilities.
Applicability
In-Scope: Mandatory for organizations that use contractors, agencies, or offshore teams for software development. It addresses the risk of the untrusted developer and the security of the offshore environment.
Out-of-Scope: The control can be excluded only if 100% of development work is performed by internal, full-time employees; any use of contractors, even for a single component, brings it back into scope.
Implementation Guidance
Microsoft 365 / Entra ID
- Secure Access: Give outsourced developers accounts that the organization creates and controls in Entra ID (B2B guest or member accounts, never personal or vendor-owned identities), and use Conditional Access to allow access to source repositories and build systems only from Microsoft Dev Box or Azure Virtual Desktop (AVD) sessions, so that company code never lands on unmanaged external hardware. Disable the accounts when the engagement ends.
- Contractual Alignment: Include the organization's Secure Coding Standards, confidentiality obligations and right-to-audit clauses in every development contract.
- Independent Verification: Require outsourced teams to deliver their own security test results (for example SAST, dependency scan and penetration test reports), then perform the organization's own final security review of all delivered code before accepting it; do not rely on the supplier's results alone.
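The following is an added example, not code from this page or from Microsoft, showing how the Secure Access point above can be enforced technically rather than by policy alone. It uses the Microsoft Graph PowerShell SDK to create a Conditional Access policy that allows members of a contractor group to sign in only with MFA and from an Intune-compliant device, which in practice means the Dev Box or AVD session host rather than the contractor's own laptop. The group name "Outsourced Developers" and the policy name are assumptions; a policy that requires only MFA (the common weak setting) is shown commented out for contrast, because it still lets a contractor clone the repository to any machine they control.

```powershell
# Added example (not from the original page). Requires the Microsoft.Graph
# PowerShell SDK and admin consent for the scopes below.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Group.Read.All"

# Resolve the group that holds outsourced developer accounts.
# "Outsourced Developers" is a placeholder name (assumption).
$contractors = Get-MgGroup -Filter "displayName eq 'Outsourced Developers'"
if (-not $contractors) { throw "Contractor group not found; create it first." }

# Weak setting (do NOT use): MFA only. The contractor can still sign in from
# an unmanaged personal laptop and copy the source tree to local disk.
# builtInControls = @("mfa")

$policy = @{
    displayName = "CA-Contractors-RequireCompliantDevice"   # placeholder name
    # Start in report-only mode, review the sign-in log, then set to "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeGroups = @($contractors.Id) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "AND"
        # Corrected setting: MFA AND a compliant (Intune-managed) device,
        # so only Dev Box / AVD hosts enrolled by the organization qualify.
        builtInControls = @("mfa", "compliantDevice")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Confirm the policy exists and targets the intended group before enabling it.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object DisplayName, State,
        @{ n = "Groups";   e = { $_.Conditions.Users.IncludeGroups -join "," } },
        @{ n = "Controls"; e = { $_.GrantControls.BuiltInControls -join "," } }
```

Run the policy in report-only mode first so that the Entra sign-in log shows which contractor sessions would have been blocked; the exported log of that review doubles as oversight evidence for the auditor.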
Evidence Checklist
- Development Agreements: Signed contracts containing specific security and confidentiality requirements for outsourced code.
- Oversight Records: Documentation of periodic meetings or code reviews performed with the outsourced team.
- Delivery Sign-off: Evidence that the organization formally reviewed and tested the delivered software for security compliance before production deployment.
Practical Audit Advice
Here are some questions the auditor might ask:
- How does the organization verify that an outsourced developer is following your internal secure coding guidelines?
- What technical controls prevent an external contractor from copying your entire source code repository to their own personal storage?
- How do you ensure that the outsourced team is not using unvetted or vulnerable third-party libraries in your project?
- Can you provide evidence of a recent security audit or code review performed on a delivery from an external development partner?