When all or part of the development process is outsourced, several overriding security issues arise. Each of them requires careful planning, execution and monitoring so that it can be verified as addressed before the software is accepted from the outsourcer. With the growing emphasis on application security, organizations are beginning to identify the security requirements of an outsourced project explicitly up front, and to set acceptance criteria in the contract itself that cover the security of the delivered source code. By requiring proof that outsourced software has undergone a rigorous code review, an organization can reduce its liability, demonstrate compliance with reporting and audit requirements, demonstrate data integrity, and improve the availability and stability of its operations. This paper discusses the need to address security concerns in outsourced applications, outlines a framework for addressing those concerns, explores the role of source code review in assessing and certifying outsourced applications, and provides a sample contract addendum for including secure-code requirements in RFPs and outsourcing contracts.