Protect Your Assets
Showing results for 
Search instead for 
Do you mean 

Verify the application security of your 3rd party development

‎06-27-2013 08:39 AM - edited ‎09-16-2015 02:00 PM

You're smart.  You have meticulously crafted application development contracts with an off-shore development company.  Your contracts include very detailed contractual language in the agreement with the third-party to specifically call out the type of security testing and standards that they will be held to…and the consequences of not meeting those standards or Service Level Agreements (SLA).


Question: After all of the hard work you have put into your application development contracts, how do you verify that the SLAs you have laid out are being met?


Answer: Implement an application security gate with HP Fortify


An HP Fortify application security gate can be set up for all third-party code to pass through.  It ensures that application security criteria are met before the code is accepted into your company. The results can be rolled up into a single dashboard with your other Fortify application monitoring (SCA, WebInspect, Fortify on Demand) so that you have a single place to assess your application security.



The goal of outsourcing development is to create more cost-effective applications. Security and quality should be equivalent to what you develop in-house.  Some key elements of establishing quality outsourced development:


1.   Ensure you have application security requirements and SLA’s in your contract

      If you do not already have these in your contracts you will need to renegotiate them with your third-party vendor. This may result in sticker shock so it is best to negotiate security requirements and SLA’s on initial contract assignment.  The investment up front is far better than the potential damages from not doing it.


2.   Establish an application security gate to test and measure SLA performance

      This will ensure that the SLAs agreed to in the contract are actually being met. It is much better (and more cost effective) to find security issues at this stage rather than after you have accepted the code and it has been pushed to production.


3.   Fortify solutions can automate security gate testing and measurement

      Establishing this security gate with Fortify means that the process can be automated and is repeatable. This not only saves time but also creates standardized metrics which can be tracked and applied to SLA adherence.


Don’t forget to keep your house clean too!


Keep in mind that if you do not have application security standards set with your internal development shop you will need to standardize and measure security there as well.  We see the fundamentals of governing application security apply similarly to in-house and outsourced developed applications.  A key difference in the mechanics of governing application security is whether the requirements are formalized in a company policy (in-house) or an outsourcing contract (outsourced).  Regardless of where the applications are developed, traits of effective governance are to have a security gate and to apply automation to measure and report.


I guess now is the time to ask yourself if you are holding your third-party application vendors to the same security standards as your internal development?


For more information on how Fortify can be used to help you manage the application security of your outsourced (or in-house) application development visit:



0 Kudos
About the Author


Leave a Comment

We encourage you to share your comments on this post. Comments are moderated and will be reviewed
and posted as promptly as possible during regular business hours

To ensure your comment is published, be sure to follow the Community Guidelines.

Be sure to enter a unique name. You can't reuse a name that's already in use.
Be sure to enter a unique email address. You can't reuse an email address that's already in use.
Type the characters you see in the picture above.Type the words you hear.
Jun 7-9
Las Vegas
Discover 2016 Las Vegas
Discover 2016 in Las Vegas, the ultimate showcase technology event for business and IT professionals to learn, connect, and grow.
Read more
Sep 13-16
National Harbor, MD
HPE Protect 2016
Protect 2016 is our annual conference and is the place to meet the world’s top information security talent, discuss new products and share information...
Read more
View all