EquaTerra, EquaSiis and Veracode Partner to Enable Higher Security Standards to Combat Risks in Software Development and Management Outsourcing
Veteran industry, government security and risk experts partner to implement security acceptance controls and improve security quality in outsourced software
London, Houston, New York and Boston – 20 April, 2009 – An initiative to help enterprises, government agencies and application outsourcing service providers better ensure the integrity of their data and the security of their software was announced today by industry-leading management consultancy and sourcing advisor EquaTerra, sourcing software and services firm EquaSiis, and Veracode, provider of the world’s leading Application Risk Management Platform. The collaboration between the three firms is squarely aimed at combating the increasing risk that data will be compromised by application security vulnerabilities in software, including software managed by third-party outsourcers. The result will be new and innovative governance models that include contractual terms to mandate security verification, best practices, security acceptance criteria and an overall risk model for improving the security of outsourced software. As part of this initiative, EquaSiis will enable and educate outsourcing service providers through training, guidance and best practices.
“Data and application security have become too critical in an era of global sourcing to be left to chance or addressed using yesterday’s tools, techniques, terms and conditions”, said Mark Robinson, COO at EquaTerra. “We are taking the initiative to help buyers mature their application sourcing and governance program and embody the security services, capabilities and contractual terms available in the market today.”
While efforts to protect data and software applications are not new, most approaches have become increasingly ineffective because they have not focused on the core issue: the quality of the delivered application code itself. Organizations continue to spend more on data and application security and get less in return for this investment. “Failure to adequately secure sensitive customer, corporate and governmental data and intellectual property is not only a serious business risk, it is one that has national security implications as well,” said Jack Tomarchio, Principal, the Agoge Group, and former Deputy Under Secretary for Operations, Office of Intelligence and Analysis, Department of Homeland Security.
Analyst firm Gartner has forecast the application outsourcing market to surpass $81 billion by 2011[1] and has been a strong advocate of implementing proper security requirements into outsourced development contracts for some time. A recent report from Quocirca has found that over 60% of companies that outsource the coding of their critical applications do not mandate that security must be built into the applications.
“Gartner recommends that application security testing be mandatory in all outsourced development initiatives,” said Arabella Hallawell, Gartner Research VP. “Outsourced contracts should specify terms and conditions that detail how security is built into the development lifecycle; when, how and by whom security testing and validation is performed; and which issues are to be fixed within a certain timeframe.”
Collectively EquaTerra, EquaSiis and Veracode possess an unmatched set of capabilities to address data and application security challenges with a more holistic and multi-dimensional approach. Veracode’s SecurityReview Application Risk Management Platform, EquaTerra’s global sourcing expertise and EquaSiis’ outsourcing governance software will enable enterprises to mandate and independently verify security quality, with metrics, tools and services to monitor performance and manage compliance.
“As corporate technology requirements continue to evolve, businesses more and more find themselves looking at outsourced development to provide solutions,” said John Bird, VP at Chevy Chase Bank. “Today, the security quality of outsourced code is largely unknown and the risk inherent in the application belongs to the enterprise. Standard, sound and verifiable metrics, independent testing, and acceptance processes for security are critical elements of software development and should be embedded in outsourcing contracts. Customers and stockholders will demand that these risks be effectively addressed for their protection and that of their investments.”
“You can outsource development, but not the liability associated with ensuring your employee and customer data is secure,” said Matt Moynahan, CEO of Veracode. “We are excited about this important industry collaboration to empower enterprises with an easy and cost-effective solution to govern the security quality of outsourced application development. In our experience, security of third-party code is typically low on first verification, but with proper governance and services, remediation time can be shortened and quality dramatically improved. This partnership will enable organizations of all types to ensure that their software infrastructure is secure, while continuing to enjoy the benefits of their global outsourcing efforts.”
[1] Gartner Outsourcing & Vendor Management Summit, Applications Services Scenario: 2008 to 2012 — Trends and Directions, Dane Anderson, May 19-21, 2008