Any decision to outsource web application security or penetration testing does not exempt an organisation from responsibility. Risk is never transferable, so it should not be assumed that outsourcing will solve every problem. The biggest benefit, however, may be a financial one: when operations are completely outsourced, the financial liability may also shift, insuring the organisation against massive losses in the event of a catastrophic security breach.
There are, however, several points that need to be borne in mind before making a final decision about outsourcing some or all elements of a web application security program.
- Certainly, the staffing headcount involved in vulnerability management programs will be reduced, but the main issue to be concerned about is whether you have defined your requirements sufficiently to ensure an effective outsourced solution.
- It is therefore important to develop a clear and concise service level agreement, normally drafted in consultation with legal advice, to provide a sound foundation for the outsourcing relationship and to clarify the responsibilities and remedies that arise from the terms of the contract.
- Security itself is an issue that should not be overlooked. Outsourcers gain access to potentially sensitive personal data, and this is not without risk. Remember that once an outsourcer has access to your data, the contract should require that data to be shared back with you. This simple point, overlooked in the past, has resulted in expensive legal arguments.
- Apart from SLAs, you need to be definite about how metrics will be provided and evaluated. In other words, make sure you will have sufficient data to measure the outsourcer's performance. It is therefore important to clarify timeframes and expectations as well as costs. The metrics need to be clearly defined and agreed upon at the start of the contract.
- Naturally, some elements of your business will be commercially sensitive, and you may not wish to outsource the parts of a vulnerability management program that would involve disclosing this information. Knowing exactly what to outsource is a key decision.
- Choosing the right outsourcing specialist is another issue, and you need to seek advice about the expertise each organisation claims to offer. Consulting companies can be hired to evaluate potential providers, and such strategic security consulting firms are well worth the money during this process. It is hard to tell the difference between a good and a bad computer security expert, which is why an independent assessment can be of great assistance.
It is certainly possible, and in many cases an attractive financial option, to outsource various elements of a penetration testing program. The important point to remember is that the guidelines, agreements and contractual obligations, including timeframes, must be clearly defined before the contract begins so that disappointment can be avoided.