Help Net Security – by Mirko Zorz
Balazs Fejes joined EPAM Systems in 2004, when Fathom Technology merged with EPAM Systems. Prior to co-founding Fathom Technology, Mr. Fejes was a chief software architect/line manager with Microsoft Great Plains (Microsoft Business Solutions).
He has won numerous awards for programming excellence and has previous experience working in the US and Russia.
In this interview, Mr. Fejes discusses the security implications of outsourcing, privacy breaches and compliance laws.
What is the outsourcing industry neglecting or ignoring in terms of security? What areas need more work?
Everybody started to focus on getting various certificates, proving that they comply with security standards. This is just half the story, focusing on how you work and how you create your deliverables; what people overlook is the security of the actual code which has been developed. Many projects today overlook the importance of proper threat analysis and secure code development standards, or they claim they follow those but never really check into it or audit for it. Due to the currently increasing pressure to deliver solutions cheaper and faster, this is one area which is regularly cut from today’s projects. EPAM has dedicated staff for auditing the code which we deliver, to try to address any architectural security weaknesses and adherence to secure coding best practices; we are doing it continuously, using code analysis tools tuned for secure coding and regular peer reviews. One critical aspect of IP protection, very much overlooked today, is whether the source code created by the engineers is really a genuine product or not. The abundance of various open source projects, and the search engines indexing them like Google’s Code Search or Krugle, tempts engineers to take code from these projects and use it, not understanding that open source doesn’t mean free. Most outsourcing companies do not have proper control over this and do not ensure the safety of their clients from license infringements.
EPAM employs rather sophisticated release and scanning processes to ensure that the code we deliver does not contain license infringements and that we comply with the licensing terms required by our clients, making it part of our continuous integration approach and comparing the code created by our developers with millions of projects.
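The answer above describes comparing delivered code against an index of open source projects to catch copied snippets and their license obligations. The following is an added illustration of the basic mechanism, not EPAM's tooling or any real scanner: it normalizes source text (comments and whitespace removed), fingerprints every window of three consecutive lines with SHA-256, builds an index from a constructed reference corpus (the two "projects" and their licenses are made up for this example), and reports which reference projects a candidate file overlaps with and whether the matched license is copyleft. Project names, licenses and the `WINDOW`/`min_windows` parameters are assumptions chosen for the example.

```python
"""Line-window fingerprinting to flag copied snippets and their licenses (added example)."""
import hashlib
import re
from collections import defaultdict

WINDOW = 3  # consecutive normalized lines per fingerprint (assumption for this example)

# Constructed reference corpus: stands in for an index of open source projects.
REFERENCE_CORPUS = {
    "example-hashlib": {
        "license": "GPL-2.0",
        "source": """
            /* Simple 16-bit rolling checksum. */
            unsigned int checksum(const unsigned char *buf, size_t len) {
                unsigned int sum = 0;
                for (size_t i = 0; i < len; i++) {
                    sum = (sum << 1) ^ buf[i];   // shift-xor
                }
                return sum & 0xffff;
            }
        """,
    },
    "example-strutil": {
        "license": "MIT",
        "source": """
            size_t trimmed_length(const char *s) {
                size_t n = strlen(s);
                while (n > 0 && s[n - 1] == ' ') {
                    n--;
                }
                return n;
            }
        """,
    },
}

# Licenses whose terms typically obligate redistribution of derived source.
COPYLEFT = {"GPL-2.0", "GPL-3.0", "AGPL-3.0", "LGPL-2.1", "LGPL-3.0"}

# Constructed candidate file: the checksum function copied and reformatted,
# plus one genuinely original line.
CANDIDATE_FILE = """
// checksum helper, written in-house? (constructed test input)
unsigned int checksum(const unsigned char *buf, size_t len) {
  unsigned int sum = 0;

  for (size_t i = 0; i < len; i++) {
      sum = (sum << 1) ^ buf[i];
  }

  return sum & 0xffff;
}

/* genuinely original code */
int add(int a, int b) { return a + b; }
"""


def normalize(source: str) -> list[str]:
    """Strip C-style comments and whitespace differences so reformatting does not hide a copy."""
    no_block = re.sub(r"/\*.*?\*/", "", source, flags=re.DOTALL)
    no_line = re.sub(r"//[^\n]*", "", no_block)
    lines = []
    for line in no_line.splitlines():
        collapsed = re.sub(r"\s+", " ", line).strip()
        if collapsed:
            lines.append(collapsed)
    return lines


def fingerprints(source: str) -> list[str]:
    """Hash every WINDOW-line run of the normalized source."""
    lines = normalize(source)
    out = []
    for i in range(len(lines) - WINDOW + 1):
        chunk = "\n".join(lines[i:i + WINDOW])
        out.append(hashlib.sha256(chunk.encode()).hexdigest())
    return out


def build_index(corpus: dict) -> dict:
    """Map each fingerprint to the reference projects containing it."""
    index = defaultdict(set)
    for name, entry in corpus.items():
        for fp in fingerprints(entry["source"]):
            index[fp].add(name)
    return index


def scan(candidate: str, corpus: dict = REFERENCE_CORPUS, min_windows: int = 2) -> list[dict]:
    """Return reference projects whose fingerprints occur in the candidate at least min_windows times."""
    index = build_index(corpus)
    hits = defaultdict(int)
    for fp in fingerprints(candidate):
        for name in index.get(fp, ()):
            hits[name] += 1
    findings = []
    for name, count in sorted(hits.items()):
        if count >= min_windows:
            lic = corpus[name]["license"]
            findings.append({"project": name, "license": lic,
                             "matched_windows": count, "copyleft": lic in COPYLEFT})
    return findings


if __name__ == "__main__":
    for finding in scan(CANDIDATE_FILE):
        print(finding)
```

Whitespace and comment changes are exactly what this normalization absorbs, so the reformatted copy still matches all five windows of the GPL-2.0 reference. Renamed identifiers or a different brace style would defeat line-level hashing, which is why production scanners work on token streams rather than raw lines; the point of the example is the pipeline (normalize, fingerprint, index, compare, map to license), which is the part a CI gate builds on.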
During the past year we've heard several stories of privacy breaches related to poorly implemented security policies and practices in outsourcing companies. How do you manage the complex security issues?
EPAM believes that the key to managing complex security and compliance issues is automation, implementation of the security policies and practices at the infrastructure level, and building your security infrastructure based on your engagement model. Our security infrastructure is centered on project membership, controlling access to:
source code repository
project management system
development and test servers
physical access to areas
To further ensure segregation of projects, EPAM implements security at the network level too, by constructing and segregating the network into project-specific VLANs.
Plus we make sure we aid our physical security with the right level of technology, such as proximity cards, CCTVs, fire and other environment sensors, and make sure all these are in sync with our projects and customer requirements. EPAM has security setup templates to cover the various needs of our customers, and we make sure that every time a project gets initiated, we apply the necessary template so that it is supported by the infrastructure.
And of course you need to have a large enough and powerful enough dedicated staff who audit our compliance with our security policies and procedures, beyond having regular external audits too, from an ISO27k or SAS70 standpoint.
With outsourcing becoming very popular, has your strategic focus changed from previous years?
Yes, it changed. By becoming popular, outsourcing made certain technologies and services a commodity, so to be on the edge and to be able to deliver value-added services, we had to move our technology, process and services focus and address subjects such as:
SLA based services
Service Oriented Architecture
Open Source Component Usage/Open Source Licensing issues
What advice would you give to a company interested in outsourcing some of its workload but worried about security compliance laws?
Beyond just following the standard advice of formulating your security requirements and including them in your due-diligence questionnaire and in the contract, go beyond that. Include the possibility of auditing the security regularly at the provider’s premises, request IDS (Intruder Detection System) installation and have its logs sent to you regularly, require usage of source code scanning software to detect IP rights infringements, and select your outsourcing destination based on your regulatory and compliance requirements. Outsourcing to the EU and inside NATO, for example, provides much higher regulatory and security compliance than outsourcing to India. This is one of the reasons EPAM follows a geo-diverse growth strategy, to be able to serve our clients in the jurisdictions/geographies which best suit their needs.
And before starting the first engagement, go and look for yourself and do the first audit; everything looks perfect on PowerPoint.
Don’t forget about business and disaster recovery: look and ask for records of DR testing, and check infrastructure availability statistics and records (electricity, internet connectivity and availability, phone availability, server availability).
What are your clients most worried about?
In the last 6 to 12 months, clients have been getting more worried about staff turnover and security, mostly because of their experience with India, where staff turnover has reached a critical level, compared to less than 10%, which EPAM has maintained over the last 5 years.