Your company decides to start the business of selling toys online and shipping globally. The E-Commerce system that supports the new business will be developed in-house, while portions of the solution will be outsourced to an external software vendor. The project team is evaluating software outsourcing candidates. As a security professional, which of the following is the least concern?
A. The financial history
B. Foreign ownership, control, and influence
C. Key escrow agreement
D. Right to conduct code reviews
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is C. Key escrow agreement.
- The financial history of outsourcing vendors is crucial as the vendor with poor finance is more likely to close down. It leads to project failure and lock-out from the vendor, no technical or maintenance support, or unavailability of source code.
- The vendor may be owned, controlled, or influenced by a foreign adversary country. This is the concern of foreign ownership, control, and influence (FOCI).
- To avoid back doors, logic bombs, or any other malicious logic, the right to conduct code reviews written in the contract is a major concern.
- Code/Software escrow is more important than key escrow, as not every project will involve cryptography.