Latest news
Balazs Fejes joined EPAM Systems in 2004, when Fathom Technology merged with EPAM Systems. Prior to co-founding Fathom Technology Mr. Fejes was a chief software architect/line manager with Microsoft Great Plains (Microsoft Business Solutions).He has won numerous awards for programming excellence and has previous experience working in the US and Russia.
In this interview, Mr. Fejes discusses the security implications of outsourcing, privacy breaches and compliance laws.
What is the outsourcing industry neglecting or ignoring in terms of security? What areas need more work?
Everybody started to focus on getting various certificates, proving that they comply with security standards, this is just half the story, focusing on how you work and how you create your deliverables, but what people overlook is the security of the actual code which has been developed. Many projects today overlook the importance of proper threat analysis and secure code development standards. Or they claim they follow those, but never really check into it or audit for it. Due to the currently increasing pressure to deliver solutions cheaper and faster, this is one area which is regularly cut from the today’s projects.
EPAM has dedicated staff for auditing the code which we deliver to try to address any architectural security weaknesses and adherence to the secure coding best practices, we are doing it continuously using code analysis tools, tuned for secure coding, and regular peer reviews.
One critical aspect of IP protection, very much overlooked today, that is whether the source code created by the engineers, is really a genuine product or not. The abundance of various open source projects and the search engines indexing them like Google’s Code Search or Krugle, tempts engineers to take code from the these projects and use them, not understanding that open source doesn’t mean free. Most outsourcing companies do not have proper control over this; do not ensure the safety of their clients from license infringements.
EPAM employs rather sophisticated release and scanning processes to ensure that the code we deliver does not contain license infringements and we comply with the licensing terms required by our clients, ensuring it is part of our continuous integration approach, comparing the code created by our developers with millions of projects.
During the past year we've heard several stories of privacy breaches related to poorly implemented security policies and practices in outsourcing companies. How do you manage the complex security issues?
Spotlight
Cyber espionage campaign uses professionally-made malware
Posted on 20 May 2013. | A massive cyber espionage campaign has been hitting government ministries, IT companies, academic research institutions, and more.
Ransomware adds password stealing to its arsenal
Posted on 17 May 2013. | Microsoft researchers are warning about a new variant of the well-known Reveton ransomware doing rounds.
Application vulnerabilities still a top security concern
Posted on 16 May 2013. | Respondents to a new (ISC)2 study identified application vulnerabilities as their top security concern. A significant gap persists between software developers’ priorities and security professionals’ concerns.
IT security jobs: What's in demand and how to meet it
Posted on 15 May 2013. | Let's say you want a career in information security, where do you start? What credentials do you need? What are employers looking for? Read on to find some answers.
Hacking charge stations for electric cars
Posted on 15 May 2013. | Ofer Shezaf talks about what charge stations really are, why they have to be ‘smart’ and the potential risks created to the grid, to the car and most importantly to its owner’s privacy and safety.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.
 |
