Outsourced Development
Description
The organisation shall direct, monitor, and review the activities related to outsourced system development.
⚠️ Risk Impact
Outsourced developers inherit your attack surface, and the code they write becomes your liability. Without governance, outsourced code can introduce backdoors, weak cryptography, or hardcoded credentials.
🔍 How EchelonGraph Detects This
EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected cloud accounts. Violations are flagged as medium-severity findings with remediation guidance.
🔧 Remediation
Outsourced development requires contractual security obligations, SAST/DAST on all delivered code, code review by the internal team, secret scanning of delivered code, and no production access for outsourced developers. Document each of these.
💀 Real-World Attack Scenario
A consulting firm built a customer-facing portal for a financial-services client. The delivered code had hardcoded API keys (from the test environment) committed to the customer's repository. After deployment, the keys turned out to be valid against production; an attacker found them by scanning the repository, accessed production data, and caused a $2.4M impact.
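The remediation section calls for secret scanning of delivered code, and the attack scenario above shows the kind of hardcoded key such a gate exists to catch. The following added example is not EchelonGraph's code and not its Tier 1 scanner; it is a minimal Python merge gate over a constructed set of "delivered" files. Every file path, key string and rule name below is made up for illustration, and the rule set is deliberately small (an AWS access key ID format, a PEM private-key header, and a generic high-entropy assignment to a credential-looking variable).

```python
import math
import re
from dataclasses import dataclass

# Constructed sample of "delivered" vendor files, standing in for a pull request
# from an outsourced team. Every value below is made up for this example.
DELIVERED_FILES = {
    "portal/config.py": (
        "# Test environment settings\n"
        "API_BASE = 'https://api.example.test'\n"
        "API_KEY = 'sk_test_51H8xQ2kLmN9pR4sT7vW0yZ3aB6cD8eF1gH4jK7m'\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "SESSION_TOKEN = 'REPLACE_ME_REPLACE_ME'\n"
    ),
    "portal/app.py": (
        "import os\n"
        "API_KEY = os.environ['PORTAL_API_KEY']  # read at runtime, not hardcoded\n"
        "DEBUG = False\n"
    ),
    "deploy/id_rsa": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "CONSTRUCTED-SAMPLE-NOT-A-REAL-KEY\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
}


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str
    excerpt: str


def shannon_entropy(s):
    """Bits per character; placeholders such as REPLACE_ME score low."""
    n = len(s)
    counts = {c: s.count(c) for c in set(s)}
    return -sum(k / n * math.log2(k / n) for k in counts.values())


# Specific formats are checked before the generic rule, so a line yields at most
# one finding. Note that nothing here downgrades a hit because a comment or a
# value says "test": in the scenario above the "test" keys worked in production.
AWS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
PRIVATE_KEY = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
GENERIC_ASSIGN = re.compile(
    r"(?i)(api[_-]?key|secret|token|password|access[_-]?key)\w*\s*[:=]\s*['\"]([^'\"]{16,})['\"]"
)
ENTROPY_THRESHOLD = 3.5  # constructed cut-off for the generic rule


def scan_line(line):
    """Return the name of the first rule the line trips, or None."""
    if AWS_KEY_ID.search(line):
        return "aws-access-key-id"
    if PRIVATE_KEY.search(line):
        return "private-key"
    m = GENERIC_ASSIGN.search(line)
    if m and shannon_entropy(m.group(2)) >= ENTROPY_THRESHOLD:
        return "high-entropy-assignment"
    return None


def scan_files(files):
    """Scan a {path: text} mapping and return one Finding per offending line."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            rule = scan_line(line)
            if rule:
                findings.append(Finding(path, lineno, rule, line.strip()[:60]))
    return findings


def gate(files):
    """Merge gate for delivered code: (passed, findings). Any finding blocks."""
    findings = scan_files(files)
    return (len(findings) == 0, findings)


if __name__ == "__main__":
    passed, findings = gate(DELIVERED_FILES)
    for f in findings:
        print(f"{f.path}:{f.line} [{f.rule}] {f.excerpt}")
    print("merge gate:", "PASS" if passed else "BLOCK")
```

Run against the sample it blocks the merge on three lines (the high-entropy `API_KEY`, the `AKIA...` key ID and the private-key file) while letting the environment-variable lookup and the low-entropy `REPLACE_ME` placeholder through. In a real pipeline this check sits beside SAST/DAST in CI for the vendor's branch, and a blocked gate is the internal reviewer's cue to rotate the exposed credential, not only to delete the line.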
💰 Cost of Non-Compliance
Outsourced-code breaches: average $4.55M (IBM 2024 supply-chain).
📋 Audit Questions
1. Contractual security obligations for outsourced development?
2. SAST/DAST on delivered code?
3. Code review by the internal team?
4. Do outsourced developers have production access?
🎯 MITRE ATT&CK Mapping
⚡ Common Pitfalls
- ⛔ Trusting outsourced code without security review
- ⛔ Allowing outsourced devs direct production access
- ⛔ No documented contractual security obligations
📈 Business Value
Outsourced-dev governance closes a category of supply-chain risk.
⏱️ Effort Estimate
Per-engagement contract + security review
EchelonGraph scans for hardcoded secrets + supply-chain risks
🔗 Cross-Framework References
Automate ISO 27001 A.8.30 compliance
EchelonGraph continuously monitors this control across all your cloud accounts.