According to Anh Nguyen, "One of the common pitfalls of outsourcing NEBS development is not clearly defining and communicating the business's security requirements to the supplier, a panel of security experts have warned."
Nguyen quotes Gunter Bitz, head of product security governance at SAP, as saying "If you outsource then don't tell the development partner what data the application will be processing, they just don't know anything different. The contractor will develop the application as required and nothing else."
Nguyen spoke at the recent RSA security conference in London. One can imagine the plethora of hackers seeking to crash the event. No reports of any significant successes.
Penny Lane, chief information security specialist at Visa and a lady no doubt sick to death of The Beatles, whose background includes a position as senior cryptologic mathematician at the US Department of Defense, agreed: "The biggest thing to take into account is to never assume anything. For example, if they [the suppliers] advertise that its service is used by the DoD, or DoD-blessed, forget it. It does not mean it is secure," she said to Nguyen.
Lane told Nguyen that ongoing requirements are also important, throughout the software's entire life cycle. "Say, for example, with software for a [fixed-term] marketing campaign - there should be specific guidelines for what is going to happen when the software reaches end of life, how it is going to go away."
She also cautioned folks to “watch out for QA [quality assurance] sites on the Internet,” Nguyen reported. “If there's an administration website open over the Internet it's just asking to be hacked. They need to have at least IP filtering. Make sure they go away when production goes away.”
David Sims is a contributing editor for TMCnet and also blogs for TMCnet.
Edited by Stefanie Mosca