The risk associated with malicious functionality in outsourced application development is that the

vendor may introduce unauthorized or harmful code into the enterprise’s system, which could

compromise its security, integrity, or performance.

To mitigate this risk, the enterprise should perform an in-depth code review with an expert who can

verify that the code meets the specifications, standards, and quality requirements, and that it does

not contain any malicious or unwanted functionality.

A code review is a systematic examination of the source code of a software program, which can

identify errors, vulnerabilities, inefficiencies, or deviations from best practices. A code review can

also ensure that the code is consistent, readable, maintainable, and well-documented.

An expert is someone who has the knowledge, skills, and experience to perform the code review

effectively and efficiently. An expert may be an internal or external resource, depending on the

availability, cost, and independence of the reviewer.

A code review should be performed before the code is deployed to the production environment, and

preferably at multiple stages of the development life cycle, such as design, testing, and integration.

A code review can also be complemented by other techniques, such as automated code analysis,

testing, and scanning tools, which can detect common or known issues in the code. Reference =

ISACA, CRISC Review Manual, 7th Edition, 2022, p. 143

ISACA, CRISC Review Questions, Answers & Explanations Database, 2022, QID 143