The risk associated with malicious functionality in outsourced application development is that the vendor may introduce unauthorized or harmful code into the enterprise’s system, which could compromise its security, integrity, or performance.

To mitigate this risk, the enterprise should perform an in-depth code review with an expert who can verify that the code meets the specifications, standards, and quality requirements, and that it does not contain any malicious or unwanted functionality.

A code review is a systematic examination of the source code of a software program, which can identify errors, vulnerabilities, inefficiencies, or deviations from best practices. A code review can also ensure that the code is consistent, readable, maintainable, and well-documented.

An expert is someone who has the knowledge, skills, and experience to perform the code review effectively and efficiently. An expert may be an internal or external resource, depending on the availability, cost, and independence of the reviewer.

A code review should be performed before the code is deployed to the production environment, and preferably at multiple stages of the development life cycle, such as design, testing, and integration.

A code review can also be complemented by other techniques, such as automated code analysis, testing, and scanning tools, which can detect common or known issues in the code. References =

ISACA, CRISC Review Manual, 7th Edition, 2022, p. 143

ISACA, CRISC Review Questions, Answers & Explanations Database, 2022, QID 143