Hackers target outsourced app development

Many firms fail to think about security when they outsource application development. Three in five (60 per cent) organisations overlook procedures to mandate security in software development outsourcing, according to a study by analysts Quocirca. One in five (20 per cent) fail to consider security even when building …

COMMENTS

This topic is closed for new posts.
  1. James

    There's a surprise.... !

    My company has always avoided, and still avoids, outsourcing (at least beyond a half hour's drive!).

    Handing over mission critical development to a remote location, in a different culture, seems to me to be asking for problems. How do you control IP? Security? Basically - you can't.

    A bit like asking all those great programmers in China to develop Britain's defense software ("well, they were the cheapest quote, sir!").

    Best way is to create a very good, small development team in-house and pay them what they are worth. This should usually be on a par with the directors and board members!!

  2. Brian Miller

    Title should be "Hackers target apps, outsourced or not"

    The hackers are going after the apps, and it doesn't matter if the app is produced by an outsourcing firm or not. Vista was hacked via Flash, and Mac was hacked via Safari. If a firm does not really give a flying ---- about security, then it opens the door to hackers. Duh.

    When outsourcing the app, the organization can't be asleep at the wheel. They are paying for the code, so they should be reviewing it. Design goes by the wayside time and again, and nobody ever seems to learn yesterday's lesson.

    Even if the results get sold on eBay, and with much publicity.

  3. brian

    That's why we don't outsource....

    ... talk about giving away the "keys to the kingdom"? On top of that, I have never seen an outsourced project where it was not necessary to rewrite large portions of the code. Combine this with the security risks and outsourcing just proves to be a large waste of money.

  4. Steve

    There's a surprise...!

    "Best way is to create a very good, small development team in-house and pay them what they are worth. This should usually be on a par with the directors and board members!!"

    Nonsense. Directors and board members do wonders for the employment figures - in a large company, at any one time, at least 25% of the staff are fixing problems caused by "the boss". All of these people would otherwise be unemployed.

  5. Jamie

    Amazing

    I pointed this out to one of the MS Evangelists at my old job and he laughed at me.

  6. Anonymous Coward

    outsourcing - bad experience

    .. had bad experiences with outsourcing development work, wouldn't do it again. Don't want to say one group of people is bad, so I won't, but outsourcing development work as a whole is bad!!

  7. Rob Briggs

    If you can't run a project when it's based down the corridor

    ...why on Earth do companies think that they can magically run a project on a different continent in a different culture?

    Honestly, what do they expect?

  8. Jason DePriest

    calculated stupidity

    The CTO of the company I used to work for resigned because he was forced to outsource a significant portion of his empire. He knew what it meant, but his concerns fell on deaf ears.

    Unfortunately, large, public companies are still ruled by the shareholders and if the shareholders say jump, the execs jump.

    It was a short-term cost-savings measure to put cash in the shareholders' pockets.

    They knew they'd have to pay the piper eventually, but apparently they didn't really care about the lost jobs or flailing customer service or the language barriers or the time zone barriers or the fact that the programmers working on some of our code have never even talked directly to a customer or have any idea what it is, exactly, that we do.

  9. Highlander

    Hands up!

    Hands up anyone who's been saying this since the outsourcing trend started?

    Can't say I'm surprised by it. Finance companies in particular are prone to trust third party consultants more than their own people. The same principle would extend to outsourced code development.

    Personally I think that if you're paying a group of well qualified people to develop your IT strategy or applications, you should bloody well trust them more than a bunch of external yahoos who have no direct interest in seeing your business thrive. From a security point of view you pay your employees, they're under direct contract, you know where they live. So if one of them does something stupid, you have some recourse. How are you supposed to go after some semi-anonymous programmer working for an outsourcing company when he/she creates a backdoor into your system and steals information?

    Outsourcing security sensitive applications is simply asking for trouble, as is ignoring the implications of compromised security and not following good procedures for process and code review during development.

  10. Corrine

    Attention dumbasses

    'outsourcing' does not have anything to do with out of country, outsourcing means out of the company.

  11. Ishkandar

    @James

    "Best way is to create a very good, small development team in-house and pay them what they are worth. This should usually be on a par with the directors and board members!!"

    This will only happen when the Moon is in the 7th House and Jupiter aligns with Mars and peace will guide the planets and love will fill the stars !!

    @Steve - >in a large company, at any one time, at least 25% of the staff are fixing problems caused by "the boss"< - The same could be said about an incompetent in-house IT team !!

    @Rob Briggs - they expect a transference of guilt !! So when the manure meets the rotating object, they can "honestly" say they didn't do the IT !!

    @Highlander - even worse, the outsourcing company can hire temps/contract staff who screw up the security and then run to their competitor with the info on the buggered security system !!

  12. Olivier

    Trotskyist rant?

    Is this an English site? Even the worst leftist French blogs are more open to the realities of industry.

    Does your company need to run a power station in order to have electricity? Does your company own a cement factory in order to build its headquarters?

    Outsourcing is an obvious rationalization process. Obvious, but not easy to manage, and obviously outsourcing does not remove responsibility.

    One of the problems (among many others) is that often many security aspects are not considered in the outsourcing contract. This is incompetence, but this does not say anything good or bad about outsourcing itself. Nothing proves that if the process was "internalized" it would be any safer.

  13. Anonymous Coward

    How bigoted...!!!

    @James

    "Handing over mission critical development to a remote location, in a different culture, seems to me to be asking for problems. How do you control IP? Security? Basically - you can't."

    You make it sound as if you are the only 'professional' in the world who is capable of doing the job correctly. Ultimately outsourcing is nothing but a contract and is a business. If you in this 'culture' are so smart you should be able to competently manage that and pick out competent partners from the world stage. Else that speaks volumes about your management skills and ethics. You can control anything if you plan accordingly.

    "A bit like asking all those great programmers in China to develop Britain's defense software ("well, they were the cheapest quote, sir!")."

    And if you reverse the question, why should the rest of the world trust you and your (defence) products? Does your military have a halo over their heads and angel wings?!!!

    "and pay them what they are worth. This should usually be on a par with the directors and board members!!"

    I am sure there are a few whiz kids (again worldwide and not just here) who are worth the cost, but it's probably the high cost of recruiting the rest of the not so clever ones and their high expectations which is driving outsourcing anyways. If you're gonna recruit a bunch of average people, why pay the moon for them?

  14. Vijay Jairaj

    Yeah right

    Can't fucking sort bags at the airport - have to outsource that to Italy...

  15. Anonymous Coward

    Security is the least of your worries.

    Yet another survey from the school of no-shit Sherlock.

    In my humble experience you are far more at risk from losing the 33% of staff who know how your systems work. "For want of a nail" etc...

    Being outsourced normally means that you have removed all the golden handcuffs that kept your best tech staff from leaving. The new employer generally has six months to get to work on sucking the brains dry of the key staff or coming up with reasons for them to stay.

    IMHO 6 months is how long the outsourced will give the new employer to prove their quality as someone to work for. After that the employees (especially the best) will be dusting off their CVs and hitting the job sites. By the time Vlad from Elbonia shows up to take over the (undocumented) legacy system for Soylent Green production, all those with knowledge of the system will have long since left the scene. The impact of that will be felt by the client.

    On the client side I still don't understand how they expect to check the quality of the work delivered unless they retain a decent core of technical staff (which normally they don't). You can come up with lots of external measures that check that the "requirements" are met but you are not going to know for sure whether it is up to no good behind the scenes especially if you have outsourced your operations too.

    Personally I think the best answer to the threat of outsourcing is to go contracting. Don't waste energy fighting it. The costs of outsourcing won't become properly evident for 4 to 5 years after the contract is signed. Management in most of the UK is rewarded for the previous year's work.

  16. Jeff Dickey

    All too true...

    In close to two decades working on both sides of the outsourcing/offshoring suicide pact, the next project I see that comes in under 150% of budget OR 200% of schedule with 70% or more of requirements met with properly audited, documented code will be the first.

    I believe it's possible - just not with the current set of providers or with the currently-fashionable customer priorities. Two real quotes get the point across: an outsourcing client was once heard to say "We will spare no expense to cut costs." They went out of business less than two years later. One outsourcing provider, when asked about the (truly execrable) quality of their documentation and business communication, replied, "We're paid to write Java, not English. We are having people here with excellent credentials to do our writings for us." We declined to retain them on any future projects; I wish I could say that they crashed and burned too, but P. T. Barnum might as well be technology and trade minister for Karnataka state.

  17. Playjam

    Outsourcing can work...

    You get what you pay for.

    I have had excellent results working with designers who do a great job at designing UIs and websites. Of course, they have their office near me and speak my language and they do NOT have the cheapest hourly rate, but in the end the results and the time saved make them cheaper than any messing around with cheaper than dirt offshore labour.
