Going East, however, large reputable corporations (e.g., Oracle) are outsourcing their product development and/or internal applications to hungry, cheaper experts in Russia, China, India, and the Far East. This is beneficial for the bottom line; however, outsourcing can also give rise to problems such as security issues, integrity issues, legal issues stemming from weak or confusing copyright laws, and even cyber crime. While many companies are outsourcing successfully, they are also finding that they have to rigorously vet their offshore contractors, craft strong legal frameworks, and remain personally involved in the process.
Problems When Development Is Outsourced
There are two possible issues when any third-party developer writes code for someone: embedding malicious code, such as logic bombs and backdoors, or simply writing error-prone and insecure code that results in security vulnerabilities. You need to have confidence that the third party is committed to rigorous security practices the same as, or close to, those you practice in-house. While malicious code receives the most publicity, according to Carnegie Mellon's CERT Coordination Center most security problems are caused by human errors when writing code.
The First Step: Due Diligence
Thoroughly researching an outsourcing enterprise goes without saying, and a big part of that due diligence is checking references. Being the first company in your industry to use a firm is a risky business indeed. Company location matters as well. Recent events for Microsoft, IBM, and Sun show that China and Russia are two countries with high-risk rates. You might want to avoid those if possible. The other concern is re-outsourcing. Some firms in India, for example, re-outsource to development firms in China. While they usually send a representative to oversee big projects, that type of assurance is not fail-safe. When you choose a vendor, your contract should clearly state that you do not allow re-outsourcing. If the software project is large enough, and if it is possible, the client company should have a representative in the country where the outsourced developer operates. This representative will act as a liaison, be knowledgeable of the country's laws, and assist with security investigations and protocols. International risk management firms can supply such individuals, but there are costs involved. Weigh those costs against contracting such services in-country.
The Second Step: The Contract
Contracts with development firms located in the same country are difficult enough. Contracts with an outsourced development firm bring a whole new layer of complexity. Obviously, don't ignore the usual points of an in-country contract: each party's responsibilities and rights, parameters, and timelines. In addition, take time to research the local law in the outsourced country. Hiring a law firm in that jurisdiction may be a good step. For large and expensive projects in which security is a significant concern, a law firm that either has colleagues in that country or can send representatives there to affirm security and make recommendations is essential. An important aspect of the contract is a detailed plan requiring that the source code be securely stored by an independent third party as it is progressively developed. This is often done by placing the code in escrow for safe-keeping. As Bryan Christiansen, from EscrowTech, states:
The Third Step: Involvement
While the contract certainly covers approaches to deliverables, timelines, quality of code, testing processes, security, and strong review processes, the contracting company must remain on top of everything to ensure a successful project. Video conferencing, design meetings, and even in-person meetings with a representative should help you with that. All along the way, the contracting company must thoroughly document the process. They must also have a method to access the source code in the event the outsourced software vendor disappears. Most outsourced developers will not provide source code until they receive payment. That's where an escrow can help. If you choose to end the relationship prematurely and you have followed the steps above, the software project can be taken back in-house and finished if necessary. Furthermore, client companies face other problems when outsourcing: for instance, vulnerabilities in their software, theft prevention, insecure coding, or even unscrupulous programmers who re-sell what they have developed elsewhere. In countries where copyright laws are rather lax, this is a legitimate concern. For this reason, continued involvement is vital. There is an old saying: "Better safe than sorry." If it ever applied to any activity, it applies to outsourcing product development to a foreign firm.