Wednesday, March 31, 2010


Why outsourcing firms will never deliver secure code to their clients without them paying extra...

At a 2008 OWASP Conference, Rohyt Belani, Principal of the Intrepidus Group, described in elegant detail backdoor logic that was inserted into an internet-facing production enterprise application for one of their clients. Sadly, most enterprises don't have a process to catch this type of threat until after the fact. Anyway, Rohyt went on to explain that the enterprisey crowd will never be successful in getting an outsourcing vendor to write secure code without paying extra. Ever since this statement was made, I have been savage in attempting to prove him wrong...

After two years of hard work, he can still claim he is 99.99% right. I have made a small breakthrough with Cognizant in this regard, where for a particular project I oversee I have been able to change the game. Keep in mind that in our shop we have outsourced thousands of developer-level positions and I have had great success with a grand total of four people, so whatever I share in terms of my secret, we must truthfully acknowledge the challenge of making it scale.

The first aspect of making this successful was to personally interview each developer for the team, something that most enterprises defer to their partner to handle. I wanted to understand the values of the developers working on my project and get a sense of whether they wanted to develop Rugged Software or simply wanted to punch the clock and deliver solely to whatever the requirements stated and not one single iota more.

The second aspect of making this successful was the fact that I didn't treat them as some unknown FTE where I throw specifications over the wall and immediately start talking about delivery dates. Instead, I treated them like humans and took interest in their well-being. We joked and laughed together where I got to know them as individuals. We even had sessions where we did pair programming together.

The third aspect of making this successful is that I let them develop the software outside of the usual bureaucracy of corporate controls. I didn't cripple them by forcing them to use tools that are enterprise-approved but otherwise unproductive for them. They were able to develop wherever they wanted to develop. At times they even worked from home.

The final and most important aspect of making this successful is that I didn't play head games when it comes to dates. There was one and only one date communicated. I didn't build in contingency where I tell the developers one date, the business the next and so on. Making oneself vulnerable isn't a weakness, it's a strength that I leveraged to my advantage.

So, in conclusion, it is possible for your outsourcing firm to deliver high-quality code without paying extra for the privilege. The biggest challenge is in changing the mindsets of those within enterprises to break their own habits and allow those in India to be successful. If you want secure software, you have to treat others with respect and dignity, always remembering to be human and interacting with others in the same manner.

Since most enterprises have forgotten the importance of humanity and humility, I guess at some level Rohyt is right that they have no other choice but to pay more...

