Don't cut corners when outsourcing

Quocirca's Straight Talking: Security front and centre in software development

Outsourcing software development is tricky but can prove a success. Quocirca's Fran Howarth offers some advice on how to get it right.

To differentiate themselves and to deliver competitive advantage, organisations today are looking to use specialised, custom software to supplement commercial off-the-shelf applications.

In order to speed up the development of such applications and to reduce the costs involved, businesses are increasingly outsourcing the work. This can range from full-blown custom applications to the writing of code that acts as the 'glue' between on-premise applications or services in the cloud.

These programmes can be risky because organisations must place the creation of a valuable asset in the hands of outsourcing partners. This means they must trust that secure coding best practices have been followed and that applications have adequate levels of security built into them so that vulnerabilities are not present.

New Quocirca research, sponsored by Ounce Labs, examines the practices used by 200 of the largest organisations in the UK and US across five vertical industries when undertaking application development outsourcing projects.

A primary finding of the research is that inexperience and lack of efficient processes lead to ineffective outsourcing. For example, projects undertaken by organisations in those industries with the least experience of application-development outsourcing - those in the financial services and transport sectors - exhibit daunting levels of failure. The research shows that, in both those industries, around 50 per cent of interviewees have experienced projects being called off completely owing to problems encountered, while 30 per cent of finance firms have had to take legal action as a result of project failure.

On the other hand, respondents from those industries with the most experience of outsourcing - those in the retail industry and public sector - have seen the majority of projects undertaken result in success.

Success is achieved by the most experienced outsourcers - those outsourcing at least three-quarters of their application development needs - because of the rigour with which they define controls upfront in the outsourcing contract and enforce those controls by demanding stringent levels of security in the development and testing processes.

To achieve this, the importance of getting the contract right cannot be stressed enough. A watertight contract provides organisations with a fallback position should things go wrong and helps to reduce the risk of below-par applications being delivered - greatly reducing the likelihood of the need for subsequent legal action.

When it comes to security, the research uncovers stark differences among organisations according to their level of experience with outsourcing projects. Among leaders in the retail and public sectors, 62.5 per cent of organisations require the use of automated code scanners for checking programming code for vulnerabilities, compared to just 32.5 per cent of financial services organisations. And just 40 per cent of finance firms require that applications are tested for the most common vulnerability - cross-site scripting - compared to 82.5 per cent of retailers. This could leave financial services organisations' applications at serious risk of attack.

Quocirca's research report aims to aid organisations involved in outsourcing, or looking to expand in this area, by highlighting best practices from organisations with the most outsourcing experience. These best practices can be used by organisations not just as a roadmap for planning and executing application development outsourcing projects, but for building repeatable processes that can more easily be repurposed to ensure the success of subsequent projects.

The best practices gleaned from traditional full-blown, custom application development outsourcing will be of help in deriving greater value and reducing risk in new types of outsourcing services. These fast-emerging outsourcing services include application outsourcing where applications, including the data they contain, are hosted by third parties, or where service providers write add-ons to applications, such as in cloud computing and software-as-a-service delivery mechanisms.

Making use of the best practices detailed in this report should provide any organisation looking at outsourcing application development with greater peace of mind that the resulting project will be a success.

Quocirca's report, Winning Outsourcing Strategies, is free for download.

A leading user-facing analyst house known for its focus on the big picture, Quocirca is made up of a team of experts in technology and its business implications. The team includes Clive Longbottom, Bob Tarzey, Rob Bamforth, Louella Fernandes, Fran Howarth and Simon Perry. Their series of columns for silicon.com seeks to demystify the latest jargon and business thinking. For a full summary of the consultancy's activities, see www.quocirca.com.