How to manage application development outsourcing risk

When you outsource application development, you offer sensitive information to a third party - and lose some control of your code along the way. Here's how to outsource while avoiding the downsides.

Advances in collaboration and remote access technology have solved some of the challenges of working with application development outsourcing partners, but plenty of risks remain when it comes to outsourcing or offshoring your code.

Go to a technology blog, for example, and you will likely find posts by application developers walking others through their latest projects for Fortune 500 companies. The problem is a developer posting to that blog might be sharing sensitive information about that Fortune 500 company's application development outsourcing project for all the world to see.

"I see it happen all the time," said Tim Vibbert, a former enterprise architect for a large outsourcer as well as an internal architect for large companies. He now runs Oglala Innovative Solutions, a consulting company in southern New Jersey. "The developers put up blog posts during and after the project that give away the house for free, the IP of the project, and competitors see the information and use it as their own template."

To minimize this application development outsourcing risk, more enterprises are writing stricter rules into their outsourcing statements of work, Vibbert said. These cover how the developers working on an application development project can share information on the project. "Companies are adding contract restrictions on how and where their project details can be discussed because of the [blogosphere]," Vibbert said.

And enterprises should hold their primary application development outsourcing partners accountable for enforcing such communication restrictions among their subcontractors as well, he said.

That brings up a pretty significant concern when trying to manage application development outsourcing risks: Who, exactly, is working on your project? "When you work with a large outsourcer, they may be outsourcing pieces of the app dev project to specialty firms, so make sure you're aware of that," Vibbert said.

Who is developing my code?

As a former project manager, Mary Gerush will tell you that it is pretty difficult to handpick -- and keep -- your application developers of choice when working with an outsourcer. Establishing a long-term relationship with a provider helps, but even then your developers of choice are often pulled off your project to work on another.

Gerush's approach to an outsourcing project in India was to get to know the individuals on her extended team. "Over time you know who the best developers are, so you do your best to build strong relationships with them and hopefully build a sense of loyalty as well," said Gerush, an analyst at Forrester Research Inc. in Cambridge, Mass.

One CIO was recently asked by his company's management team why he made the developers employed by his company's outsourcing partner jump through so many more security hoops, when the company also employed developers out of a branch office in the same country.

The country was Russia, which pretty much does not have the equivalent of a background check, said Khalid Kark, an analyst at Forrester. "The CIO said, 'Well we've done all the background checks on our own employees [in that country], and we know our [application developer] turnover.'"

The CIO was not assured, however, that the same guidelines were in place at the outsourcer to ensure who exactly was coming and going, potentially with sensitive information.

Building in controls to manage application development outsourcing risks

A lesson that many enterprises learn too late is that it's much more difficult to put security controls in place when an application development outsourcing project is already under way. Some enterprises will also put an application developed by an outsourcer into production in their own environment without any testing or monitoring of the application development work beforehand. In both cases, security is sacrificed in favor of speed to market.

"The application development team doesn't have the security skill sets, so a company has to bring in a security team to monitor and test the application development before it enters their environment and also during the development process, which slows things down," said Kark.

A few years back, about 5% to 10% of the application development contracts given to outsourcers had very specific and rigid security policy and control requirements. This percentage has risen to about 30% to 40% now as enterprises push more liability onto the outsourcer, Kark said.

Not only are such enterprises asking for the same level of controls they use internally for policies surrounding access controls, but they also want to know if an outsourcer is ISO 27001- or ISO 27002-certified. They are also more often writing on-site visits into the contract to test the security monitoring tools and policies of the outsourcer, he said.

"They want to know who has access, how they have access, if background checks were performed. And if they see that these policies are not being followed, they consider it a breach of contract," Kark said.

Managing risk by setting expectations and intermittent milestones up front

Vibbert has worked on projects in which an application was completed and all the code came in at once. What also came in at the same time was one big bill.

"The company would get one massive bill and there was no way of justifying the costs," he said. "Then legal would get involved and [the company] was pretty much out of luck because they didn't set any specific deliverables or costs for each deliverable."

As a project manager, Vibbert would set up deliverables similar to product releases -- version .01 is due by this week, version .02 by next week and so on. "We said up front, in writing, that 10% of the job had to be done to certain specifications by a certain date before we would move forward to the next phase."

There are several other up-front steps an enterprise can take to manage application development outsourcing risks:

  • Have an application development design review up front to not only set deliverables, but to also establish the scope of skills needed to complete this project. Have representatives for the outsourcer sign off that they have such skills in place.
  • Establish that developers are not to veer off set design criteria. If the application should be written in Java in a certain way, make sure the outsourcer's developers are sticking to this plan.

    "What you see happen is developers think they know a better way, so they do it their own way, and then the company gets back the code and their own developers don't know what to do with it," Vibbert said.

  • Establish a team to monitor the health of the outsourcer and the country in which it resides. A vendor management team should scan for any announcements made by that company, such as a possible acquisition, as well as any political strife in the outsourcer's country that could disrupt the project.

    "A vendor management office should be attentive to any of these problems and should have a plan in place if a risk does arise, so the company isn't left trying to figure out what is going to happen to all of their data that's overseas," Gerush said.

  • Don't overlook a country's privacy laws. China, for example, monitors a lot of data coming into and out of the country. "A country may have cheap application development labor, but does that off-balance the risk of knowing that the outsourcer is in a country that monitors data?" Kark asked.
  • Check to see if the outsourcer has knowledge about the industry you are in. You might find a partner with great application development skills that has no idea how the application itself needs to be developed to meet the needs of your specific business or industry.