I have been biting my tongue for a long time. Finally, an international survey has freed me to speak my mind without retribution: Outsourcing software is a bad idea!
Before accepting a position with Decade Software in December of 1999, I ran a small software and consulting company in Louisiana. Among other things, we built and marketed components for Borland Delphi. Our tools were sold in three international catalogs, and my sales were often quite lucrative.
Eventually, the consulting end of my company took off, and we had limited time for component enhancement, so I turned to outsourcing—and I was burned, big-time.
My most popular product popped up as freeware on the Internet. I actually downloaded and compared the code line by line. The headers and comments had been converted to Russian, but the code was certainly my own.
In recent years, we considered and even experimented with outsourcing on a small scale here at Decade. I was determined to keep an open mind and not to allow my bad experience to cloud my judgment. In spite of this, Decade Software has never been successful with outsourcing.
From a team perspective, I don’t like outsourcing. Forming a bond—a trust—with teammates is much easier face-to-face.
That was my full disclosure. Now, here’s the part where I get vindicated…
Analyst group Quocirca surveyed 250 IT directors and executives in the United States, the United Kingdom, and Germany. Almost 90 percent of the organizations that admitted to being frequently hacked had outsourced more than 40 percent of their application development to third parties.
Quocirca cited five reasons outsourcing is a security risk:
- Outsourcing of code development is widespread. However, given the lack of visibility into coding practices, it is fundamentally insecure. Of those organizations that admit to being frequently hacked, all outsource at least some software development, with almost 90% outsourcing more than 40%.
- Exposure to Web 2.0 technologies (among the least understood, but considered to be among the most insecure technologies) is high, but many organizations manage their use through policies alone. 58% of respondents are using Web 2.0 applications, including those that they develop in-house. 39% of these govern usage of these applications through policies alone, and more than 10% place no restrictions on their use.
- Organizations are exposing their applications to new security threats through use of SOA. 66% of respondents have adopted, or are in the process of adopting, a service-oriented architecture (SOA), although adoption is lowest in the UK at 50%.
- Data protection is the key driver behind application security for the vast majority. 82% of respondents cite compliance with data protection regulations as their priority, rising to 91% in the UK. Financial services organizations are the most concerned with protecting data through superior application security.
- Using automated tools for building security into the software development lifecycle translates to lower overall spend on IT security. Over 10% of UK respondents spend more than 15% of their IT budget on security but are the least likely to use automated tools for application security.
Their conclusions?
"It is now more imperative than ever that organizations developing software applications use automated tools to ensure that security is built in at an early stage of the development lifecycle to significantly reduce the risks to which organizations are being exposed."
My conclusions?
"When you make your list of options for solving a problem, risk should weight outsourcing to the bottom."
Outsourcing is a last resort option. Forget about it. Build a real team—no matter how small—and you can move mountains.