Tuesday, 9 January 2007

Outsourcing the coding lifecycle

Nowadays it is more and more common to outsource the old inhouse programmers to some external companies usually located in India, Argentina, China, ... I thought that it was only an US big vendor choice, and that it was rarely seen in the old Europe, but I was wrong. One of the key reasons for such thing is the price per hour. At least in Spain for one programmer you can get almost 10 programmers in those countries.

But there are many issues to take into account if you are interested in hiring those guys. I'll try to summarize some of them in order to try not to compromise your code quality:


  • Coding methodology: it doesn't matter if they prefer extreme programming or any other methodology. But they do need to have one, and one that fits to your requirements.

  • Documentation: document, document and document your code. And in a language that you can understand. The same for the variables names, procedure names, etc

  • Secure programming: you need to verify that they know very well some aspects of secure programming, and that they avoid some nasty bad coding practices that could lead to a XSS, SQL Injection, remote include, buffer overflow or any other vulnerability.

  • Good versioning system: all the trunk and branches code should be properly tagged

  • Code efficiency: I wish it wil be so

  • Stress and test methodology: for each version released

  • Analysis and design proper documentation

  • Formal verification (just kidding, but why not?)


But those advices are normal ones. I'd suggest to give them a try and hire them for a small snippet of code. And if you are still interested and do a big project with them, please consider to perform a white box and black box security audit (as well as other tests in order to check everything) when they have finished coding just to be sure that you won't be an easy target for the attackers and the media.

Anyway, each time I hear something related to this subject, I can't help thinking about the kids that are used in some countries working in those bad conditions...

No comments: