Veracode has found that outsourced software is a hotspot for hidden security vulnerabilities. I think we will get similar results if we scanned the outsource code for performance. But I think the problem is not that third party developers write bad code. It is that in the outsourcing ecosystem anything other than the functional requirements is considered secondary, and sacrificed for perceived quicker delivery.
Outsourcing is so tightly coupled with cheap labour that the relationship between the client and the developer feeds of it.
- Anything other the functional requirements is going to cost more, which means lesser savings from the outsourcing, so make it secondary
- Which means that requirements like security or performance are hardly discussed and weakly specified
- This works great for the developer because he/she likes to close projects quickly
- The relationship, or the contract, is usually for a short-term, so any changes triggers another round of discussion on numbers, which further blurs the security concerns
- This also means that the developer can wash hands of anything that comes up after the contract is over.
- Problems with security and performance can be caught either through very good testing or by users. Since very good testing can be expensive, the insecure code gets to stay longer in the software till the users discover it.
This does not mean that all clients and all developers do this. I think that if the relationship is based on developing better software, the same people will write better code. Unfortunately today outsourcing has become a synonym for savings through cheap labour, and that is what is demanded and provided. The project becomes cheaper, but the software becomes expensive. After all, even outsourcing has to obey the Fast, Good and Cheap rule of software development.