Hiring a third party to build your company's web apps (or pieces of them) may not be as difficult as putting the code together internally, but there can still be significant roadblocks involved. That's especially true when it comes to software compliance, and it becomes more challenging when a company knows little about the nuts and bolts of web app security.
The good news? Bringing on a third-party developer isn't much different from hiring a company for any complex task that you don't know much about. Better, a lack of security knowledge doesn't have to make picking the right dev a total nightmare when it does differ. As always, common sense and smart administration will serve you well. Follow these steps to ensure you and your potential new developer are a good fit:
Any company will be quick to produce glowing references when you're waving a fat new contract in its face (or even when you're just doing preliminary research through its site). The same can be said of review sites and other online opinion resources: When customer opinions can make or break a business, even good companies will do shady stuff to make their names looks good.
Instead of letting subjective information skew your decision, speak with professional contacts in similar roles within the company you're curious about and/or in different organizations. When you work in an industry bound by strict regulations (healthcare with HIPAA, for instance), reaching out will almost always be the quickest path to unbiased information.
What's your potential developer's biggest failure when it comes to security and software compliance? How would it handle [insert arbitrarily insane security issue]? Is there a reason your company's competitor chose to go with the developer's competition when it built its new web app? How can your potential developer ensure every aspect of its code meets your industry's strict, critical regulations?
You get the point. Finding stuff like this out early — and, perhaps more importantly, making sure you aren't being snow jobbed when a vendor responds — can prevent you from learning answers the hard way later. If you get the feeling you're nitpicking, good! It's your company's money; the last thing you want is a third-party dev using it to provide you with a substandard, noncompliant app.
Many web apps are designed for internal use. That can make checking a developer's past work a little difficult. If you can independently verify quality and compliance in situations where the development house has worked in your industry, make sure to jump on the opportunity and enlist professional help where applicable and appropriate. If not, to go back to the second point and make sure to ask exactly how the developer ensured compliance. Qualified candidates should have direct, relevant experience doing stuff in the field, or at least be able to prove they prioritized software compliance in another regulated industry.
None of this is to say you should only do business with industry vets — it may not always be possible, and newcomers need chances to prove themselves — but ensuring a dev is at least capable of following regulations via its past work is of the utmost importance. Again, don't be afraid of tough questions here: Make sure a firm knows what it's doing. If you don't like the answer, move on.
Hiring a company to help you hire a company sounds like the start of an Inception joke, but it can result in huge time and money savings when software compliance and security are involved. You're hiring a developer to cut out the proverbial middleman, after all. Talking to experts is just applying the same idea to a different (and equally crucial) part of the process.
The experience you pay for will manifest in multiple ways: An established company will have built a network of professional contacts of its own; depending on your needs, that firm may be able to help you choose from a curated list or even make all the pertinent decisions for you, with you signing off on the final recommendation. In many cases, that same company will be able to guide the developer through the development process from a software-compliance perspective, further reducing the internal expertise needed to make the right decision.
No single blog post can demystify the dev-hiring process, and software compliance and security concerns only complicate matters. If the decision-making process is giving you fits as you search for a developer, check out Veracode's Vendor Application Security Testing (VAST) Program or reach out directly. When security is a constant concern, experts can help make sure you're on the right track from the beginning.
Photo Source: Wikimedia Commons