In some ways, hiring a third-party development team is like bringing on a new employee: You look for the traits, skills and experience you want, and you make a qualified decision based on your research.
But the process can be much more complex in practice. After all, hiring app developers for a particular project requires you to make a number of considerations and take several risks. While there is no one-size-fits-all test you can use to evaluate your third-party prospects, there are more than a few general traits you can expect all vendors to exhibit, regardless of your industry. Here's a closer look at some of the most important ones.
Is the Team Transparent?
While nuts-and-bolts facts such as technical qualifications and relevant experience are obviously major considerations, focusing on a third-party developer's transparency is just as crucial.
From a security standpoint, this includes looking at past failures. While that sounds like a trick out of the HR-101 handbook, knowing what problems a team has faced, how it addressed them and how forthcoming it was with the hiring party says a lot about its overall character. Having an idea of how a company responds to problems (and how honest it is in its response) can be an invaluable guidepost if you decide to move forward with your relationship.
As a final note, guaranteeing transparency requires more than handshakes and promises these days. Draft specific terms for any agreement, especially if you work in a heavily regulated industry such as finance or healthcare. Knowing what information you can count on having in the event of an audit or security breach makes it easier to build contingency plans, and it can help you demonstrate your own commitment to security, if necessary.
Are the Team's Open-Source Practices Secure?
It's a foregone conclusion that any app, third party or otherwise, will use open-source components. Your goal is to figure out how those components are used, and (more importantly) how secure a potential team is in using them.
Confirming that second point isn't as challenging as it sounds. How much experience does the team in question have with the open-source components it'll be using? Does the team research its code in search of known security flaws? Has it successfully implemented a given bit of open-source code in a similar project? If you'd expect your in-house employees to do something, make sure you're requiring the same of your third parties.
As this insightful Sys-Con piece notes, the rest comes down to sniffing out common-sense practices that you'd use for any software. Be sure any third-party team you might hire always uses the latest version of a given component, and only uses code from reputable sources. This may seem like a no-brainer for any security-minded developer, but making sure it's how your third-party devs work from the beginning is crucial.
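The three checks this section asks of a vendor (are components pinned and current, are they free of known flaws, do they come from a reputable source) can be turned into a repeatable audit rather than an interview question. The script below is an added illustration, not code from the article or any vendor: the manifest, the "latest release" table, the advisory list and the trusted-index allowlist are all constructed inline so it runs offline; in practice the latter three would come from the package registry and an advisory feed.

```python
"""Dependency hygiene audit over a constructed manifest (illustrative example, not from the article)."""
from dataclasses import dataclass
from urllib.parse import urlparse
import re

# Constructed manifest in requirements.txt style; package names and versions are made up.
MANIFEST = """\
# constructed sample manifest
examplelib==1.4.2
netparse==0.9.0
cryptoutil>=2.0
widgetkit==3.1.0
"""

# Constructed "latest release" table, standing in for a registry lookup.
LATEST = {"examplelib": "1.4.2", "netparse": "1.2.0", "cryptoutil": "2.3.1", "widgetkit": "3.1.0"}

# Constructed advisory list: (package, affected range [min_inclusive, max_exclusive), placeholder id).
ADVISORIES = [
    ("netparse", ("0.0.0", "1.0.0"), "EXAMPLE-ADV-001"),
    ("widgetkit", ("3.0.0", "3.1.0"), "EXAMPLE-ADV-002"),
]

# Constructed allowlist: only these index hosts, over HTTPS, count as reputable sources.
TRUSTED_INDEXES = {"pypi.org"}

REQ_RE = re.compile(r"^([A-Za-z0-9_.-]+)\s*(==|>=|~=|<=|>|<)\s*([0-9][0-9.]*)\s*$")


@dataclass
class Finding:
    package: str
    kind: str    # "unpinned", "outdated" or "vulnerable"
    detail: str


def parse_version(v: str) -> tuple:
    """Turn '1.4.2' into (1, 4, 2) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in v.split("."))


def parse_manifest(text: str) -> list:
    """Return (name, operator, version) triples; comments and blank lines are skipped."""
    reqs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = REQ_RE.match(line)
        if not m:
            raise ValueError(f"unparseable requirement: {line!r}")
        name, op, ver = m.groups()
        reqs.append((name.lower(), op, ver))
    return reqs


def in_range(ver: str, rng: tuple) -> bool:
    lo, hi = rng
    return parse_version(lo) <= parse_version(ver) < parse_version(hi)


def audit(manifest: str, latest: dict, advisories: list) -> list:
    """Flag unpinned, outdated and known-vulnerable components in the manifest."""
    findings = []
    for name, op, ver in parse_manifest(manifest):
        if op != "==":
            # A range instead of an exact pin means the build is not reproducible
            # and the resolved version cannot be checked against advisories here.
            findings.append(Finding(name, "unpinned", f"{op}{ver} is not an exact pin"))
            continue
        if name in latest and parse_version(ver) < parse_version(latest[name]):
            findings.append(Finding(name, "outdated", f"{ver} pinned, latest is {latest[name]}"))
        for pkg, rng, adv_id in advisories:
            if pkg == name and in_range(ver, rng):
                findings.append(Finding(name, "vulnerable",
                                        f"{ver} is in affected range {rng[0]} to <{rng[1]} ({adv_id})"))
    return findings


def source_is_trusted(index_url: str, trusted: set = TRUSTED_INDEXES) -> bool:
    """A component source is acceptable only if it is one of the allowlisted hosts over HTTPS."""
    p = urlparse(index_url)
    return p.scheme == "https" and p.hostname in trusted


if __name__ == "__main__":
    for f in audit(MANIFEST, LATEST, ADVISORIES):
        print(f"{f.kind:<10} {f.package:<12} {f.detail}")
    for url in ("https://pypi.org/simple", "http://pypi.org/simple", "https://mirror.example.invalid/simple"):
        print(f"{'trusted' if source_is_trusted(url) else 'untrusted':<10} {url}")
```

On the constructed manifest the audit reports three findings: netparse is both behind the latest release and inside an advisory range, and cryptoutil is not pinned; widgetkit sits exactly at the upper bound of its advisory range, so the half-open comparison correctly leaves it clean. Asking a vendor to run something of this shape in their build pipeline, and to show you the output, is a concrete way to verify the practices above rather than take them on trust.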
Is the Team Consistently Secure?
To be clear, consistent security is different from, say, releasing a string of secure apps. When hiring app developers from a pool of potential third parties, you want to be sure their approaches are holistically secure — that is, that they treat security as a constant focus in all aspects of their organizations.
While references and successful, safe end products are good indicators of this trait, make sure to scrutinize internal practices, too. A team that understands the importance of security (and the countless ways in which breaches can occur) knows that factors such as password policies, user privilege practices and consistent, tailored training and remediation can have just as big an impact on overall security as properly secure code can. While the term "paranoid" is often used in a pejorative sense, that's exactly what you want to look for: a team that understands every exploitable chink in your proverbial armor, and is vigilant in watching for new issues that may arise.
Security is a game of concepts — even small tells can speak volumes about a third party's overall practices. With regulators cracking down on accountability and user data more valuable than ever, making sure your third parties understand security from the ground up is a must-do, top-of-the-list practice. Make researching security practices your "ounce of prevention," and you'll appreciate the diligence later.
Staying secure means understanding security. If you're hiring app developers, try to involve security experts in every step of the process. Whether you need help forming questions, building criteria or just looking for potential pros and cons, a security-minded voice can bring valuable perspective to your search. Don't be afraid to ask for help: Whether you're looking for a vetted list of prospects or want to qualify your own prospects, an outside voice can save you time, effort and trouble.
Photo Source: Wikimedia Commons