Mobile App Security: In Search of the Silver Bullet

In October 2016, the use of mobile devices to access the internet surpassed that of desktop computers. Today, more than half of internet access is done with phones and tablets.

What, Me Worry?

Given this, you might assume that mobile apps would be designed with high levels of security or that security itself would be an utmost consideration in app design, but that’s not the case. In fact, the problem of security in mobile apps is enormous – and not new, either.

First the Breach, Then the Fix

As far back as 2014, Gartner predicted that, by 2017, 75% of mobile security breaches would be due to a failure of what it called “app misconfiguration”.

A study by the Ponemon Institute in 2018 claims that a majority of organizations admit they don’t invest in app security until AFTER they’ve suffered a breach. No wonder the dollar value of the average security breach today is nearly 4 million US dollars.

Albert Lo, Senior Mobile Engineer with Optimus Information, says it’s a mistake for a developer to assume that web security tools can be applied to mobile apps. “You can’t lump them into the same bucket,” he says. “Mobile security has its own set of characteristics.”

Why Mobile Security is Different

Mobile apps also have their own unique security risks, Lo adds. Malware developers target mobile apps by first trying to “decompile” them. They change a few things so they can inject their own malware, recompile the app and sign a new security certificate that binds to the app, he says.

This is one of the chief security differences from web apps, which don’t need to sign a security certificate, and it is why different security strategies must be employed.

The best approach to securing a mobile app is in the design stage. “It’s really a mindset you need, that security should be part of the development process right from the start – especially when different frameworks are being considered.”

Choosing the Right Framework

Mobile apps often have a need for persistent data – user data or network data stored in a database, for example. Not all databases, however, are created equal and the choice will ultimately impact the app’s security features.

Albert Lo works with Android-based apps, which use a database called SQLite. The problem with this database is that it is not secure on its own (it provides no built-in encryption), so an Android developer can reach for a framework known as Realm, which comes with 256-bit encryption built in – but also demands up to 4MB of space for its database.


Other frameworks, such as Google’s Room, can also be used. Room provides an abstraction layer over SQLite to allow for more robust database access, but it doesn’t support database encryption – unless a developer puts in extra work to build encryption support. As a result, Room’s database footprint is much smaller.

One tool that has proven very useful here at Optimus is Google SafetyNet. SafetyNet is an API that lets its user know whether an app, or the device it runs on, has been compromised or tampered with. Its verdict can be checked on the server side in real time to determine whether the mobile app has been compromised.
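The server-side checks described above, and the decompile-modify-re-sign scenario from the “Why Mobile Security is Different” section, can be illustrated with the following Python example. It is an added example and not Optimus’s own code: it assumes the attestation arrives as a JWS whose payload carries the fields Google documents for SafetyNet (nonce, timestampMs, apkPackageName, apkCertificateDigestSha256, ctsProfileMatch, basicIntegrity), and it assumes the JWS signature and its x5c certificate chain have already been validated by a JWS library, so the signature in the constructed sample is a placeholder. The package name and certificate digests are constructed placeholders as well.

```python
import base64
import json
import secrets

# Values the server expects for the legitimate build. Both are constructed
# placeholders for this example, not a real package name or real digests.
EXPECTED_PACKAGE = "com.example.placeholderapp"
EXPECTED_CERT_DIGESTS = {base64.b64encode(b"\x11" * 32).decode()}
MAX_AGE_MS = 5 * 60 * 1000  # reject verdicts older than five minutes


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_sample_jws(payload: dict) -> str:
    """Build a JWS in the header.payload.signature shape of an attestation.
    The signature is a placeholder: this example assumes the real response's
    signature and x5c chain were verified by a JWS library beforehand."""
    header = {"alg": "RS256", "x5c": ["<placeholder certificate>"]}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(payload).encode()),
        _b64url_encode(b"placeholder-signature"),
    ])


def verify_attestation(jws: str, issued_nonce: bytes, now_ms: int):
    """Policy checks over the attestation payload. Returns (ok, reasons)."""
    parts = jws.split(".")
    if len(parts) != 3:
        return False, ["malformed JWS"]
    try:
        payload = json.loads(_b64url_decode(parts[1]))
    except ValueError:
        return False, ["payload is not valid JSON"]

    reasons = []
    # 1. The nonce ties this verdict to the request the server issued, so a
    #    captured "good" verdict cannot be replayed for another session.
    if payload.get("nonce") != base64.b64encode(issued_nonce).decode():
        reasons.append("nonce mismatch")
    # 2. Freshness: the verdict carries the time it was produced.
    ts = payload.get("timestampMs")
    if not isinstance(ts, int) or not (now_ms - MAX_AGE_MS <= ts <= now_ms + 60_000):
        reasons.append("timestamp outside accepted window")
    # 3. The verdict must describe our app, not some other attested app.
    if payload.get("apkPackageName") != EXPECTED_PACKAGE:
        reasons.append("package name mismatch")
    # 4. A decompiled, modified and re-signed build is signed with a different
    #    certificate, so its digest no longer matches the expected set.
    digests = set(payload.get("apkCertificateDigestSha256") or [])
    if not digests or not digests <= EXPECTED_CERT_DIGESTS:
        reasons.append("signing certificate digest mismatch")
    # 5. Device integrity verdicts carried by the attestation itself.
    if payload.get("ctsProfileMatch") is not True:
        reasons.append("ctsProfileMatch false")
    if payload.get("basicIntegrity") is not True:
        reasons.append("basicIntegrity false")
    return not reasons, reasons


def demo():
    """Run the checks over three constructed verdicts: genuine, repackaged, stale."""
    nonce = secrets.token_bytes(16)  # one per session, kept server-side
    now = 1_600_000_000_000          # constructed "current time" in ms
    genuine = {
        "nonce": base64.b64encode(nonce).decode(),
        "timestampMs": now - 2_000,
        "apkPackageName": EXPECTED_PACKAGE,
        "apkCertificateDigestSha256": sorted(EXPECTED_CERT_DIGESTS),
        "ctsProfileMatch": True,
        "basicIntegrity": True,
    }
    other_cert = base64.b64encode(b"\x22" * 32).decode()  # constructed digest
    repackaged = dict(genuine, apkCertificateDigestSha256=[other_cert])
    stale = dict(genuine, timestampMs=now - 2 * MAX_AGE_MS)
    return {
        "genuine": verify_attestation(build_sample_jws(genuine), nonce, now),
        "repackaged": verify_attestation(build_sample_jws(repackaged), nonce, now),
        "stale": verify_attestation(build_sample_jws(stale), nonce, now),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Every check is recorded rather than short-circuited, so a rejected request's log line shows all the reasons at once; the certificate-digest check is the one that distinguishes a repackaged build from the original, and the nonce and timestamp checks stop a previously captured verdict from being reused.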

Open Source Open to Risk?

Albert Lo says he’s often asked if an open source code base like Android doesn’t have inherent security risks. He maintains that because of its open source nature, Android can be constantly improved when those with security backgrounds scrutinize and review the OS code base, something that can only help the code base become better and more secure over time.

“But, using an open source OS like Android means you also have to immediately adopt standards and best practices to safeguard against security threats and attacks on user data,” Lo states. Once those are adopted, a developer building on that OS can ensure that the app is less vulnerable to attack.

No Simple Fix

At the end of the day, “there is no silver bullet or framework that will magically address all your security concerns and requirements. That’s just the way it is. Securing a mobile app is complex and there are different concerns to deal with. For those apps that don’t store credit card information or have a database, for example, there’s no concern about encrypting a database,” Lo says.

He often refers to the Open Web Application Security Project, or OWASP, for counsel. OWASP is an open community “dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted.”

OWASP’s Top 10

Recently, OWASP published its Mobile Top 10, a list of potential app security issues with suggested workarounds. At Optimus, Albert Lo and his associates adopt a layered approach when it comes to security, using OWASP guidance to assist them in providing fortress-like security during app development.

Best Practices Work Best

Will there come a time when mobile apps are fully and permanently secure? That’s hard to say with certainty. Blockchain technology holds great promise but, by simply following best practices and standards right now, developers can go a long way in creating secure mobile apps.

Albert Lo says he’s an evangelist when it comes to promoting mobile security best practices.

“Security is ever-changing because there’s new technology and new best practices every year. Security is not static. There is always something to learn.”

Rely On Our Expertise

At Optimus Information, that learning, as Albert says, is ongoing. As a result, we are delivering top quality – and highly secure – mobile apps to our customers, every day.

We invite you to tap into our wealth of experience in the critical area of mobile security by calling us to discuss how we can assist you with your project.

Do’s and Don’ts of Software Outsourcing

What are the Do’s and Don’ts of Software Outsourcing?

Outsourcing software development can be a great way to save your company or organization time and money. However, if done haphazardly, it can also become a source of great headaches. It’s easy to make common mistakes, such as not clearly defining goals or expecting the process to magically produce results. It’s much harder to manage the process and see that it achieves the results you desire. Here are some do’s and don’ts of software outsourcing for you to consider as you get involved with software development outsourcing.

Do Define Your Goals and Metrics

One of the hardest things for any outsourcing services provider to deal with is a moving target. It’s important that you have clear planning documents in place that outline the goals for each project. Likewise, you also need to use clearly understood and widely trusted metrics to measure the success of a project. If you and your outsourcing provider agree on the measures of success, there’s a much better chance you’ll hit your target.

Don’t Fire and Forget

Handing a pile of specs to an outsourcing firm does not count as passing the project along. The process is inherently collaborative. It’s important that everyone on your side, the client side, stays engaged. When mockups come in, check them. When requirements are reportedly fulfilled, verify them. If errors occur, correct them. Do not plan to hand off the specs and just come back months later expecting to see a finished product.

Do Put Processes in Place

Every aspect of your project should have a clear process in place to ensure that both you and your outsourcing company understand what it means for a step to be considered complete. This means verifying that mockups are passed along and that both parties sign off on each step. Requirements for each stage should also be outlined clearly, and all parties involved should agree to them. Nothing dooms a project as fast as an ambiguous understanding of what it means for a step to be truly completed.

Do Communicate Well

This can be trickier than it sounds. Even if you’re running a North American firm that’s outsourcing to another firm on the continent, time differences matter. If your vendor doesn’t have flexible hours, then you’re likely losing collaboration time. For example, if a company in New York City is outsourcing to a firm in Vancouver, it’s important to know that the Vancouver folks are prepared to have someone show up early on some days to touch base with the New York crowd before the work day gets rolling.

Don’t Judge on Price Alone

One of the greatest temptations of outsourcing software development is to simply take the lowest price offered. This is a terrible idea. There are many tradeoffs required to get to the lowest price. Will you be dealing with people who speak your language natively? If the vendor is on the other side of the planet, will they even be able, at that price point, to have someone communicate with you live at a convenient time?

Do Expect a Performance Curve

If you’re beginning your first project with a specific vendor, it’s unrealistic to assume they will be able to just hit the ground running. Every outsourcing firm requires time to make sense of your company’s culture and figure out the best way to achieve the results you seek. Getting frustrated by this process can be very costly. There’s little benefit that can be expected by bouncing from vendor to vendor. Give vendors time to acclimate.

Don’t Outsource Core Functions

Some parts of your company just have to work. The best way to see that your operation works the right way is to ensure that core functions stay in-house. For example, if you ran a vinyl sign company, it would be insane to outsource your graphic design work. On the other hand, it might be perfectly reasonable to outsource backend coding for your website.

Do Prepare for the Future

No matter how strong your relationships may be with your current set of vendors, you need to know the market and be prepared for the future. If the day comes that your preferred vendor can no longer handle the scale of your work, you want to have a list of vetted alternatives in place. You can lose months of project time trying to find a new vendor.

Don’t Use Outsourcing as a Stopgap

Adding an outsourced software development team to your organization means incorporating it on a long-term basis. If you drop a project on an outsourcing company and then turn around expecting in-house people to maintain or even expand it, the results will be rubbish. It may also foster discontent among the in-house team. Look at long-term partnerships where certain projects or tasks stay with your outsourcer and others stay with your in-house team. Your people handling the outsourcing of your software will then become comfortable dealing with your in-house people handling core functions, and vice versa.

Don’t Rely on Technology Alone

There’s a lot to be said for getting in at least one face-to-face meeting, ideally more as required. Your vendor and you can both demonstrate commitment to the project. You also can interface more quickly. If at all possible, try to make in-person meetings part of the process.

Conclusion

Outsourcing is an amazing tool for any company to have access to. It is important, however, to appreciate that it’s not magical. It’s a process that your organization has to fully accept and integrate. With the right checks and balances in place, you can ensure that your outsourced software development efforts achieve the results you want.

Ultimately, successful IT outsourcing comes down to finding the right partner that fits with your organization and IT needs. Optimus Information has become a trusted partner to companies of all sizes and in all verticals; we know what works and what doesn’t when it comes to your IT challenges and working with your organization. Hopefully, this article sheds light on some of these do’s and don’ts of software outsourcing.

Contact us today for your next IT project. We’re always happy to help.

Start outsourcing effectively. Download our How to Overcome IT Outsourcing Challenges whitepaper.

(Note: This blog has been updated with new information)

Tactical Outsourcing vs Strategic Outsourcing

The term outsourcing scares people for various reasons, but there is no reason that it should. Outsourcing is very effective for certain situations, especially when developing software solutions. For a company to grow its internal IT department, it must search for a qualified candidate and go through the long process of interviewing, hiring, and training the new employee. This can take a long time and cost the company a lot of money. The alternative to this is outsourcing. But, what exactly is the difference between tactical outsourcing and strategic outsourcing?

There are two main types of outsourcing that you can find for your IT needs: tactical and strategic.

Tactical Outsourcing

Tactical outsourcing refers to hiring a firm to perform specific development functions as part of your existing software development process. You retain oversight of the project, giving you more control over the process. This is very helpful if you need a project done on short notice because you can avoid the long process of searching for the right candidate.

Tactical outsourcing is also helpful when you have a short-term need for a highly skilled developer in a specific technology that you do not normally use. A developer with the right skill set may be very difficult to locate, so going through a skilled tactical partner can mean fast turnaround and lower overhead than hiring internal resources.

With tactical outsourcing, you maintain the planning process, including gathering requirements from stakeholders and designing the system that the developers will create. This increases management overhead, but it also gives you more control over the process and more knowledge about what is happening. The outsourced developers are familiar with your processes and answer to you throughout the project.

Strategic Outsourcing

Strategic outsourcing involves partnering with an IT company that provides top-down services. They handle the entire planning and development processes, leaving you free to focus more on other aspects of the business. This is nice for some companies because they are able to pay prices per project instead of per hour of work.

With either type of outsourcing, you should address a few key points with your prospective outsourcing partner. The first is documentation because you never know what could happen in the future. If a support issue comes up or you need new functionality added to an existing product, you will need proper documentation to know how the product is supposed to work. Ensuring that your partner provides proper documentation, both in the code and out, can be vital to handling these situations.

You should always provide full technical information about your requirements to your outsourcing partner. Leaving out any details could cause severe problems as you go through the process. Always remember to include all of your key decision makers and stakeholders in discussions to ensure that everybody’s goals align properly. Repeated changes over time can greatly increase the cost of any project, so planning everything up front is vital to a successful partnership.

You should always examine your prospective partner’s portfolio, looking for consistent, high-quality performance over time. Not all outsourcing companies are equal, and even great companies may not be the right choice if their goals do not align with yours. It is also important to note for what industries the company has worked. If the company has worked for other companies in your industry, it could mean that they are already familiar with many of your processes and terminology, making communications much easier.

Conclusion

Both outsourcing solutions could work for you, depending on your situation. Many companies prefer tactical outsourcing because it allows them to maintain more control over the process and usually means less of a commitment. However, the trade-off is significantly more involvement from the client.

At Optimus, we find there is a lot to gain from ongoing strategic outsourcing partnerships, and clients typically reap more benefits: less hands-on management, higher quality work, faster delivery and greater flexibility.

For an in-depth look at strategic outsourcing, check out our guide.

Download our Guide to Strategic Outsourcing

(Note: This post has been updated with new information.)

What to Look for in an Outsourcing Partner

How to know if an outsourcing partner is right for you?

Bad experiences with an outsourcing partner are often traceable to badly designed selection processes or the use of deficient selection criteria. While you can find ample guidance online on how to build a robust selection framework, here we share the most important vendor attributes for comparing and contrasting outsourcing companies, to ensure you select one that is right for you.

Sizing a Vendor to Your Project

When matching the capabilities of an IT provider to your project, size matters. If your organization can fund nine-figure deals, then the number of companies able to field such a deal is not large, whereas for smaller projects you have a lot more choices.

The key is to find a provider of a size that will consider your deal to be a big deal. This significantly increases the odds that your project receives the attention it deserves by having their most talented staff assigned to it. Additionally, right-sizing usually provides meaningful accommodation in contract terms and professional treatment from the executive staff.

The risk of choosing an outsourcing partner that is too small, however, is that they may not have a sufficient level of technical capabilities, skilled staff, certifications or experience to deliver what you hope to accomplish.

Local Presence with Global Delivery

If your company is based in North America, then choose an outsourcing partner whose headquarters are there. They will better understand your industry, business model, goals and processes since you are working within a similar cultural context.

Your company also benefits from local contractual protections should your project hit a serious speed bump. It also provides the distinct possibility that they can provide onsite staff at your site, which improves communication and timely escalation of critical issues.

However, vendors that also provide delivery from offshore will save you money. Furthermore, vendors with a global presence can interact directly with your own global sites and offer the possibility of adding shifts in other time zones that work collaboratively with your local staff, which gives you 24 hours a day of development.

Consistency in Quality and Delivery

Until recently, the majority of IT outsourcing firms sold themselves mainly on cost and based contracts on hourly rates. These days, more companies compete on their ability to produce results. Those results should include both timely delivery and measurably high-quality products or services.

During your due diligence, evaluate the vendor’s past work and pursue references to gauge how well the vendor has delivered on their promises. Have a detailed discussion with their senior staff about how their corporate culture reinforces the importance of on-time delivery and high quality throughout the ranks.

When you are convinced they will deliver what they say they will, it is still prudent to start the relationship with one or more smaller projects of a few months in duration to validate their work and timeliness for yourself.

Communication Capabilities

Well-planned, thorough and frequent communication is critical when using an IT outsourcing partner. This goes double if the company you select has offshore resources, since both time and language may present communication barriers.

How much, when and how each of you communicates with the other should be driven by the client. Both sides must identify primary contacts for specific areas. These people must have designated backups for cases where the primary is unavailable. Daily meetings with program and development managers are not unreasonable, nor are weekly meetings with BDMs or department managers. To gauge frequency, ask yourself how much time you can afford to lose should a process go astray.

Vendors uncomfortable with your communication plan should raise a red flag with you, since this is such an essential element in your business relationship.

Their Range of Skill Sets

Except for the largest IT organizations, most companies do not have all the personnel with all the right skill sets for every project. When evaluating an outsourcing partner’s technical and process capabilities, strike a balance between broad and deep skills that align with your business and project needs.

If you hope for the vendor to work on more than one type of project or you wish to establish a long-term relationship, then one with a broader range of skills may work out better in the long run. A possible drawback is that a project comes along that is a mismatch for the vendor’s skills and quality suffers.

Many enterprises today recognize that one size does not fit all, especially when working with small to mid-size IT outsourcing companies, so they choose to multi-source these services. This can complicate internal management of vendors, but often the point solutions that smaller vendors provide are of higher quality, with faster delivery and at the same or lesser cost.

Conclusion

Proper selection of an IT outsourcing vendor will significantly augment your company’s strategy and operations. Lack of due diligence, however, often leads to negative consequences plus lost time and money.

Use the selection criteria above along with a robust process comparing business requirements against each company’s pros and cons. This will lead to asking the right questions and building a seamless working relationship with a talented development provider.

The Optimus Information model is designed to allocate the right mix of local and offshore resources in order to optimize expertise, speed and cost. We give development teams the ability to quickly add specialty skills without incurring long-term costs. Our successful track record speaks for itself, and we love to share past work we’ve done. Our global team is made up of a diverse range of experienced professionals, allowing us to work on complex solutions requiring a wide variety of expertise. The result for our customers is the capability to far better manage resource capacities and outcomes.

Contact us for your next IT project. We’re always happy to help.


(Note: This blog has been updated with new information)

Top Ten Software Development Outsourcing Trends for 2020

What are the Top Ten Software Development Outsourcing Trends for 2020?

Originally, the primary motivation to outsource software development was to achieve lower labor costs, but continuing and emerging business and technology trends in 2016 are leading to new client requirements on outsourcers. When choosing an outsourcing partner, more and more businesses are looking for closer alignment to their business goals, flexibility demands and quality requirements.

Thus, clients are evaluating outsourcing companies via increasingly sophisticated criteria. The smartest software providers are reciprocating by developing new service models while taking advantage of many of the same technologies driving these current trends.

1) Moving from Hours to Results

In order to ensure that enterprises are getting what they need for their money, most are now seeking out providers who operate on a results-driven model versus rates based on time. Furthermore, clients are demanding that payment schedules be based on satisfactory achievement of those results versus upfront fees or retainers.

2) Greater Flexibility

Clients are looking for providers who provide on-demand services without locking them into long-term contracts or volume commitments. This enables client companies to respond more efficiently to rapidly changing market demands. In response, development providers who are moving operations to cloud resources are the ones most likely to adapt to the increased demand for flexibility.

3) Utilization of DevOps Practices Continues Apace

DevOps continues to attract adherents as it goes mainstream in up to 25 percent of companies this year, according to Gartner. Most of the IT departments in these organizations are transitioning to a service center model. Service providers who already operate in this manner will more easily blend into these organizations’ processes and decision-making apparatus.

4) Security Risk Perception Increases

A key concern within any outsourcing strategy is security. With the growing presence of the Internet of Things and the potential for an exponentially larger attack surface, software development outsourcing companies must ensure that their own security vulnerabilities are addressed in a manner that will win the confidence of client decision makers. Demonstrating a solid track record and established policies is of high importance when selecting a vendor.

5) Managing Infrastructure as Code

Amazon’s AWS has enabled the application of software development change management systems to development and deployment infrastructure. AWS is dedicated to making this paradigm increasingly easier with new APIs and services. Outsourcers who adopt this practice are reaping large benefits in their software support, testing and deployment efficiency by syncing servers, storage and networking infrastructure to precise versions of the source code.

6) Multi-Sourcing Technologies Impacts Integration

Client companies are utilizing a more complex mix of software products and services this year. This multi-sourcing of technologies presents in-house management challenges, and a rise of new vendor management offices. The challenge for software providers is meeting new performance and integration standards from VMOs. Compliance failure may result in the outsourcer being dropped in the interests of streamlining operations.

7) Business Process Outsourcing Being Replaced by Robotic Process Automation

The software outsourcing industry in 2016 will continue to feel the influence of the rise of RPA. In fact, one of RPA’s touted benefits is the reduction of outsourcing, especially via cloud-based RPA services. Those outsourcers who can adapt by offering relevant automated services in the most responsive, scalable and efficient manner are the ones who can survive and profit from this trend.

8) Outsourcing Selection is Speeding Up

Along with the adoption of agile methodologies within software development, business decisions are also being made with more agility and higher velocity. Outsourcers will increasingly recognize this trend as more clients endeavor to close smaller deals faster in order to stay ahead of their competition.

9) Adept Companies Are Being More Selective with What They Outsource

Many organizations who originally turned to outsourcing to compensate for a lack of internal expertise and resources have grown more sophisticated over time. They are progressively learning to be more selective regarding what to do in-house versus handing off to an outsourcing provider. Organizations are looking deeper into what their core competencies are, and into what they can outsource to make themselves more efficient in-house. Their motivations are usually the desire for greater flexibility, responsiveness or cost reductions, all of which software providers need to be sensitive to in contract negotiations.

10) Outsourcing Company Accommodation Increasing

It is no longer the case that companies seek out only the lowest cost provider. Sophisticated outsourcing companies will respond tactically and strategically to all the trends discussed here to grow or to survive. This trend is seen in the greater tendency for outsourcers to adapt and adjust terms or offer new services in an effort to deliver the best product and service.

Conclusion

The outsourcing industry is more fluid than ever this year with clients focusing less on price per se and more on results, quality, integration, security and agility from software development providers. As you adapt to your own fast-moving markets and the rise of paradigm-shaking technologies such as IoT and on-demand infrastructure, so do we. Optimus stays two steps ahead in order to support your business in all your software and IT requirements.

At Optimus, we consistently stay on top of these trends while leveraging the forces driving them to bring you the solutions you need. Contact us to help with your next development, testing, cloud, BI or mobile project.

info@optimusinfo.com
604-736-4600

(Note: This post has been updated with new information)