Monday, January 17, 2011

Are SaaS Software Products Secure?

Software delivered over the Internet is exposed to increasing threats to confidentiality, integrity, and availability. SaaS implementations have an even greater exposure than single-customer deployments. Some analysts have estimated that as many as 90% of all Web-accessible commercial applications have security vulnerabilities. What can and should be done to minimize security vulnerabilities of a SaaS software product?

Security for SaaS software products must be addressed along the following dimensions.

  • Threat sources, both intentional (malicious probes, floods, spoofing, etc.) and inadvertent (identification, authorization, boundary violations, etc.). In a SaaS environment, an intentional threat can wreak great havoc because multiple customers are sharing the same code and database. Additionally, inadvertent threats become much more likely, such as one customer gaining access to another customer’s data.
  • Phase of vulnerability introduction, the steps in a software development lifecycle, including requirements, design, source code development, object code creation, deployment, operations, and maintenance. SaaS development requires re-thinking an application’s and database’s architecture from the ground up to ensure isolation and confidentiality. Ongoing operations and maintenance processes must be designed to ensure new vulnerabilities are not introduced.
  • Target of threat, including account information, application processes, data, code modules, and infrastructure. Each component of an application is more at risk in a SaaS deployment because of its shared-use nature.

This means that security must be “built in” to a SaaS software product from the beginning. Threats and vulnerabilities must be understood and be the basis of the security requirements of a SaaS software product. The development process must ensure that the product is architected and designed to meet the security requirements, that development and testing practices and tools ensure the security requirements are met, and that the execution environment has been designed and implemented to meet security requirements.
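As an added illustration (not code from the original post), the sketch below shows the inadvertent cross-customer access described above in a shared table, next to a data-access layer that has tenant isolation built in, plus a regression check that detects leaks. The `invoices` table, tenant names, and all function and class names are assumptions made for the example.

```python
import sqlite3

def make_db():
    """Constructed sample data: two customers (tenants) sharing one table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE invoices (id INTEGER PRIMARY KEY,"
               " tenant_id TEXT NOT NULL, amount INTEGER)")
    db.executemany("INSERT INTO invoices VALUES (?, ?, ?)",
                   [(1, "acme", 100), (2, "globex", 250), (3, "acme", 75)])
    return db

def get_invoice_unscoped(db, invoice_id):
    """Weak form: lookup by primary key only, so any tenant can read any row."""
    return db.execute("SELECT id, tenant_id, amount FROM invoices WHERE id = ?",
                      (invoice_id,)).fetchone()

class TenantScopedInvoices:
    """Hardened form: the tenant is bound once (from the authenticated session)
    and every statement carries it; callers cannot omit or override it."""
    def __init__(self, db, tenant_id):
        if not tenant_id:
            raise ValueError("tenant_id is required")
        self._db, self._tenant_id = db, tenant_id

    def get(self, invoice_id):
        return self._db.execute(
            "SELECT id, tenant_id, amount FROM invoices"
            " WHERE id = ? AND tenant_id = ?",
            (invoice_id, self._tenant_id)).fetchone()

    def update_amount(self, invoice_id, amount):
        cur = self._db.execute(
            "UPDATE invoices SET amount = ? WHERE id = ? AND tenant_id = ?",
            (amount, invoice_id, self._tenant_id))
        return cur.rowcount == 1  # False when the row belongs to someone else

def cross_tenant_leaks(db, fetch):
    """Isolation regression check: request every row as every tenant and return
    (requesting_tenant, row_id) pairs where another tenant's row came back."""
    rows = db.execute("SELECT id, tenant_id FROM invoices ORDER BY id").fetchall()
    tenants = sorted({owner for _, owner in rows})
    return [(tenant, row_id) for tenant in tenants for row_id, owner in rows
            if owner != tenant and fetch(db, tenant, row_id) is not None]

def unscoped_fetch(db, tenant, row_id):
    return get_invoice_unscoped(db, row_id)

def scoped_fetch(db, tenant, row_id):
    return TenantScopedInvoices(db, tenant).get(row_id)

if __name__ == "__main__":
    db = make_db()
    print("unscoped leaks:", cross_tenant_leaks(db, unscoped_fetch))
    print("scoped leaks:  ", cross_tenant_leaks(db, scoped_fetch))
```

A check like `cross_tenant_leaks` belongs in the test suite that runs on every release, so that maintenance changes cannot quietly reintroduce an unscoped query.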

Are you developing a secure SaaS software product?

Monday, January 3, 2011

Top 4 Reasons to Outsource Software Product Development

If you think I am going to say the number 1 reason to outsource software product development is cost savings, you are WRONG! It’s not that you won’t achieve cost savings, but it should not be the main reason you outsource. If all you want is a “cheap” solution, just remember the old adage “You get what you pay for.”

Choosing to outsource software product development is a complex decision which includes target market needs (particularly around speed to market), core vs non-core product development, skills of current development staff, ability to hire key skills, and many other factors.

Based on my experience outsourcing software product development and providing outsourced software product development services, I believe the following are the top 4 reasons for outsourcing software product development.

  1. You need to quickly adapt to new technology but don't have the skills in-house. For example, with the advent of smart mobile devices, your users may demand that they be allowed to access your software product via a mobile device. Or, you may need to transform your product from an on-premise product to a SaaS product. But, you don't have the skills in-house to do this.

  2. You have a rapid growth plan that includes developing and releasing new software products at a more rapid pace than ever before. This may require putting new teams together quickly to address the new demand on product development.

  3. You are unwilling or unable to find enough staff with the appropriate skills in your local market. For example, you may need to ramp up a team of 5-10 developers in 2 weeks. That is usually very difficult in any local market (particularly the 2 week requirement).

  4. Your product development needs require flexible staffing. For example, you may need an extra team for a few weeks at a time, but not all the time or you foresee needing an extra team for only a few months.

Our most successful outsourcing clients cited at least 2 of the above reasons as their primary impetus for outsourcing their software product development. I'm interested in hearing other reasons for outsourcing software product development. Let me hear from you.