the outsourcing curse strikes again!!
-
We pay them to deliver a web product, of which security is an integral part. It shouldn't even need stressing; if they have a better idea then communicate, don't silently go in and do crappy work!
I have seen some students while I was in university who used to do outsourced work through other companies. The problem is, those university students have very little idea about security, because they know how to do JavaScript and HTML and other programming languages, but security is more related to experience. That experience is not only gathered from years of working experience but also from working with people who know about it. When you outsource your work you give it to some company in some country, but you don't look at their setup. You really don't know how much they care about your security. I am not telling you not to outsource. I am telling you to rethink how you would give your precious system to be developed by some company you barely know.
-
Last week we came across a serious security flaw in our soon-to-be-released major web product that we had trusted the offshore partner (one of the largest Indian IT firms) with. This happened despite clear guidance as to how to implement the security in the product, which uses Silverlight and ASP.NET. They completely disregarded what was told and came up with a weird crazy arse lame mechanism of their own which led to the password being sent in a cookie merely as an ASCII valued string along with the login request!!! This is a cardinal sin, this is something you study in Web Security 101, totally unacceptable. Now, we can't just lay them off and bring all the work back onshore; the business financials probably don't allow for it. But it leads me to wonder whether outsourcing at all is worth the money spent or not. I know some of you may say, "you get what you pay for!!" but when a company boasts claims of excellence in delivery of solutions, I would at least expect them to understand what web security is and what's the right way to do it. In my opinion all these cheap outsourcing companies are just that - CHEAP both in terms of money and quality. I'm pretty sure many around here must have similar stories to tell.
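As an added example (not from this thread or the product it describes), here is a small check a reviewer could run over captured login requests to catch the anti-pattern the post describes: a cookie carrying the submitted password verbatim. The request, hostname, cookie names and form field names are all constructed for the demonstration.

```python
from urllib.parse import parse_qs

# Constructed sample request: a login POST where the password has also been
# copied into a Cookie header as a plain ASCII string (the flaw described above).
SAMPLE_REQUEST = (
    "POST /Account/Login HTTP/1.1\r\n"
    "Host: app.example.test\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Cookie: ASP.NET_SessionId=abc123; pwd=Hunter2!\r\n"
    "\r\n"
    "username=alice&password=Hunter2%21"
)

def parse_request(raw):
    """Split a raw HTTP/1.1 request into (lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body

def parse_cookie_header(value):
    """Parse 'a=1; b=2' into a dict; cookie values are not URL-decoded."""
    cookies = {}
    for part in value.split(";"):
        if "=" in part:
            k, _, v = part.partition("=")
            cookies[k.strip()] = v.strip()
    return cookies

def find_credential_leaks(raw, secret_fields=("password", "pwd", "pass")):
    """Return (cookie_name, form_field) pairs where a cookie carries the
    same value as a credential field submitted in the request body."""
    headers, body = parse_request(raw)
    form = {k: v[0] for k, v in parse_qs(body).items()}   # URL-decodes %21 -> !
    cookies = parse_cookie_header(headers.get("cookie", ""))
    findings = []
    for field in secret_fields:
        if field not in form:
            continue
        for cname, cval in cookies.items():
            if cval == form[field]:
                findings.append((cname, field))
    return findings

if __name__ == "__main__":
    print(find_credential_leaks(SAMPLE_REQUEST))   # [('pwd', 'password')]
```

The same function returns an empty list for a request whose cookies hold only a session identifier, so it can be run over a whole capture and only the offending requests are reported.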
I too was forced to work with an off-shore Indian company. I was explaining to them that the file was binary. Someone spoke up and said "I looked at the file and it's not binary as it contains more than ones and zeros." Things did not get better from there!
-
That probably was the moment you realized that there still was a long way ahead of you :) What did the file contain? Hexadecimal? :) Our intern said almost the same when I showed him a hex dump for the first time. At the beginning it seems to be hard to see any connection between those hex numbers and binary. The kids get their heads stuffed full of high level languages and how to write pretty source code. And they are told that the great modern compilers take care of the dirty work better than they ever will. It took some time for him to realize that the true magic is happening at that level. :)
At least artificial intelligence already is superior to natural stupidity
-
Either you made it up or those guys were really that ignorant! :D
-
God bless the Indian Firms. I have made $1000s of dollars "fixing" and making legal, code generated overseas. For 10 years, it was my bread and butter. The upfront cost of doing business with Indian shops is cheaper up front but the costs rise rapidly when the company has to hire me.
-
...and they probably got the coding idea by posting a question on Code Project asking 'can someone give me code to....'
-
We had an Indian company taking our code and converting it. In our initial discussions I stated two architectural requirements, and they later stated I never said them!!! Then they said that they wanted more money due to meeting my specs. So when we had our next big meeting I gave them the requirement of 300 txn per second and would not let the Indian move away from the subject until he wrote it down on the board as a requirement. (He tried to pass over it, stating that it was "standard" or some kind of bull cookie.)