|
We pay them to deliver a web product, security of which is an integral part. It shouldn't even need stressing; if they have a better idea then communicate, not silently go in and do crappy work!
|
|
|
|
|
I saw some students while I was in university; they used to do outsourced work through other companies.
The problem is, those university students have very little idea about security, because they know how to do JavaScript and HTML and other programming languages, but security is more related to experience. The experience is gathered not only from years of working experience but also from working with people who know about it.
When you outsource your work you give it to some company in some country but you don't look at their setup. You really don't know how much they care about your security.
I am not telling you to outsource. I am telling you to rethink how you would give your precious system to be developed by some company you barely know.
|
|
|
|
|
gladiatron wrote: must have similar stories to tell
Oooohhhhhhh yeah.... I know exactly what you are talking about.
Our "partner" was once tasked with building a very simple dialog based application consisting of a listbox and a couple of radio buttons. The app simply had to list files in a directory and write to a text file. They tried to tell us back here that it would take them a full month to write this application. A week just to do the UI! After 4 days of telling them that they are wrong, I wrote the entire thing in 2 days.
Why is common sense not common?
Never argue with an idiot. They will drag you down to their level where they are an expert.
Sometimes it takes a lot of work to be lazy
Please stand in front of my pistol, smile and wait for the flash - JSOP 2012
|
|
|
|
|
I guess you had a very bad experience of mismanagement. That sort of utility could not take that much time. Either the guys are trying to mint you or the team is lazy.
Sastry
|
|
|
|
|
Sastry_kunapuli wrote: trying to mint
We heard from one of the guys after we severed our relationship with the company. The management over there was directing the employees to do everything that they could to get as much money out of our company without actually producing anything.
|
|
|
|
|
Told you they are trying to mint you guys out. After all, the employee could not do anything better than what his management orders him to do. Anyway, all the teams of the company are not so; some of them are really good at delivering the work without getting back a remark from the customer.
Sastry
|
|
|
|
|
So, if they didn't meet the terms of the contract, don't pay them until they do. If your contract failed to specify that they must follow your instructions in this regard, shame on you.
Currently reading: "The Prince", by Nicolo Machiavelli
|
|
|
|
|
When you outsource you have to be aware of cultural differences.
In India, close enough is good enough. So when you complain their heads start nodding in typical Indian fashion. They honestly don't understand what the problem is.
Ukrainians don't always deliver what you ask either. Their response can be "That stupid, we do it this way". So don't expect them to read between the lines of your SRS.
Chinese it's a communication issue. Their language is so different to ours, your request may not translate.
I would never outsource mission critical work to India. The Ukraine is a lot better place to go. China is also good but definitely don't give them the big picture. You may end up funding the development costs of a new competitor.
"You get that on the big jobs."
|
|
|
|
|
I'm sorry to point out that in INDIA close enough is never good enough, until they have very little time to put all the business requirements into action or the problem is really understated in one line "Security has to be enabled".
No offence meant.
P.S.: I'm an INDIAN and I never settled for anything less than perfect in my development if it means I have to defy project time lines set for completing the task.
Sastry
|
|
|
|
|
Sastry_kunapuli wrote: the problem is really understated in one line "Security has to be enabled".
Well, the solution architects on our side drew the exact picture for them on what is expected and how, so the spec was in no way "understated". I think the real problem is they don't see our vision at the same level as we do; it's not their baby, they don't care. Their job is to take payments, deliver half-baked stuff and charge more money for fixing defects they introduced in the first place. I am not implicating all the developers in India; I am sure there are brilliant ones that come at nearly the same cost as an onshore programmer that we would hire. But assuming that these "top" companies will do a top job (well, coz they are "top"), we trust them a little too much. The problem is most of these "top" offshore companies, as I have learned, hire fresh graduates by the thousands, many of whom lack appropriate soft skills, i.e. time management, communication, sense of ownership for the task given, passion for the field of work etc. I have been told that 8 out of 10 so-called engineers are only in IT for the money, which obviously is plenty by Indian standards, and an onsite trip which they seem to love. This kind of culture proliferates a lot of "wanna-bes" that can only ever produce low quality work.
Sastry_kunapuli wrote: No offence meant.
None taken
|
|
|
|
|
Don't go by the name; you could get very good people from companies whose names are unheard of, or the other category from companies that are "Top". My suggestion is the next time you are offshoring some work, do not go by the company name but have a good interaction with the team that is working on the specs, and if they are not up to the mark, as a customer I think you have the privilege of getting a new team (not sure though), and do not settle for something less. Every $ is valuable.
Sastry
|
|
|
|
|
It's a reoccurring complaint I hear time and time again about off-shoring to India. Funnily enough it's not a reputation that applies to ex-pat Indians. If anything, it's the opposite.
"You get that on the big jobs."
|
|
|
|
|
I was a part of the offshore team once. Trust me, not all are security experts. After you have mentioned that security is a big deal in the application and that it has to be taken care of, all I can say is only one thing: there are hardly any security experts in the team that the work has been delivered to. Since the majority of persons who manage the projects look for people who can do DB and UI work, they ignore the fact that in a web application security is critical. Well, out of my experience in working with a few large IT firms in INDIA, what they look for more is that all the test cases are executed and that the client has not come back with any defects. So I would suggest marking it as a defect, and then they would get the right persons to do the job. In this case most of the web app security is done by experts onsite and then the DLL is sent back to be used by the team at offshore. So offshore has no idea how it gets implemented.
All the team members in offshore cannot tell which of MD5 or SHA1 is more secure for hashing. So my suggestion would be: next time you are looking for people offshore to work on projects for security, look up their project profiles to see if they have done anything of that sort previously or not. I hope you would get a chance to look at the profiles of the team before they get to start work on projects; if not, you can always request the profiles before hiring and they must provide that if it is one of the top companies.
Sastry
|
|
|
|
|
As a rule of thumb never outsource critical parts of an application. Outsourced teams are there to do the grunt work; keep anything critical in house to be worked on by domain experts.
This is not to say that outsourced developers are any better or worse than onshore developers; it's simply a lot easier to manage an onshore team than one that is thousands of miles away, in a different time zone and with cultural differences that are not always obvious.
"If you think it's expensive to hire a professional to do the job, wait until you hire an amateur." Red Adair.
nils illegitimus carborundum
me, me, me
|
|
|
|
|
I too was forced to work with an off-shore Indian company.
I was explaining to them that the file was binary.
Someone spoke up and said "I looked at the file and it's not binary as it contains more than ones and zeros."
Things did not get better from there!
|
|
|
|
|
That was the best joke I ever heard, and by the way, who is the computer genius?
Sastry
|
|
|
|
|
|
Either you made it up or those guys were really that ignorant!
|
|
|
|
|
I promise it really happened! After that I had to explain why the output from my 10-bit A/D was being sent 16-bits. That didn't go any better.
|
|
|
|
|
We've picked up quite a bit of work from clients who've had enough of the crap that outsourcing companies produce.
|
|
|
|
|
God bless the Indian Firms. I have made $1000s of dollars "fixing" and making legal, code generated overseas. For 10 years, it was my bread and butter. The upfront cost of doing business with Indian shops is cheaper up front but the costs rise rapidly when the company has to hire me.
|
|
|
|
|
...and they probably got the coding idea by posting a question on Code Project asking 'can someone give me code to....'
|
|
|
|
|
We had an Indian company taking our code and converting it. In our initial discussions I stated two architectural requirements and they later stated I never said them!!! Then they said that they wanted more money due to meeting my specs.
So when we had our next big meeting I gave them the requirement of 300 txn per second and would not let the Indian move away from the subject until he wrote it down on the board as a requirement. (he tried to pass over it stating that it was "standard" or some kind of bull cookie)
|
|
|
|
|
Uhm, well, Microsoft certainly does not want to duplicate code. This is a dotPeek disassembly of the framework reference source code of a .NET 4.0 Tuple helper class:
    public static class Tuple
    {
        internal static int CombineHashCodes(int h1, int h2)
        {
            return (h1 << 5) + h1 ^ h2;
        }

        internal static int CombineHashCodes(int h1, int h2, int h3)
        {
            return Tuple.CombineHashCodes(Tuple.CombineHashCodes(h1, h2), h3);
        }

        internal static int CombineHashCodes(int h1, int h2, int h3, int h4)
        {
            return Tuple.CombineHashCodes(Tuple.CombineHashCodes(h1, h2), Tuple.CombineHashCodes(h3, h4));
        }

        internal static int CombineHashCodes(int h1, int h2, int h3, int h4, int h5)
        {
            return Tuple.CombineHashCodes(Tuple.CombineHashCodes(h1, h2, h3, h4), h5);
        }

        internal static int CombineHashCodes(int h1, int h2, int h3, int h4, int h5, int h6)
        {
            return Tuple.CombineHashCodes(Tuple.CombineHashCodes(h1, h2, h3, h4), Tuple.CombineHashCodes(h5, h6));
        }

        internal static int CombineHashCodes(int h1, int h2, int h3, int h4, int h5, int h6, int h7)
        {
            return Tuple.CombineHashCodes(Tuple.CombineHashCodes(h1, h2, h3, h4), Tuple.CombineHashCodes(h5, h6, h7));
        }

        internal static int CombineHashCodes(int h1, int h2, int h3, int h4, int h5, int h6, int h7, int h8)
        {
            return Tuple.CombineHashCodes(Tuple.CombineHashCodes(h1, h2, h3, h4), Tuple.CombineHashCodes(h5, h6, h7, h8));
        }
    }
So... when you want to have a hash for a Tuple of 8 values, you get the overhead of 7 function calls on the stack. Nice...
Greetings - Jacek
modified 18-Apr-12 18:19pm.
|
|
|
|
|
Yikes!
Attempting to load signature...
A NullSignatureException was unhandled.
Message: "No signature exists"
All of the books in the world contain no more information than is broadcast as video in a single large American city in a single year. Not all bits have equal value.
Carl Sagan
|
|
|
|