Wednesday, April 30, 2008

Market Spotlight: Indian outsourcing firms

Source : Click

Indian outsourcing firms are feeling some pain from weak dollar

The outsourcing of technology jobs has been a lucrative and controversial trend over the past 10 years. But with the dollar declining against foreign currencies, it's getting more expensive for U.S. firms to pay for foreign labor, a factor that has increasingly become a source of concern for Wall Street analysts.

According to Janney Montgomery Scott analyst Joseph D. Foresi, outsourcing is based almost solely on labor arbitrage; if U.S. companies can hire labor cheaper in India and other developing countries, they will continue to take their business there.

"So far, there has been a pinch on margins for U.S. companies, but it is still less expensive for them," he said.

There has even been some relief as the rupee depreciated against the dollar during the quarter ended March 31, making it more affordable for U.S. companies to hire Indian firms. A drop in the rupee's value has not come fast enough for Satyam Computer Services Ltd., one of India's largest technology outsourcing companies. Its U.S.-traded shares fell more than 5 percent April 22 after the company reported fiscal fourth-quarter profit below Wall Street expectations.

Goldman Sachs analyst Thomas Quinteros said that "rapid appreciation of the Indian rupee" has been one of the key risks for Satyam Computer Services Ltd., one of India's largest technology outsourcing companies. Satyam last week reported fiscal fourth-quarter profit that missed Wall Street estimates.

The results were not that surprising -- in February, Satyam's chairman said he expected "significant implications" from the U.S. economic downturn for Indian outsourcing companies.

The majority of Satyam's sales are from the U.S. The company provides data-warehouse, systems integration, software development and other information technology services to General Electric, the U.S. government and other major clients.

Banc of America Securities analyst Abhishek Gami said the stock has been a strong performer but fundamental gains may be difficult because of the weak dollar, wage inflation and the need for expansion beyond the U.S. market.

Gami acknowledged the newly weakened rupee has "turned into a tailwind" for Indian companies.

"Though the rupee depreciation is not significant enough to deliver major margin upside, at least...offshore vendors have been saved from this source of margin headwind," he said.

While the rupee stabilized in the last quarter , the weak U.S. economy is also bad news for U.S.-reliant outsourcing businesses like U.S-traded Wipro Ltd., which includes General Motors, Sony, and communications company Nortel among its customers.

According to Wachovia Securities analyst Edward S. Caso, Wipro is expecting muted growth in the first half of fiscal 2009 because of ongoing U.S. economic turbulence. A customer has already canceled a major project while other customers have said they want to defer projects.

While both Satyam and Wipro are hoping to ride out any rupee appreciation and the U.S. economic weakness, they are hoping for a turnaround later this year or 2009.

Wipro management has, says Caso, "emphasized the pause nature of new business, not its elimination."

Tuesday, April 29, 2008

Internet Crime Transforms into Mature Business

Source : Click

Pack up the image of the lone hacker. Internet crime is highly organized -- outsourcing complex work and using sophisticated pricing, like bulk discounts for stolen credit cards.

If you still view the Internet as a kind of Wild West where colorful rogues and small bands of outlaws try to damage or invade personal computers -- you're not only way behind the curve, but may be putting yourself and your business at risk. Internet crime has evolved not just into a mature and sophisticated industry, but also into a global network that has its own underground economy, specialties and infrastructure, Symantec reports in its latest Internet Security Threat Report.

What should be particularly worrisome to legitimate businesses is a shift in tactics. Rather than targeting computer networks, which have strengthened defenses considerably, Internet criminals now try to get to individual computers and customers of Internet services and sites with Web-based attacks. One reason: Few Web sites address their vulnerabilities, and the few that do, react slowly. "Of 6,961 site-specific vulnerabilities in the first six months of 2007, only 330 had been fixed at the time of writing," Symantec reports.

Once these vulnerabilities have been exploited, attackers can then zero in on individual users. "Symantec has also observed that attackers are particularly targeting sites that are likely to be trusted by end users, such as social networking sites. ... Attackers targeting trusted sites can also steal user credentials or launch mass attacks because they may allow attacks to propagate quickly through a victim's social network," the report warns. And as information is picked up, it is bundled and sold on servers that help this black market flourish and grow -- often priced according to demand and value. Information to verifiably high-value accounts fetches more than just generic bank accounts, for example.

Attackers are proving intensely resourceful and adaptive. Code threats have increased dramatically, apparently because criminal organizations now hire software specialists to churn out malicious code so they can constantly remain ahead of efforts to defend against attacks. And they have physical mobility, too. "Malicious groups are actively anticipating and planning for the need to adapt on the fly -- including the deployment of back-up servers to which they can turn when law enforcement agencies or ISPs threaten to shut down existing operations," the report says.

Symantec is also warning that the coming presidential elections will provide scammers an opportunity to exploit and target political and campaign Web sites. That will be explored in a separate Kiplinger Recommends feature next week.

Monday, April 28, 2008

New Book for IT Professionals Features 20 Alternative Careers Highly Insulated From Offshore Outsourcing

Source : Click

With offshore outsourcing increasing and the U.S. economy in a recession, computer professionals are seeing fewer opportunities in the IT job market. Some are considering a career change from IT, but concerned about wasting their investment in their education and experience. That concern should be dispelled by "Debugging Your Information Technology(TM) Career" (Elegant Fix Press -- http://www.elegantfixpress.com), a book demonstrating that computer professionals can leverage their experience to enter many fields other than traditional information technology careers, while reducing or eliminating their vulnerability to offshoring.

Janice Weinberg, the author, is a career consultant (http://www.janiceweinberg.com) formerly with IBM and GE, whose background as a systems programmer and application developer enabled her to identify the 20 careers she describes. While most of them aren't usually thought of as computer-related jobs, computer proficiency is a key qualification for success in each. For example:

     -- A business analyst or software developer who guided finance and/or
sales staff in defining their information technology requirements
could become a global procurement project manager supporting those
functions.
-- A software architect's knowledge of best practices in systems design
would be a strong asset in a technology due diligence position.
-- A network security administrator's experience would be quite valuable
in a cyberliability insurance broker or underwriter role.
-- An IT professional's ability to assess the commercial potential of new
computer technology would be a highly desirable qualification in a
technology sector equity analyst candidate.

Most of the careers can be entered without further education beyond a BS in information technology, management information systems, or computer science. Several require a certification. Some readers may be motivated to become an attorney specializing in computer law. Many of the fields can be springboards for consulting practices -- or new revenue streams for those already employed as computer consultants or contract programmers. New graduates with computer-related degrees and students excelling on computer skills assessment tests will realize that the opportunities accessible to them go well beyond those typically associated with information technology and computer science jobs.

    As Weinberg describes each career, readers will:

-- Be able to imagine themselves in the field by reading the hour-by-hour
Typical Workday
-- Understand the degree to which a recession can affect job security,
and learn strategies for minimizing or avoiding any negative impact
-- Learn the extent to which offshoring is already happening, and what
the field's future vulnerability will likely be

Readers will learn job-hunting techniques tailored to specific fields, including guidance in identifying employers and determining the most relevant aspects of their experience to highlight in their resumes, cover letters, and interviews.

While there are many books providing IT career advice, Weinberg's gives new -- and much broader -- meaning to the term "computer job," demonstrating that an IT professional's knowledge constitutes precious currency in a world dependent on computer technology.

Friday, April 25, 2008

Time to outsource government services

Source : Click

A HUGE crowd and long queues greeted Prime Minister Datuk Seri Abdullah Ahmad Badawi when he made a surprise visit to the Immigration Department headquarters in 2003, days after he assumed the premiership. The visit was to emphasise his pledge to reduce bureaucratic red tape, improve delivery of government services and strengthen the public sector’s implementation machinery.

“To ease, not to burden; to simplify, not to complicate” was the message of the Prime Minister to government officers.

Some significant improvements have been achieved in the past three years.

Before, renewing passports took two weeks. Now it takes only one hour at selected immigration offices under a pilot scheme that will be extended nationwide later.

Within Kuala Lumpur city, you don’t have to fill up numerous forms and go through endless red tape just to renovate your kitchen. City Hall has introduced the first e-application called the Building Control System which allows a house owner or contractor to fill in and submit online forms.

Suppliers and contractors who used to complain about late payments from the government can now get their money within two weeks of submitting their bills, if the documents are complete and non-disputable.

Chief Secretary to the Government Tan Sri Mohd Sidek Hassan has stated with pride that over 90 percent of payments by the Prime Minister’s Department were made within a week.

The Construction Industry Development Board has reduced processing time for all applications from contractors to 30 days from 60 previously. Fourteen different licences for the hotel industry have been streamlined into one.

Many administrative and systems reforms have been implemented and they provide online registrations, less paperwork and shorter processing time.

The public has acknowledged the improvements. An independent survey by a research organisation last year found about 60 percent of the respondents having experienced improved government services.

That’s the good news.

The bad news is that the government has only scratched the surface in trying to reform its ponderous delivery machinery. The big problem is implementation.

Recent statements by high-level people highlighted this concern.

The Prime Minister ordered Mohd Sidek to set up a task force to speed up procedures that are slowing foreign investments and giving Malaysia a bad name everywhere.

A leading corporate figure will be roped in to help drive the task.

Sarawak State Secretary Datu Wilson Baya Dandot early this week blamed red tape at the federal ministerial level for contributing to the delay in the implementation of projects and processing of payments to contractors in the state.

During a briefing for the visiting Mohd Sidek in Kuching, Baya said many processes have to be improved if the government wants to see a swift and efficient delivery system as well as effective project implementation.

“Delays in the delivery system will result in wastage and higher costs,” he added.

Congress of Union of Employees in the Public and Civil Services (Cuepacs) Sarawak chairman William Ghani singled out poor planning as among the main causes of the troubled public delivery system.

He said the Public Service Department (PSD) should plan ahead and not leave important posts vacant for long periods which could stall the system.

“We have heard of schools or departments having no immediate replacements when the principals or directors retire, and without people to make decisions, the delivery system would naturally suffer,” he said.

Education Minister Datuk Seri Hishammuddin Tun Hussein took a tough stand by reminding his staff to ‘shape up or ship out’ in implementing the National Education Blueprint which he launched this month.

Tourism Minister Datuk Seri Tengku Adnan Tengku Mansor claimed dishonest officers in a government department were ‘messing up’ the Malaysia My Second Home programme to attract well-heeled foreigners to settle in the country.

Then came the PSD’s threat to take the unusual and drastic step of publishing in newspapers the names of government officers who go absent without leave.

Apparently, these officers have been busy with their side businesses and personal problems or simply unable to work because they are high on drugs.

Bad civil servants can frustrate the government’s best intentions and most innovative initiatives.

An efficient and effective public service delivery system is key to the country’s competitiveness. The speed with which the public sector serves the private sector determines the speed, efficiency and effectiveness of our corporations.

Although the Institute of Management Development (IMD) in Switzerland ranked Malaysia 23rd among 61 countries in the 2006 World Competitiveness Index, bureaucratic red tape continues to discourage investors from moving their operations and money into the country.

Infosys Technologies Ltd, India’s leading software exporter, revealed during a briefing for Deputy Prime Minister Datuk Seri Najib Tun Razak at its head office last year that the company had picked Kuala Lumpur for an information technology centre but it was forced by bureaucratic hurdles to move the investment to another country instead.

The World Economic Forum, in its 2006 worldwide competitiveness ranking, placed Malaysia 101st among 117 countries on the issue of government red tape hindering economic growth.

As the largest service provider in the country, the government has a duty and responsibility to ensure that its services are effective, low cost and fast.

Only such a service delivery system can create a favourable business climate and fulfil the needs of citizens. This in turn will contribute to economic growth and national wellbeing.

However, the structure and character of the civil service make it resistant to change and innovation. Despite denials by its defenders, the civil service is probably home to many ‘malingerers and slackers’, a description used by a national newspaper.

Perhaps it is time for the government to follow the lead of global corporations in outsourcing its services to the private sector wherever feasible.

This method could save operating and salary costs, reduce staffing and raise efficiency. It could even fit in nicely with the government’s proposed introduction of the EPF-style contributory pension scheme for civil servants in the near future which may become a disincentive in attracting new recruits.

Many government services have already been privatised, such as operation of airports, garbage collection and provision of telecommunications, energy and water supply services.

Many more layers of official red tape can be removed by outsourcing more functions to private firms which are more efficient, more motivated and move more quickly.

We have world-class companies that have the skills and track record to handle most types of jobs from the planning stage right down to design and implementation.

One day, we may be able to see private frontline staff manning government departments who not only respond courteously and knowledgeably to enquiries but are eager to offer their assistance.

That will really make our day.

Thursday, April 24, 2008

How to ensure outsourced software development is secure

Source : Click

It depends on who you ask, but Codenomicom of Finland, a provider of software testing tools, reckons that 80% of security problems are caused by programmers writing insecure code. Much of this is the result of development schedules being too tight. Given that software applications contain thousands or even millions of lines of code, it is more than likely that some programming errors are made that could leave the application vulnerable to attack.

The fact that software applications can contain flaws is nothing new. But a recent survey by Quocirca of 250 organisations shows that not only are businesses increasingly relying on bespoke or modified software applications, which they see as critical for their business, but not enough of them are employing automated tools for testing those applications for security vulnerabilities.

Another practice that is increasingly being seen is the outsourcing of code development to third parties. This can be a less costly option than developing the code in-house, especially where a business does not have sufficient resources of its own. But when such an essential process is placed in the hands of a contractor, extra care must be taken to ensure that secure coding practices are used and that applications are thoroughly tested.

Failure to thoroughly police the software development process has far reaching consequences. If a hacker is able to exploit a flaw in the software, they could use it to attack the application in order to steal sensitive personal or organisational information. In today's increasingly regulated world, this is something that can cost organisations dear, not just in terms of the price tag for cleaning up after the attack, but in lost business owing to the negative publicity that is likely to ensue.

But if a flaw is found in software that was developed by a third party, who should bear the responsibility for fixing those errors? If an organisation bought an appliance such as a printer that was found to be faulty, resulting in a fire on its premises, it is in a position to sue the manufacturer and claim compensation. In the same way, liability for faulty software should be pushed to the contractor to which it was outsourced and should be written into the contract.

When outsourcing any business process to a third party, it is essential that a good contract is written and that a watertight service-level agreement is put in place. This is something that some regulations actually mandate when outsourcing application development. For example, the FFIEC (Federal Financial Institutions Examination Council) implementation guide for GLBA (Gramm-Leach-Bliley Act) states that organisations must establish a vendor management programme that includes "establishing security requirements, acceptance criteria, test plans, and reviewing and testing source code for security vulnerabilities." This may be a US regulation, but its impact is being felt by some European organisations as well, and there are a host of other regulations demanding higher levels of security.

Technology vendor Ounce Labs has been advising organisations since 2002 on how to work with outsourcers to ensure that code is developed with security in mind and that the appropriate testing tools are used. It has worked with lawyers to develop suitable contracts for organisations to use, which it makes available on its website. According to Ounce Labs, the following are some best practices that organisations should follow when outsourcing software code development:

* Define upfront what is meant by security, including the security environment in which the application is to be used and what other resources could be exposed by a security vulnerability, and include the definition in the contract put in place
* Validate the security mechanisms to be used upfront and set requirements for their use
* Ensure that the third party is using software coding best practices and that they are documented and validated
* Demand proof of the level of training, skills and security awareness among the third party's development staff
* Ensure that expectations are laid out in the service-level agreement, including milestones and deliverables
* Define acceptance criteria for the security of applications delivered
* Provide a list of the most critical flaws that are deemed unacceptable
* Mandate measures for certifying that code is secure, including the use of automated testing tools
* Define steps required in the audit process and ensure that all code is audited and certified before payment is made
* Ensure that the right to audit code and perform security checks is written into the contract
* Define processes for remediation by the third party and ensure that responsibility for bearing the costs of remediation or legal liability, even after the application has been delivered, are written into the contract
* Specify in the contract that security checks and monitoring will be continued throughout the lifecycle of that application and lay out the third party's responsibility for fixing flaws found at a later date.

Such practices will ensure that the most secure code possible is delivered, leaving organisations less vulnerable to security incidents. But, given the size of most software applications and the fact that it is almost impossible to write prefect code, however small the program, organisations that follow the practices outlined above will also have covered their backs be ensuring that the responsibility for fixing vulnerabilities lies firmly in the hands of the outsourcer—something that is essential since flaws discovered once an application is in use are the most expensive to fix.

Wednesday, April 23, 2008

A crash in TCS stock underlines end of Indian indigenous IT outsourcing superpower

Source : Click

Indian companies have come a long way it providing IT outsourcing services. The golden era of IT outsourcing empire is coming to an end for Indian companies. The global clients are bow demanding quality products and services not just “programmer bodies”.

The management of Indian IT companies hardly find any difference trading spices versus software bodies. They hire cheap Indian cyber labor and sell them for a hefty hourly profit to American and European companies.

It is an easy business model. The inefficient American and European corporate management are eager to cut cost by any means to hide their inability to expand revenue and total incompetence in creating innovation. The cost cutting is easily served hiring TCS, Satyam, Wipro and Infosys type companies to perform the same tasks for pennies on the dollar.

The easy life for the Indian body shoppers like TCS, Satyam, Wipro and Infosys type companies is coming to an end. The western companies has built their own shops in Bangalore, Hyderabad, Mumbai and so. They are also demanding cut in outsourcing costs. In addition, talented Indian programmers are leaving the Indian companies in seek of better opportunities with Microsoft, IBM and so on.

TCS slumped 10.6% to Rs 887. Wipro and Satyam plunged 5% each to Rs 431 and Rs 436, respectively. Infosys shed 2.8% at Rs 1,599. At the same time Sensex touched a high of 16,854 - up 256 points from the day's low. The Sensex finally ended with a gain of 45 points at 16,784.

It signifies end of Indian indigenous IT outsourcing superpower. It is the result of India’s failure in creating world-class software products instead of just supply programming bodies.

Tuesday, April 22, 2008

Design gets hot in outsourcing game

Source : Click

If you think that outsourcing in India was just synonymous with accounting, call centres and financial services, here is some news. The latest to join the outsourcing wave in the country is design support services, in which architecture and building design is supplied to remote customers as a service.

Growing at 30 per cent per annum, this could make India the design centre of the world, say its pioneers, who put high-skilled design workers to work with advanced software.

The market size for the sector in the US is $225 billion, and with India just beginning to make a mark, its growth story appears to be on solid ground, say industry officials.

In a vote of confidence in the business, Satellier, a Chicago-based company with a strong presence in India, on Wednesday announced that it had received $10 million in funding from one of Silicon Valley's most respected venture capital funds, Sequoia Capital.

Satellier, runs its Indian studio facilities at New Delhi and Kolkata with 400 design professionals to execute technical drawings for its projects across the world. Outside India, the company has only 20 to 25 employees, which it expects will rise to 70 in the coming year.

Michael Jansen, chairman and CEO, Satellier, said the funding will be used for mergers and acquisitions involving companies engaged in related work (mostly in China) as well as towards organisational growth which includes plans to open three new offices in the US, one in the UK and delivery centers in India and around the world over the next year.

"However, the primary focus will be developing the Building Information Modeling (BIM) service solutions for the global as well as Indian architecture, engineering and construction (AEC) industry," he told reporters.

BIM software simulates construction and operations and is particularly geared towards helping developers, hoteliers and multinationals in their real estate projects in India.

"It will help reduce construction time, detect complexities between disciplines as well as enable developers to understand energy components thus reducing costs. The cost of the module will depend upon the scale of the project, the location and its nature," Jansen said.

Monday, April 21, 2008

It's time for market research outsourcing

Source : Click

With businesses increasingly becoming consumer-led, the new buzz in town goes by a different abbreviation: MRO or market research outsourcing. The global outsourcing opportunity for MRO is $4 billion with India accounting for $150 million of this pie.

MRO, which concerns itself with understanding customer behaviour, is catching up. The segment for marketing and customer informatics is growing rapidly, says Anantha Krishnan, chairman and CEO, Dexterity. Till recently, Dexterity was focussing on research and analytics space but has now turned its attention to marketing and customer informatics.

Similarly, the Mumbai-based Fractal Analytics is getting into the thick of things. Today, there is a tremendous explosion of data, and companies are keen to know why a customer patronises one brand over another, says Srikanth Velamakanni, CEO, Fractal.

Says Sunil Mirani, CEO of Ugam Solutions, Everyone wants to get a share of customer's wallet. Price-service differential across categories is minimal. So, it becomes imperative to understand what drives the consumers towards a particular product.

For example, the $12-million Fractal provides known value item (KVI) analysis wherein it identifies those key items for retailers on which customers expect good bargains. "We identify those items and develop a pricing strategy that it is better than its competition. In some cases, those items can end up being price leaders in their respective categories," says Velamakanni.

MRO companies in India are targeting domains like retail, telecom, BFSI (banking, financial, services and insurance) and media and entertainment. Some like Dexterity and Ugam also closely work with global market research organisations helping them conduct surveys through Web and phone and work with them in collating and mining data.

Players are migrating to high-end analytics, modelling of marketing mix (analytic solutions deployed to improve brand performance, optimise marketing spends and enhance sales volumes) and risk analytics (solutions that are geared towards controlling default and bad debts as well as improving collections). India has a large pool of mathematical talent which can be leveraged easily to do the high-end work, says Velamakanni.

Wednesday, April 16, 2008

Outsourcing: The Path to Business Growth

Source : Click

For small businesses trying to grow as painlessly as possible, outsourcing non-revenue-producing business functions makes a lot of sense.

That's the conclusion of a new report from Achilles Group titled "2008 Small Business Outsourcing Best Practices Guide." The report found that most businesses with 25 to 250 employees outsource at least two business functions. The most outsourced processes are payroll, accounting, ERP (enterprise resource planning), point-of-sale, CRM (customer relationship management), SFA (sales force automation) and human resources management, recruiting, benefits administration, performance and compensation management, and time and labor management.

According to the report, companies with fewer than 50 employees tend to outsource payroll, benefits, recruiting, bookkeeping, IT desktop and e-mail, Web site and online marketing, financial engineering, IT network administration, and marketing and lead generation. Companies with up to 250 employees might add HR director outsourcing and talent management, while companies with up to 1,000 employees might further add Human Resource Information System, CIO/IT strategy and compensation planning.

Unlike larger companies, which outsource to save money, small businesses turn to outsourcing so they can focus their limited resources on core competencies. According to the report, the top reasons small businesses outsource is to free up executive time and enable on-demand access to specialist expertise not available internally. Other reasons include reducing costs, gaining access to best practices processes and best-of-breed technology and tools, gaining the ability to scale more efficiently, and improving performance.

Another related option is shared services, run by a third party, in which a business consolidates common corporate administrative systems and functions with those of other organizations. Like outsourcing, the shared services approach offers specialist expertise and cost savings, along with better compliance and access to best-in-class technologies and processes. According to Achilles Group's research, more than 60 percent of companies taking the shared services approach experience improved customer satisfaction, staff productivity and overall quality. They also reduce costs by 20 to 80 percent.

The most successful small businesses pick and choose which functions to outsource or commit to shared services, the report said. As an example, some organizations outsource HR functions for a limited time, while they build the processes and infrastructure they will need to bring the process back in-house in the future.

Because businesses often use outsourcing to help themselves grow, it makes sense that once that growth has been achieved, some companies choose to bring some processes back in-house. Doing so can help improve control once the organization has stopped growing and has reached maturity, the report said.

The combination of insourcing and outsourcing—and the ability to move back and forth between the two as necessary—can help small businesses achieve the goal of growing stronger and more self-sufficient, while remaining flexible and correcting or avoiding common mistakes, the report concluded.

Tuesday, April 15, 2008

Is Outsourcing a Security Risk?

Source : Click

The world has a new culprit to blame for the rising tide of software vulnerabilities -- code outsourcing.

The trend to outsource the coding of applications is now a major contributor to making business software more vulnerable, a survey-cum-report has claimed.

According to analyst group Quocirca, which surveyed 250 IT directors and executives in the U.S., the U.K. and Germany for Fortify Software, ninety percent of the organizations that admitted to having been 'hacked' had outsourced more than 40 percent of their applications to third parties.

But the rush to benefit from the speed, convenience and lower cost of outsourced applications was leaving security as an afterthought in an alarming number of cases. Sixty percent of respondents reported not mandating security from scratch, while 20 percent of those surveyed in the U.K. failed to accommodate security at all in the outsourced applications.

So what's behind this risky attitude? The report mainly blames the way companies have become enamored with relatively poorly-understood Web 2.0 technologies, and the parallel rush to use service-oriented architectures (SOA) to open up software to much-loved partners.

As to outsourcing itself, according to Fortify, the problem here is that the client company has no visibility on the coding behavior of the company carrying out the work, no matter how good the relationship appears to be.

As in other areas of technology, U.S. organizations have been at the forefront of the software outsourcing movement, with 61 percent of those surveyed reporting that they outsourced more than 40 percent of their programming. Germany, by contrast was some way behind this percentage, with the U.K. somewhere between the two extremes, thanks to its financial services bias. The U.K.'s uptake of Web 2.0 is also closer to the U.S.' than Germany's, which is to say that it has been significant.

"These survey results help explain the recent, sudden rise in data breaches and should serve as a wake-up call to any executive whose company sits on a pile of mission-critical application code," said Fortify board member and former White House cybersecurity advisor Howard Schmidt.

At least companies can attempt to protect themselves against the specific threat posed by lazy programming using backdoor detection systems, a growing category of software. As ever companies find themselves solving software security problems by buying yet more software.

Friday, April 11, 2008

Europe wary of outsourcing to India

Source : Click

While Indian ITeS companies may be looking at Europe as a big market waiting to be tapped, are European firms as bullish about outsourcing work to India? May be not. While they may be interested in sending work to India, but are not confident to do so, says a new report by Forrester, Research, an independent technology and market research company.

Their latest report ‘Offshoring Strategies For Continental European Firms’, tracks the outlook of European firms to outsourcing work. It says, Indian offshore providers looking at expanding business in Europe must first change their risk-averse attitude and invest in building a sizable local capability to win deals there.

"Most pan-European firms are still not fully convinced about the offshore model’s suitability or benefits for their business, while offshore providers are yet to have enough capability in the continent," says Sudin Apte, senior analyst at Forrest. In fact, several European firms did send large teams to India in the last six months to test the offshore waters here, "However, these initiatives lacked a solid vision and strategy for the type of work to be sent and at what pace," Apte explains.

However, the good thing is these firms are becoming more interested in sending work as some Indian service providers are working furiously to improve their European capabilities. The report reveals that both Indian and European offshore providers have problems helping their European clients go offshore. While Indian providers still struggle to build up meaningful local presence, their risk-averse approach means that they won’t make even smaller local staff acquisitions unless they see a direct and immediate increase in their European sales books. "Clients we spoke to complain that the Indian firms they’ve worked with often fail to demonstrate commitment to the service levels promised," Apte says.

European firms on the other hand followed stringent and demanding procurement approach to offshoring and made unreasonable language fluency expectations from vendors.

Thursday, April 10, 2008

Firms overlook security when outsourcing software development

Source : Click

Frequent hacking victims all outsource a portion of their programming, says research

Companies that say they are frequently hacked all outsource part of their software programming, and 90 per cent of them outsource at least 40 per cent, according to a survey by analyst Quocirca.

Sixty per cent of companies that outsource their coding said they do do not mandate built-in security for their applications.

And a further 20 per cent of UK firms said they do not even consider security when developing applications.

Built-in security is not being taken seriously enough, said Fran Howarth, principal analyst at Quocirca and author of the report.

“The findings of this report indicate that not enough is being done by organisations to build security into the applications on which their businesses rely," said Howarth.

"Not only that, but they are entrusting large parts of their application development needs to third parties. This creates an even greater onus for organisations to thoroughly test all code generated for applications — without which they could be playing into the hands of hackers.”

Half of firms that consider software development to be business critical or important outsource more than 40 per cent of their programming needs.

Fifty-five per cent of public sector organisations outsource more than 40 per cent of their coding and 64 per cent say development is only moderately important.

Utility companies place the greatest importance on software development, with 90 per cent citing it as important or business critical. Only seven per cent of utilities outsource more than eight percent of code development.

The survey questioned 250 senior executives and IT directors at medium to large firms in the UK, US and Germany.

Wednesday, April 09, 2008

US Enterprise Business Outsourcing and 3rd Party Services Expenditures Contains The Latest Vendor Based Research

Source : Click

Research and Markets has announced the addition of “US Enterprise Business Outsourcing & 3rd Party Services Expenditures, 2007-2012” to their offering.

This Excel-based Data-rich Deliverable (DRD) that is part of the Business Managed & Hosting Services and Enterprise Business subscription includes market intelligence on business IT: Outsourcing & 3rd Party services expenditures for Enterprise Business. Managed services include expenditures on network-based services that provide a network, application or computing capability to a client and are delivered on an on-going basis by a 3rd party for a recurring fee. Compass Intelligence defines IT outsourcing as expenditures on services rendered by 3rd parties, including IT outsourcing companies. Enterprise Business (Over 1000 employees). The Expert Guide for this deliverable is Kneko Burney. Forecasts are from 2007 through 2012 and include annual growth rate, as well as percentage of total market.

Sources: Our segment and market forecasts, which include business expenditures, market demographics, and usage and adoption statistics, are built using multiple sources, including our proprietary research.

These sources include, but are not limited to:

-Secondary research

-Government data and statistics (e.g. department of commerce, federal communication commission, bureau of labour statistics and us census bureau

-Primary research

-Vendor-based research

-In-depth interviews with key decision-makers (where relevant)

We select data sources to provide greatest degree of perspective on each market or segment, in addition to the highest level of data accuracy, stability, and consistency over time.

Tuesday, April 08, 2008

Outsourcing increases risk

Source : Click

Study shows companies neglect security

Leading application security vendor Fortify Software announced the findings of a new report released by European information technology analysis group, Quocirca, entitled, Why Application Security is Critical.

Today's businesses are increasingly relying on software development to maintain a competitive advantage, and this new report reveals that the widespread outsourcing of code development is putting these businesses at risk. As organizations increasingly look to outsource application development, they are leaving themselves severely exposed to data predators by failing to mandate security in the development of those critical applications.

According to the report, 50 percent of organizations stating that software code development is business critical outsource almost half of their code development needs. And, according to the report, more than 60 percent of companies don't mandate security when outsourcing development.

"The findings of this report indicate that not enough is being done by organizations to build security into the applications on which their businesses rely," said QuoCirca Analyst Fran Howarth, author of the report. "Not only that, but they are entrusting large parts of their application development needs to third parties. This creates an even greater onus for organizations to thoroughly test all code generated for applications -- without which they could be playing into the hands of hackers."

Recent, highly publicized data breaches at companies such as TS Ameritrade, TJX and Hannaford Brothers illustrate how software applications can often contain exploitable vulnerabilities. According to the Quocirca report, all organizations who admitted to being frequently hacked outsource at least some of their coding practice, with 90 percent of companies outsourcing almost half of their application development.

"The processes and systems that run companies today are built in software applications that were designed to be open, which makes them inherently insecure," said Roger Thornton, Founder and Chief Technology Officer of Fortify. "Through outsourcing, customer self-service offerings and the like, enterprises invite people into their network in order to do business better and quicker, but they leave themselves and their corporate assets vulnerable to attack and exploitation. Without assuring the security of the software applications that run your business, you expose your enterprise to unnecessary and costly risk."

In the study, financial services companies are identified as the most likely to outsource their code development needs, with 72 percent reporting that they outsource almost half of their development practices. 84 percent of these organizations report that code development is business critical. Public sector organizations are also big outsourcers, with 55 percent outsourcing over 40 percent of code development.

China marches into outsourcing

Source : Click

It's mustering a serious challenge to India, but language and culture could hold it back.

In the foothills of Yuelu Mountain here, a young Mao Tse-tung found inspiration in nature for his political aspirations. Today, Communist Party officials have a different vision for this area: a valley of global outsourcing firms.

One of them, Beijing-based Chinasoft International Ltd., is recruiting hundreds of workers to process medical bills and health insurance claims. Its target customers: U.S. doctors.

Chinasoft is launching the venture with a Tennessee firm, Premier BPO Inc., which has similar operations in India and Pakistan. Chen Yuhong, Chinasoft's managing director, thinks it's only a matter of time before China makes big gains against India -- which now leads the world in information technology outsourcing.

"They're seriously concerned about our challenge," said the 44-year-old Chen, who has a PhD in engineering from Beijing Institute of Technology and speaks fluent English.

Most analysts reckon it'll be perhaps a decade before China catches up. India's IT outsourcing revenue, estimated at $18 billion in 2007, is about six times the size of China's. The gap figures to be even bigger for business-process outsourcing, such as medical billing and back-office work. With its history as a British colony, India has workers with strong English skills and familiarity with Western culture. That gives companies there a big edge when bidding for jobs that require reading reports and talking to Americans.

But China's exportsof IT services are growing at roughly twice the rate of India's. Consulting firm Analysys International says Chinese software offshoring sales jumped 45% in the fourth quarter of 2007, to about $600 million. Although much of that was for clients in Japan and other Asian countries, China is making a push to extend its reach.

In 2006, the central government launched the "Thousand, Hundred, Ten" project, aimed at cultivating 1,000 Chinese outsourcing companies that would cater to 100 international clients. Beijing wants to situate them in at least 10 cities. Some are familiar locales -- Shanghai, Beijing and Shenzhen. But success or failure may come down to smaller cities largely unknown abroad.

Wages, plus land and housing prices, have soared in China's top-tier cities, prompting many foreign manufacturers to relocate. Officials hope that places such as Wuhan, Jinan and Changsha will be lower-cost alternatives for the service industry as well.

Junior software engineers in those cities can be hired for $170 to $250 a month -- a third of the going rates in Beijing or Shanghai, said Tian Yuqi, human resources manager at VanceInfo Technologies Inc., a Beijing-based IT outsourcing firm listed on the New York Stock Exchange. Those wages also are a lot lower than in India's outsourcing hubs such as Bangalore and New Delhi, where salaries are spiraling up.

"China enjoys the cost advantage, but India enjoys the market advantage," Tian said.

China's government wants both -- and is helping with incentives. Firms setting up in designated outsourcing zones can enjoy a two-year waiver of taxes. They can get a subsidy of about $700 per employee for training and hiring. Local governments are chipping in with sweet deals for rent and land, as well as cash for certain sectors. Hunan province, for example, has set aside about $56 million to bolster the local animation industry, which is particularly strong in Changsha.

"They're going after it with determination," said Gaurav Gupta, country head in India for Everest Group, a consulting and research firm based in Britain. Gupta and others at Everest track 125 outsourcing cities in the world, including 10 in China and more than 30 in India. Yet for all their potential, he says, Chinese outsourcing companies are generally serving domestic businesses -- not offshore customers, as India's firms tend to do.

Chinasoft's Chen, though, sees a way to leverage China's large domestic market into offshore contracts. As more Chinese businesses and public agencies contract out their IT, back-office and call-center operations, the firms that provide those services could offer connections to Western firms to help them break into the Chinese market.

"We tell them, 'You give us business in [your country], and we'll give you the market here,' " Chen said. Chinasoft also is considering buying a stake in companies like Premier BPO, to help drive more American customers to its fledgling outsourcing operations in China. Though Chinasoft has branch offices around the world, including San Francisco and Seattle, its IT outsourcing revenue was only about $9 million in last year's third quarter, the latest period for which results are available.

Mark Briggs, chairman of privately held Premier BPO, declined to comment on the specifics of the deal with Chinasoft. He agreed that familiarity with English was a major plus for India; something as simple as commas and semicolons can be stumbling blocks for Chinese workers coding data into computers, he said. But training can overcome such language and cultural gaps, and Briggs predicted that the same assets that propelled China's manufacturing industry -- great infrastructure and labor power -- would help it become tops in outsourcing.

"I personally believe China will overtake the rest of the world in BPO," or business-process outsourcing, he said.

Changsha may be well suited to play a key role. Many Chinese regard Hunan as a center of culture and creative talent. The wildly popular television show "Super Girl," akin to "American Idol," was produced here. Changsha accounts for much of the nation's cartoon design and TV programming.

Changsha natives claim an outsize share of placements at top IT companies, managers say. The city boasts three universities rated highly for industrial design and software engineering. China's first supercomputer was developed at Changsha's National University of Defense Technology.

"They have a lot of talented people," said Xuedong Huang, a general manager at Microsoft Corp.'s communications innovation center in Redmond, Wash. Like most major technology companies, Microsoft's investment and work in China have been focused in Beijing and Shanghai. For four years, it has run a small software outsourcing project in Changsha.

"I've been very impressed with the quality, even by Microsoft standards," said Huang, himself a product of Hunan University in Changsha. What's unclear, he says, is whether an inland city as "small" as Changsha, population 6 million, can become a major player in outsourcing.

Changsha has yet to cultivate a star company in IT or business-process outsourcing. One reason is that Changsha's homegrown talent is lured by glitzier, cosmopolitan cities on the coast. Seventy percent of engineering graduates leave Hunan, said Lin Yaping, vice dean of Hunan University's software school. To keep them, "what we need is a dragon head," he said, referring to an internationally famous firm.

About 300 firms have set up shop in Changsha's software and outsourcing zone at the foot of Yuelu Mountain. Some have partnerships with big names like IBM and Google, but most are tiny operations. One of the most promising locally bred IT companies, Powerise International Software Co., faltered and was bought by Chinasoft in 2006.

Today, Chinasoft's 160 staff members in Changsha do IT outsourcing for mainly Japanese companies, but most of it is coding work and software testing, not the high-end engineering and designing that Changsha craves.

VanceInfo Technologies' experience in Changsha isn't encouraging.

The Beijing firm opened a branch here in 2003. Tian said it took him nine months to recruit 60 engineers. They had little trouble doing the work, including developing, testing and localizing software and handling electronic transfers of loans for major banks.

But Tian said his staff in Changsha, lacking strong English skills, struggled in conference calls with customers. Nor were VanceInfo's clients entirely comfortable dealing in a small city unfamiliar to them, he said, and the firm shut the office in 2005.

"Compared to the Japanese, major clients in Europe and North America emphasized much more the city's characteristics," Tian said. "They preferred Shanghai. Our clients weren't supporting our establishing centers in cities like Changsha."

Monday, April 07, 2008

Indian IT company plans big in Michigan

Source : Click

A USD3.5 billion Indian IT, engineering and businessprocess outsourcing company is eyeing further expansion in Michigan, adding to a pair of offices in Troy and further growing the states economic ties to the Asian nation.
Wipro Ltd is entering the third month of its new lease in the National City Center building on West Big Beaver in Troy, where it is leasing 10,596 square feet for a software development center. The new office, which the company said is still in the process of being built out, is down the street from Quantech Global Services LLC, an automotive engineering company Wipro acquired in 2006.

The company has been having ongoing discussions with state officials regarding future expansion opportunities, said Sridhar Ramasubbu, CFOAmericas. Ramasubbu said he planned to visit Michigan in early April to meet with officials from Gov. Jennifer Granholms administration. A spokeswoman for the Michigan Economic Development Corp. said officials plan to meet with Wipro the week of April 7.

We are planning to expand our presence in Michigan, Ramasubbu said by phone from the companys North American headquarters in East Brunswick, N.J.

The Michigan center will be part of a global recruiting strategy that leverages local talent for Wipros outsourced engineering services.

The Troy office is the first step towards bigger plans for Michigan, Ramasubbu said. The companys software development centers, he said, provide outsourced engineering services, applications management and business process management. The new Troy office ultimately could house 100 employees.

This center will look at supporting the engineering services, but could be expanded to offer the other services as well, Ramasubbu said.

The moves come as Bangalore, India based Wipro experiences significant growth. Including Quantech, which also has a small office in Okemos, the company acquired six companies and established two joint ventures during its 2006 07 fiscal year. Wipro, which has nearly 90,000 employees, also operates a development center in Windsor, Ontario.

The new Troy office also adds to a growing list of Indian companies operating in Michigan or with Michigan based companies. Incat, a subsidiary of industrial conglomerate Tata Group, operates a facility Novi, while Tata Consultancy Services announced March 31 it will provide global engineering services to Troybased ArvinMeritor Inc.

Wipro Technologies, the companys IT division, last month announced an alliance with Canton Townshipbased computing vendor Scalable Informatics.

Oakland County officials have twice met with Wipro executives at the companys Bangalore headquarters, including during a trip earlier this year organized by the Detroit Regional Chamber. Maureen Krauss, the countys deputy economic development director, said officials were impressed by the culture of the company and by its commitment to training employees and expanding worldwide.

I think their experience of Quantech has given them a positive experience of our workforce and what we have to offer, Krauss said.

Pamela Valentik, business developer for the city of Troy, said city officials met with Wipro at the end of December regarding the new recruiting office. She said there was discussion of doing aerospace work for Boeing Co., which Ramasubbu would not confirm, citing nondisclosure agreements the company signs with customers.They are starting to make more of a presence in the United States as theyre looking to pick up defense work, where that work has to stay in the country, Valentik said.

While the company acquired Quantech for its competencies in automotive R and D, Wipro also provides engineering services for semiconductor, avionics, financial services and manufacturing industries, Ramasubbu said.

We do work across verticals, across technologies and on the applications side, he said. We have a very wide portfolio.

The scale of its Michigan expansion would depend on Wipros success attracting engineering customers to its new Detroitarea office, but could grow to as many as 500 employees, Ramasubbu said.

Friday, April 04, 2008

Microsoft Set to Announce Next-Gen Security Software

Source : Click

The world's largest security conference will kick off next week in San Francisco with the public unveiling of Microsoft's next-generation of security software, code-named Stirling.

Over the past few months, Microsoft has quietly shown the software to a select group of users, but sources familiar with the company's plans said that it will release a beta version of the code to users during the RSA Conference next Tuesday. Microsoft will allow attendees to "see new technologies," including Stirling and the company's next-generation Windows Server 2008 software, according to the conference agenda.

Microsoft's Forefront product line has been playing with more established security products over the past few years, but with Stirling the company will finally be able to offer administrators a single product that manages all of its security offerings.

"Stirling will touch many different areas of network protection, server protection and client protection," said Ronald Beekelaar, an independent IT consultant based in Amsterdam, who is familiar with the Forefront products. "So Microsoft has to coordinate that between different products. But that also means that beta testers should really look at Stirling at all those levels, and not just test the client protection, or only the firewall protection," he wrote in an e-mail interview.

Stirling's management and reporting capabilities, and its tight integration with Microsoft's other products will give enterprise users new tools for tracking malware and staying on top of the "health" of the computers on their network, he added.

After running the product through beta testing phase, Microsoft expects to ship Stirling by the end of June 2009.

Although Microsoft's security announcements are always closely watched, it will not be the only company making news at the conference. IBM plans to introduce new security projects, software and services products, and storage vendor EMC is expected to shed some more light on how it plans to tie together recent acquisitions such as Tablus, Network Intelligence and Documentum.

"EMC is determined to show its value in the information lifecycle," said Nick Selby, research director with the 451 Group, an industry analyst firm.

Symantec CEO John Thompson will keynote at the show Tuesday, the same day his company is set to release its semi-annual Internet Security Threat Report.

Hard drive vendor Seagate Technology will provide an update on the data center hard-drive encryption products it is developing in conjunction with IBM and storage component maker LSI. The companies have been working since last year to bring Seagate's Full Disk Encryption (FDE) technology to enterprise-class storage systems.

Show attendees who find the vendor pitches a bit much can walk down Howard Street at lunchtime Wednesday to catch open-source security vendor Untangle's DeepThroat Fight Club, which will pit rival Web filtering products against each other to see how well they do at blocking pornographic Web sites. The gloves come off at 12:15 at the Thirsty Bear Restaurant and Brewery.

Although RSA got its start as a small-scale conference for cryptographers, it's now the largest security event in the world, with an expanding agenda to match.

For the first time ever, the show will have talks from security researchers, who have traditionally stayed away from RSA in favor of the Black Hat conference, which is held each August in Las Vegas. In all, there will be more than 220 sessions at RSA this year, covering tracks such as legal issues, technical features, and, of course, cryptography.

"It obviously has grown in terms of the number of constituencies that it tries to satisfy," said Tim Mather, chief security strategist with RSA Conferences.

Thursday, April 03, 2008

Zensar targets to be among top three outsourcing vendors in SA, UAE

Source : Click

Software company Zensar Technologies Ltd today said it has secured contracts worth over five million dollars in West Asia and South Africa (SA) in the first three months of 2008 and targets to be among top three outsourcing vendors in the region.

''The company is now targetting over ten per cent of its total revenues from these fast growing segment of the market. The emerging markets have been maturing as outsourcing destinations in addition to the mainstay territories of the US and the UK,'' company said in a statement.

The company eyes to be among the top three outsourcing vendors in South Africa and the UAE by the end of this decade, company Global CEO Ganesh Natarajan said.

''Our focus on Insurance and Retail has resulted in new wins and Increasing customer confidence in our services,'' he added

Wednesday, April 02, 2008

Chinese Firm Recognized by IAOP for Excellence in Offshore Software Outsourcing

Source : Click

China's ODC (Offshore Development Center) Experts, has been named to The Global Outsourcing 100 list for the third consecutive year. The list is compiled by the International Association of Outsourcing Professionals (IAOP) and was made public at the 2008 Outsourcing World Summit in Orlando, Florida.

Bleum CEO and founder Eric Rongley commented, "Being selected again as a rising star by IAOP is a great honor and validates Bleum's excellence in providing ODC services to Global customers from our development centers in China. Bleum has pioneered an operational model designed to achieve levels of customer satisfaction rivaling the best firms in India by providing the excellence in execution and operational transparency that customers in the West demand."

To produce the Global Outsourcing 100, IAOP has developed a rigorous selection process ranking vendors on four key criteria: size and growth, management capabilities, relevant certifications, and customer satisfaction.

High levels of customer satisfaction are achieved by Bleum's focus on cultural compatibility. This starts with transparency in managing a customer's ODC to best align with customer needs and prevent the surprises and missed commitments that typify the outsourcing industry. More importantly, Bleum has instituted an English-Only work environment that enables teams to improve their communication abilities quickly through immersion. By putting the customer's language as a top priority in the company Bleum ODC's are able to deliver an ease of collaboration previously thought unattainable in China.

About IAOP

The International Association of Outsourcing Professionals (IAOP), with 40,000 corporate, professional, and associate members worldwide, is leading the effort to transform the world of business through outsourcing. Its client side members are, on average, responsible for $60 million per year of outsourcing spending with some overseeing outsourcing programs in the billions of dollars. Through professional and ethical standards, the Certified Outsourcing Professional (COP) Program, educational programs including The Outsourcing World Summit®, and recognitions such as The Outsourcing Hall of Fame and The Global Outsourcing 100, IAOP is advancing one of the 21st century's most important new management fields - outsourcing. To learn more, visit http://www.outsourcingprofessional.org


About The Global Outsourcing 100


The Global Outsourcing 100, produced annually by the International Association of Outsourcing Professionals (IAOP), is devoted to featuring the best of today's leading outsourcing service providers and tomorrow's rising stars.

Along with its publication by IAOP, the list appears each year in FORTUNE® magazine in the special advertising section produced by IAOP. Companies must demonstrate excellence in categories such as size and growth, customer experience, depth and breadth of competencies, and management capabilities. Because of the rigorous application and judging process employed, The Global Outsourcing 100 defines the standard for excellence in outsourcing service delivery.

About Bleum:

Bleum is the leading offshore software outsourcing provider based in China focused on building ODC's (Offshore Development Centers) for customers in the West. ODC's are large retained teams dedicated to a single client. When combined with Bleum's total quality management and culture, Bleum ODC's deliver superior levels of quality and productivity with increasing ease of use over time. Bleum offers three kinds of ODC's to suit our customers' needs. Stealth ODC's provide the highest levels of security and confidentiality available in China and employ Bleum's ISO 27001 processes. Branded ODC's enable customers to combine their offshore initiatives with their China market entry strategies and turn a cost center into a profit center. Mini ODC's let small and medium sized enterprise enjoy the benefits of an ODC while maintaining the agility to scale teams up and down according to their need.

Tuesday, April 01, 2008

Pitching business software assurance

Source : Click

In an environment where anti-virus providers are openly admitting that their products cannot stop many attacks and in which customers are under more pressure than ever before to keep their sensitive data protected, Fortify is touting a new process dubbed business software assurance that it maintains will change the manner in which organizations defend themselves from external threats.


While many companies are using products like Fortify's software vulnerability scanning tools to block the channels most frequently being used by outside attackers, such processes will soon evolve from sporadic exercises into a continuous routine aimed at staving off any and all applications-level threats, company officials said.

From the time that applications are written until they are up-and-running in production, companies will use a plethora of technologies, from Fortify's static code analysis scanners to black box testing tools and penetration testing systems, to secure their code, officials with the vendor maintain.

In that sense, applications security is maturing from a mere testing market into a larger, more continuous process, said Roger Thornton, chief technology officer at Fortify.

"When people think about applications security today, they think of these various types of tests, but what they are realizing today is that they need to be doing this work in a risk management framework, in a more repeatable manner," Thornton said. "Companies cannot keep addressing this process from the standpoint of looking at individual point products -- they need to approach it from the perspective of business software assurance."

Leery of having the idea pigeonholed as mere vendor marketing, Thornton said that an ecosystem of providers will drive business software assurance, or BSA, including companies whose tools are used by developers as software code is being written, such as its own, through to the so-called black box testing technologies used to test live applications.

Fortify sells a bundle of static code analysis tools and more "dynamic" scanning technologies for use by software quality assurance testers, along with some real-time applications monitoring capabilities for use after programs go live.

With attacks having moved to the applications-level in dramatic fashion over the last several years, and new compliance regulations holding companies more responsible for vulnerabilities in their systems, the need to adopt risk management throughout the development lifecycle is rapidly being brought into focus, Thornton contends.

"If you have the right risk management approach within the development process, you can go a lot further toward making applications impervious toward attacks," he said. "We're in the nascent stages of this whole idea of software assurance, but we believe that this is how customers, developers, and government agencies are going to begin looking at this problem, even as soon as over the next six months."

As part of the BSA process, organizations will require that business partners and even their customers are doing their own due diligence in keeping vulnerabilities out of their applications, according to Fortify's espoused vision.

It's no coincidence that the company announced its backing of the BSA concept simultaneous to the release of its new Fortify 360 product line, which is more expansive than the company's previous products in terms of its reach across various stages of applications development.

However, the product was tailored to reflect emerging demands from the firm's customers, some of whom are already mature enough in their development operations to embrace the BSA process, Fortify executives said.

Officials with at least one of the company's customers, online stock trading provider Scottrade, said that they are moving in the direction of BSA, even if they have yet to adopt that nomenclature for their work.

Scottrade and its rivals, including eTrade and other online stock sites, have been among those businesses who have publicly announced significant financial write-offs driven by applications-level attacks on their trading systems.

The key idea is approaching applications security as a process, rather than on a more piecemeal basis, as has been common practice for many firms up until now, said Grant Bourzikas, director of information security at Scottrade.

"To really address the security problem, you have to fix your code; intrusion prevention, Web applications firewalls, and a lot of other security technologies don't address the root cause, which is poor code left vulnerable that forces people to write signatures to protect at the network the level," Bourzikas said. "Of course we use all those products, and we have a traditional layered security approach, but by better securing our code and having this two-pronged effect, we can protect ourselves and our customers a lot better."

Whether or not the market will wrap its arms around the phrase business software assurance or merely view the process as part of a common SDLC (secure development lifecycle) program, the notion of continuous code and applications scanning is one that will continue to catch on with more companies, the executive said.

Yet, as important as any technology is the cultural change that must be affected among developers if the strategy is to succeed, said Bourzikas.

"Tools like this can help with SDLC, but you also have to consider the awareness issue," he said. "People have to better understand all the risks, because no one goes out and tries to write code that is insecure by default, they've been told to write something that works and they meet those requirements. We're hoping to teach our developers on what they need to protect, so in that sense, education is every bit as important."