By Vijendra Kumar H on Jun 26, 2018 6:12:52 AM
Presale discussions with prospective customers can be very interesting!
Initial discussions focus on one of their products to be built or supported. But when the prospect realizes that he/she is talking to a solution architect who is technically sound and a good problem solver, the discussion takes a detour. It turns to their issues with other products, and we end up winning an entirely different project from them!
To explain further, most of the time the discussions focus on issues related to their existing vendor. They complain about their current vendor and how their product has suffered because of poor management by the vendor.
In several such cases, when we delve further, we find that most of the companies have done their best to find a suitable vendor. However, after identifying a good vendor, they have trustingly handed over their product development work to them. They do not find out about the actual developers or conduct background checks on the developers who will be working on their projects. Big mistake I would say!
Let me share two recent, interesting presale calls:
First Presale Call
This was with a prospective customer to discuss some clarifications for their new product RFP (Request For Proposal). However, a few minutes into the call, the discussion took a different direction. The prospect started explaining the issues related to their current website. He was worried about the fact that their website had been hacked three times in a span of four months!
Every time it was hacked, the vendor who had developed their website made a few changes, charged them for the work and assured them that the website was safe. But once again the site would be hacked and down for a few days. He was completely frustrated with the way things were going and was avoiding meeting the senior management as he did not know how to solve the problem.
The night before the call with us, the site had been hacked yet again and their hosting provider had suspended their account. They had written to him saying that unless the issue was rectified, they would keep the account in a suspended state as the hacker was inducing a lot of traffic to the hosting provider.
I was curious and felt that the hacker must be very intelligent and the site must have a really complex loophole. I asked him to give us a chance to check this issue.
Since the site had already been hacked three times and this was the fourth time, I personally got involved, even though my team could have handled it. I found that the site was built using Drupal and PHP. When we dug deeper, we noticed that there was a PHP page which triggered an email based on the email id provided by users. That page was being called from another page where there was a 'Captcha'. When we checked, their PHP page was actually getting the Captcha image along with the Captcha text from the server and then validating the user input against the Captcha text in their JavaScript, i.e. on the client side! After validation, their JavaScript called another PHP page with the email id provided, which triggered an email.
No wonder the hacker easily got hold of the PHP page which was responsible for triggering the emails: because the Captcha was checked only in the browser, that page could be called directly and would send mail without any check of its own. It appeared as though some junior programmer must have coded it this way, as no experienced programmer would do the Captcha validation on the client side. Unfortunately, no one had checked the code again even after repeated hacks!
Our team took care of it easily by moving that validation logic to the server side. We also ran a security check on the whole website and then fixed a few other minor issues. Since that fix, it has been three and a half months with no news about their website going down!
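As an illustration of what moving the Captcha check to the server side means, here is an added sketch; it is not the customer's code or the fix our team shipped. The function names are hypothetical, the session is modelled as a plain array, and mail delivery is a callback so the script runs from the command line.

```php
<?php
// Issue a challenge: the expected text is stored server-side and is only
// ever rendered into the image, never sent to the browser as text.
function issue_captcha(array &$session): string
{
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789';
    $text = '';
    for ($i = 0; $i < 6; $i++) {
        $text .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    $session['captcha'] = ['text' => $text, 'expires' => time() + 300];
    return $text;
}

// The mail endpoint checks the Captcha itself; it trusts no earlier page.
function handle_mail_request(array &$session, array $post, callable $send): int
{
    $challenge = $session['captcha'] ?? null;
    unset($session['captcha']); // single use: a replay finds no challenge

    $raw = $post['captcha'] ?? null;
    $answer = is_string($raw) ? strtoupper(trim($raw)) : '';
    if ($challenge === null || time() > $challenge['expires']
        || !hash_equals($challenge['text'], $answer)) {
        return 403; // no mail is sent without a solved, unexpired challenge
    }
    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        return 400;
    }
    $send($email);
    return 200;
}

// Constructed demonstration with made-up addresses.
$session = [];
$sent = [];
$send = function (string $to) use (&$sent) { $sent[] = $to; };

// 1. Endpoint called directly, with no challenge ever solved.
$direct = handle_mail_request($session, ['email' => 'a@example.com'], $send);
// 2. Normal flow: challenge issued, correct answer submitted.
$text = issue_captcha($session);
$form = ['email' => 'b@example.com', 'captcha' => $text];
$normal = handle_mail_request($session, $form, $send);
// 3. The same request replayed.
$replay = handle_mail_request($session, $form, $send);

printf("direct=%d normal=%d replay=%d mails=%d\n",
    $direct, $normal, $replay, count($sent));
```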
Second Presale Call
In this presale call with a HR advising company, when I mentioned using the cloud for their new product, the suggestion shocked them. The client mentioned that they were already paying a huge amount for maintaining their current cloud infrastructure for one product. They did not want to go with the cloud for any of their other products because of this cost. After checking, we found that they were using a private cloud for hosting their web portal and database servers. There were just three medium level servers and they were paying US$8000 per month to the private cloud service provider.
As a leading healthcare company, they needed measures to be compliant with standards such as HIPAA, HITECH and so forth. Their current vendor had suggested the private cloud vendor and they had gone with the suggestion. After understanding their security requirements, we moved their current product to Microsoft Azure without compromising any of their security requirements. Now they pay just USD 720 per month. Huge savings, isn't it?
In both cases, the vendors with whom they were working were very good. The customers had spent a lot of time and effort in selecting the right vendor. But after selecting the vendor, they had handed over their product development work to them.
To me it appeared that the problem was with the development team and not with the vendor.
In the first case, the development work was probably executed by someone who did not know how Captcha is meant to work. This could be how their website fell prey to the hacker.
In the second case, after hearing the security requirements, the development team/architect had suggested a private cloud (due to its reputation for security), perhaps without considering other options.
Best Practices for Outsourcing Development Work
- Generally, when companies outsource their product development work, they select a good vendor and do not bother to check the development team that works on their products. It is a fact that vendor companies place good technical people on presale calls. However, the actual development could be taken care of by a different set of people. It is, therefore, a good practice for companies to insist that their vendors place the same set of technical people who speak to them during presale calls to work on their product development.
- Companies should insist on being introduced to the development team (at least the leads/architects) and check their expertise on the required technologies.
- Also, it would be great to get their profiles checked on social media sites like LinkedIn, technical forums, etc.
- It is good to have a dialogue with them and make sure that they fit the requirement. If you cannot understand the technology, get a consultant to do this work for you.
- More importantly, stay constantly in touch with the development team to make sure that the same set of people are working on the product.
- Also, if you have a requirement for cloud infrastructure services and if you are going to a vendor who has partnered with Microsoft, they will try to convince you to go with Azure cloud. It can be the same case with AWS or GCP, Armor and so forth. It is better to find a vendor and development team that knows all the technologies and recommends a suitable platform or the technology for your product.
For product companies, the product is like a baby. When something happens to a baby, we need to search for a pediatrician and not a general physician. It is important to evaluate the pediatrician. I am sure that no one will want to get their baby diagnosed by an intern even if the intern is working in a large hospital. Also, once that pediatrician is taking care of the child, it still needs the presence and the care of its parents.
Similarly, it is important to take care of your product by choosing a good vendor along with a good development team. After all, the product is your own baby and you are more responsible for its welfare than anyone else in the world, right?