Hello. My name is Noemi Millman, and Triopter is my web development agency. We handcraft beautiful, dynamic websites.

On the Pitfalls of Overseas Outsourcing

Outsourcing overseas can be tempting, and there are times when it is an appropriate approach to a web project. But it can be dangerous if you do not have the technical expertise to properly evaluate the quality of the work. Let me tell you a little story:

Recently a client came to me with a small project: a single new page on her site, password protected to keep out casual browsers and search engines, but not requiring a high degree of security.

When I’m very busy, as I am now, I occasionally subcontract to other American-based freelancers with whom I’ve worked closely and whom I trust to produce excellent work. Because this project was in a language I rarely work in, I decided the most efficient use of the client’s money would be to subcontract to someone with more experience in that language. I reached out to some contacts and was put in touch with someone who received enthusiastic recommendations.

Not realizing that this individual (who will remain nameless) actually ran an outsourcing firm, I sent him some instructions; the page was presented to me the next morning.

To someone not closely familiar with web technology, it might have looked perfect. You input the password. If it was incorrect, you received a warning and nothing happened. If it was correct, you were redirected to the actual page.

However, there were two major flaws in the implementation that suggested that the requirements — or the reasoning behind them — had not been understood:

1. Use of JavaScript

The password verification was implemented entirely in JavaScript — I recognized this immediately from the alert box that appeared when an incorrect password was input. The problem with this is that it is entirely client-side: i.e. performed in the user’s browser. A user could simply “view source” for the page to retrieve both the password and the URL of the destination page.

2. The destination page was not password protected

That is, if you visited the URL of the destination page without first going through the password page, there was no validation performed — it could be accessed without a password. This defeated both of the purposes of the password protection: the URL could be shared among users, and if a user were to put a link from another website to the page, it could be picked up by search engines.

I sent the project back to the subcontractor, explaining my disappointment with the use of client-side authentication. He agreed to have the flaws corrected, and it was at this point that I learned that he was outsourcing overseas.

When the “corrected” page was returned to me the next morning, the password authentication had indeed been moved server-side (meaning that a casual user could not retrieve the password or destination URL); but the two-page structure that permitted unauthenticated access to the destination page had not been corrected (the correct behavior would have been to use a “cookie” to create a “session” identifying the user, and to refuse to present the destination page if the session did not indicate that the user had entered the password).
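The session check described above can be sketched as follows. This is an added example, not the code that was delivered or the page I eventually built; it uses Python's standard library for illustration, and the `/login` and `/members` paths, the `sid` cookie name and the password are hypothetical.

```python
import hashlib, hmac, io, secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

# Hypothetical names for this sketch: /login, /members, the "sid" cookie, the password.
PASSWORD_DIGEST = hashlib.sha256(b"constructed-example-password").digest()
SESSIONS = set()  # session ids the server has issued after a correct password

def session_id(environ):
    cookie = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    return cookie["sid"].value if "sid" in cookie else None

def app(environ, start_response):
    path, method = environ.get("PATH_INFO", "/"), environ.get("REQUEST_METHOD", "GET")
    if path == "/login" and method == "POST":
        size = int(environ.get("CONTENT_LENGTH") or 0)
        form = parse_qs(environ["wsgi.input"].read(size).decode())
        supplied = hashlib.sha256(form.get("password", [""])[0].encode()).digest()
        # The comparison happens on the server; the password never reaches the browser.
        if hmac.compare_digest(supplied, PASSWORD_DIGEST):
            sid = secrets.token_urlsafe(32)
            SESSIONS.add(sid)
            start_response("303 See Other", [("Location", "/members"),
                ("Set-Cookie", f"sid={sid}; HttpOnly; SameSite=Lax; Path=/")])
            return [b""]
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"Incorrect password"]
    if path == "/members":
        # The destination checks the session itself, so knowing its URL is not enough.
        if session_id(environ) in SESSIONS:
            start_response("200 OK", [("Content-Type", "text/html")])
            return [b"<h1>Protected page</h1>"]
        start_response("303 See Other", [("Location", "/login")])
        return [b""]
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b'<form method="post" action="/login"><input type="password" name="password"></form>']

def call(path, method="GET", body=b"", cookie=""):
    """Drive the app in-process; returns (status, headers dict, body bytes)."""
    seen = {}
    environ = {"PATH_INFO": path, "REQUEST_METHOD": method, "HTTP_COOKIE": cookie,
               "CONTENT_LENGTH": str(len(body)), "wsgi.input": io.BytesIO(body)}
    chunks = app(environ, lambda status, headers: seen.update(status=status, headers=dict(headers)))
    return seen["status"], seen["headers"], b"".join(chunks)

if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    make_server("127.0.0.1", 8000, app).serve_forever()
```

When the site is served over HTTPS, the cookie should also carry the `Secure` attribute.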

Finally, disappointed, I decided to implement the page myself, and will not charge the client for the time spent by the subcontractor. Lesson learned: be certain in advance whether the subcontractor I’m hiring outsources. I could have saved myself some time and money if I had known this — I might have hired someone else, or at the very least would have been much more specific in my instructions (overseas developers will typically implement whatever takes the least thought to meet the instructions given, so you must give them very explicit instructions).

The same caveats apply to anyone hiring for web development. If you are considering hiring an outsourcing company rather than an American-based agency or freelancer, be certain that you have someone in house with the technical savvy to both a) communicate very detailed instructions to the outsourcer, and b) evaluate the resulting product for technical flaws and adherence to specifications.

In the end, please consider hiring your friendly neighborhood freelancer, who will make the effort to understand the problem you are trying to solve; will be able to offer suggestions as to alternate and possibly more efficient solutions; and will consider it a point of pride to solve it correctly.
