Best Practices for Outsourcing Software Testing and Development

With Sashi Reddi, CEO of AppLabs Technology, a Philadelphia-based company that specializes in software testing and development with an emphasis on quality assurance.

Question: When outsourcing software quality testing, what are a few of the best practices for companies to follow?
Reddi: Three practices immediately come to mind. First of all, it is important for companies to involve their testing group from the very beginning of the software development lifecycle. Quality begins when the application specifications are written down, not after the product has been built and sent to the testing group.
Second, companies should review and agree upon how the testing process will be implemented. This includes agreeing upon a number of important details such as the test strategy, test plans, test case format, status reports, test coverage, test platforms/setups and acceptance criteria.
They should also ensure that the development team understands that the testing group is their "equal" and its input will be considered seriously. Typically, people expect the testers to find "bugs," but to get the best results from the testing group they should be allowed to review the product and/or application from multiple angles, including usability, performance, security, ease of integration and so on.

Question: What are some of the mistakes that companies commonly make when outsourcing software testing?
Reddi: The biggest mistake is that many times companies outsource both testing and development to the same vendor — thus they have a fox guarding the henhouse! These two activities need to be done by independent groups. The testing group must be able to provide independent, objective feedback on the development process and output.
One should go through the same serious evaluation process when selecting either a testing vendor or a development vendor. One should expect the testing vendor to follow documented processes, have the right lab and infrastructure and a proven track record, specifically in the testing space, not simply in general IT services.

Question: AppLabs was the world's first software testing company to have been assessed at SEI CMM Level 5. What security points should be mandatory for any company entering into a partnership with a software quality-testing supplier?
Reddi: Most testing work can be performed without access to the source code of a product. So the true security threat is in the form of proprietary information being shared with competitors. This threat is most pertinent to technology companies whose survival depends entirely on their products. AppLabs is the market leader in doing work for technology companies worldwide, thereby establishing ourselves as a trusted partner to our customers. We have achieved this by implementing various security standards in terms of how we protect our customers' information both from the outside world as well as from teams working for other customers of AppLabs. We were recently certified as being ISO BS7799, the leading standard for information security.
The customer should ask the vendor to disclose its security policy document. The document should cover network security, information security, disaster recovery/management plans, as well as standard things such as physical security including access to the building, server room, team separation and so on.
