A brief exploration of the radical differences in contract software engineering quotes.

Software companies are everywhere these days. If you add in the number of freelancers on contractor sites, craigslist, or the guy your friend knows, they are like grains of sand on the beaches. And they all get the same question every day: “How much would it cost to build an app?”

This is a question that has been addressed on a thousand blog posts, mainly by frustrated engineering firms who struggle to understand how people can ask such a question. They give answers like, “How long is a piece of string?” or “How much does a house cost to build?” These examples are designed to show that the cost of something custom varies wildly based on what the specification is. This, however, is only the most surface-level answer to that question. The real cost multiplier, and the hardest part to explain and quantify, is quality.

Quality of development is not simply a measure of your experience (e.g., How nice were your agency’s offices? Did they perform frequent check-ins? Did you feel good about the process? etc.). I’m talking about the actual quality of the code itself – not just the final product’s look-and-feel.

If you are paying a lot of money (relatively speaking) for a custom-built application, it should be obvious that it was made with a thoughtful user experience and appropriate graphic design, while not throwing errors or leading to dead ends. Right? Unfortunately, no. Even though this should be the bare minimum, getting the basics handled correctly is rare in my experience. As sad as that is, these signs of quality are something you can shop for. You should be able to see examples of a potential agency’s previous work or of your freelancer’s portfolio. But you need to test them in real life, as if you were a real user, before committing. Do not believe anything you see in a PowerPoint presentation.

The biggest difference in software design company prices is the quality you don’t see. These are the tougher to articulate items. What I’m talking about here is the commitment to engineering best practices and processes, the quality of the code, and the thinking behind that code.

A decent developer can build many of the same applications that a great developer can – especially your typical business software system. It might even take the two teams the same amount of time to complete the same project. And the apps might be indistinguishable when they launch. Great code, a real belief in process and best practices, and solid team management are not as apparent in the first iteration of a product, but they become glaringly obvious in later releases.

As a product matures, new features are added, interactions with other systems are required, and user bases grow in size. These three fundamental points are rarely considered by your average development firm or freelancer.

When you add new features to a piece of software, you will often need to change the database structure or the APIs of the original design. These can be large-scale breaking changes, meaning an update will break previous versions of the application. This type of work often requires huge time commitments: testing the new versions, providing triggers and fail-safes for existing users, and of course writing all-new code. Top-class developers, on the other hand, design their systems from the get-go to be extensible. They plan for multiple API versions from day one and have contingencies for breaking changes in place at inception. They may have already built your system to be multilingual (even though it is only launching in one language) because they know it would be a huge undertaking to add later. They will take into account accessibility standards, security, and data optimization.

The ability to interact with systems outside of the application’s native environment is another frequently overlooked engineering problem. Abstracting your APIs with middleware might take an extra day or two at the beginning of your design process, but it might save you months of work down the line when you want to change out a data provider. Documenting the process as you go along, explaining to future developers how this should work, is easy when you’re building it. It becomes a huge task of reverse engineering if you have to do it a year later.

Finally, we should talk about scalability. A well-designed system will have architectural structures in place that are designed to expand or to leverage scalable hardware systems, while balancing the long-term costs of growing. A lesser development firm will have a “cross that bridge when we come to it” attitude or will throw expensive additional monthly hardware costs at a problem that could have easily been avoided in the design process.

Conclusion

The problem with picking a software engineering firm is that they are not going to bore you with the details of their documentation process in the sales pitch. I haven’t even touched on things like automated testing of code, good relationships with distribution partners, well qualified project managers, and penetration testing as a standard practice. The problem is that almost no one is going to include these invisible quality requirements into a specification they put out for bid. Yet, these are the strongest determining factors in the long-term success of any software project. I promise.

Your options are to have a really solid technical lead on your team to evaluate the work being done, or to pick a company that does go into these details in their sales pitch. Be aware that doing things the right way is going to cost more up front, but it will save you double or even triple that time later compared with doing it the wrong way.

I help cruise lines turn their technical ideas into reality. I'm experienced in all stages of innovation and technology management. I've also been programming since I was 8 years old, and have somehow retained the ability to have normal human interactions. Occasionally I speak about how Industrial Psychology and Neurophysiology can be interrogated with IT and systems management, because I spend a lot of time thinking about the subject, as strange as that may seem.

Capture The Flag Games in Role-Playing Games

I’ve recently been running a 5e-based game with my usual role-playing nerd circle on Sunday nights. The game is called The Spy Game. It started off as a Kickstarter campaign and doubled its original funding goal (well done!). It’s been fairly successful, but I’m not here to talk about that. This post is about how I’ve incorporated Capture the Flag elements into our role-playing.

Yes, I’m a grown man who plays D&D-style games. We play d20 games, which are role-playing games that use dice to determine the outcomes of certain actions. They have become increasingly popularized in the media, with Stranger Things being a large contributor. I did not grow up playing D&D, but started playing when my poker group decided to mix it up. Yes, that is true.

What is The Spy Game?

The Spy Game is a role-playing game built around telling stories set in a present-day world with… spies. That means your players pick what type of spy they want to play, make up back stories, and choose classes (Infiltrator, Assassin, Medic, etc.). Then the Game Master (me) makes up scenarios and missions for them to go on. The players decide what they want to do (e.g. attack a security guard) and they roll a die to see how devastating their attack on the poor guard was. While this is a gross over-simplification, it’s good enough for our purposes.

Quickly, What is Capture the Flag?

Capture the flag (commonly CTF) is a style of network and systems security exercise: a penetration-testing simulation played for fun and practice. The idea is that a security expert creates a small, simulated computer system that players try to break into, or a code they must crack, in order to find a “flag”. The flag is the indicator of the player’s success. For example, you might be given a website with some sort of password protection that is beatable with certain techniques. Once you bypass the security, you discover the flag. These are often written as {Flag-name} or something similar so that players know they have succeeded. You can read all about them on Wikipedia, or play them at Hacker101 or even Google’s own CTF.

Combining CTFs and Role Playing

My roleplaying group is fairly nerdy (does that go without saying?) So I wanted to make the game a little technical and different from our usual swords and sorcery chaos romps. I thought it would be interesting for those in the group who are less technically minded to learn a little about actual hacking, rather than the “roll the dice to try and hack the system” that is built into the game. The more experienced computer-people in the group could screen share as they worked, and the team could work out the problems together. Everyone wins!

It has worked out really, really well. Everyone has enjoyed these CTFs, including me. I’ve only written a few so far, but they include:

  • Breaking a password to get into a security camera interface
  • Finding the GPS coordinates of an arms deal that is going down, hidden in a base-64 string
  • Decoding a message between two terrorists, hidden in an image
  • Cracking a cipher (spoilers) to get the code words for the security team on duty needed for a break-in!

You can find the few I’ve written so far here on GitHub.
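Two of the tricks in that list, written out end to end as an added example (this is not code from the challenges in that repository): a challenge builder and its solve for coordinates hidden in a base-64 string, and for a message hidden in an image using the least-significant bit of each pixel byte. The chat log, the coordinates, the flags and the cover image are all constructed here so it runs offline; the “image” is a raw PPM built by hand so no imaging library is needed.

```python
import base64
import re

# --- Challenge 1: coordinates of an arms deal hidden in a base-64 string ---

# Constructed "intercepted chat log": one line carries the deal note as base-64.
DEAL_NOTE = "meet at 40.7484,-73.9857 at 0200, bring the flag{arms_deal_spotted}"
INTERCEPT = "\n".join([
    "[02:14] gator: package is ready",
    "[02:15] viper: send the location the usual way",
    "[02:15] gator: " + base64.b64encode(DEAL_NOTE.encode()).decode(),
    "[02:16] viper: ack",
])

B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")          # runs that look like base-64
COORD = re.compile(r"(-?\d{1,2}\.\d+),\s*(-?\d{1,3}\.\d+)")   # decimal lat,lon
FLAG = re.compile(r"flag\{[^}]*\}")


def solve_intercept(text: str):
    """Decode every base-64-looking token and return the first lat/lon pair
    (plus any flag) found in the decoded text, or None if nothing decodes."""
    for token in B64_TOKEN.findall(text):
        try:
            decoded = base64.b64decode(token, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # a run of letters that merely looked like base-64
        coord = COORD.search(decoded)
        if coord:
            flag = FLAG.search(decoded)
            return {"lat": float(coord.group(1)), "lon": float(coord.group(2)),
                    "flag": flag.group(0) if flag else None}
    return None


# --- Challenge 2: a message hidden in an image (least-significant-bit stego) ---

def make_ppm(width: int, height: int) -> bytes:
    """Constructed cover image: a binary PPM (P6) gradient, no library needed."""
    header = f"P6\n{width} {height}\n255\n".encode()
    pixels = bytearray()
    for y in range(height):
        for x in range(width):
            pixels += bytes(((x * 7) & 0xFF, (y * 11) & 0xFF, ((x + y) * 3) & 0xFF))
    return header + bytes(pixels)


def _split_ppm(img: bytes):
    """Split header from pixel data. Assumes the three-line header make_ppm
    writes; real PPM files may also carry comment lines."""
    magic, size, maxval, pixels = img.split(b"\n", 3)
    return b"\n".join((magic, size, maxval)) + b"\n", bytearray(pixels)


def hide_in_image(img: bytes, message: str) -> bytes:
    """Write the message (NUL-terminated) into the lowest bit of successive
    pixel bytes. Each byte changes by at most 1, invisible to the eye."""
    header, pixels = _split_ppm(img)
    payload = message.encode() + b"\x00"
    bits = [(byte >> i) & 1 for byte in payload for i in range(7, -1, -1)]
    if len(bits) > len(pixels):
        raise ValueError("cover image too small for the message")
    for i, bit in enumerate(bits):
        pixels[i] = (pixels[i] & 0xFE) | bit
    return header + bytes(pixels)


def extract_from_image(img: bytes) -> str:
    """Read the low bits back eight at a time until the NUL terminator."""
    _, pixels = _split_ppm(img)
    out = bytearray()
    for i in range(0, len(pixels) - 7, 8):
        byte = 0
        for b in pixels[i:i + 8]:
            byte = (byte << 1) | (b & 1)
        if byte == 0:
            break
        out.append(byte)
    return out.decode("utf-8", errors="replace")


if __name__ == "__main__":
    print(solve_intercept(INTERCEPT))
    stego = hide_in_image(make_ppm(32, 32), "flag{lsb_in_the_noise}")
    print(extract_from_image(stego))
```

The solve for the first challenge is deliberately generic: it hunts for anything base-64-shaped, decodes it, and only then looks for a coordinate pair, which is how a player approaches a real intercept. For the image, the stego file is byte-for-byte the same size as the cover and differs only in low bits, so a player comparing the two files (or just reading LSBs) finds the message while a viewer shows an unchanged picture.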

These ideas were heavily influenced by the excellent CTF run by the one and only Connor Tumbleson, at Sourcetoad.

Writing CTFs with ChatGPT

I would highly recommend adding a real world CTF to your next role playing adventure. But who has the time? Enter AI with ChatGPT. One of the scary things about ChatGPT is that it writes decent code, but it is only as good as the prompts you give it, and it is NOT secure. So basically anything you tell the bot to write for you has an exploit big enough to drive a bus through. This should be scary to anyone using it for production work, but it is amazing for CTFs.

I’ve also used ChatGPT to write quick and dirty interfaces (like the security camera on-off switch). Is it pretty? No! Would I use anything like that for a client or anywhere near a production environment? Hell no! But it’s more than good enough for a fun evening with friends, gathered around a Zoom table, working out how to hack into a secret vault.
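To make the “exploit big enough to drive a bus through” concrete, here is an added example (not the author’s ChatGPT output and not the camera interface from the challenges): a security-camera login written the careless way a quick prompt tends to produce, beside the same check hardened. The account name, password, table layout and the PBKDF2 round count are constructed for the demo; the bypass input is the classic quote-and-OR payload.

```python
import hashlib
import hmac
import secrets
import sqlite3

PBKDF2_ROUNDS = 100_000  # assumption for the demo; tune upward for real use


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow hash so a stolen table cannot be reversed cheaply."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_camera_db() -> sqlite3.Connection:
    """In-memory DB with one constructed guard account stored twice:
    plaintext for the careless login and salted PBKDF2 for the hardened one."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users_plain (name TEXT, password TEXT)")
    db.execute("CREATE TABLE users (name TEXT, salt BLOB, pw_hash BLOB)")
    salt = secrets.token_bytes(16)
    db.execute("INSERT INTO users_plain VALUES (?, ?)", ("guard", "correct horse"))
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               ("guard", salt, hash_password("correct horse", salt)))
    db.commit()
    return db


def login_vulnerable(db, name: str, password: str) -> bool:
    """User input pasted into the SQL text: whoever controls `name` controls
    the WHERE clause, and the stored password is plaintext on top of that."""
    query = (f"SELECT count(*) FROM users_plain "
             f"WHERE name = '{name}' AND password = '{password}'")
    return db.execute(query).fetchone()[0] > 0


def login_hardened(db, name: str, password: str) -> bool:
    """Bound parameters keep input as data, never SQL; the salted hash is
    compared in constant time so the check leaks nothing about the stored value."""
    row = db.execute("SELECT salt, pw_hash FROM users WHERE name = ?",
                     (name,)).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(hash_password(password, row[0]), row[1])


# The CTF solve: close the quote, make the clause always true, and comment out
# the password check (`--` starts a comment in SQLite).
BYPASS_NAME = "' OR 1=1 --"

if __name__ == "__main__":
    db = make_camera_db()
    print("vulnerable, real creds  :", login_vulnerable(db, "guard", "correct horse"))
    print("vulnerable, injection   :", login_vulnerable(db, BYPASS_NAME, "anything"))
    print("hardened, real creds    :", login_hardened(db, "guard", "correct horse"))
    print("hardened, same injection:", login_hardened(db, BYPASS_NAME, "anything"))
```

Against the careless version, a user name of `' OR 1=1 --` logs in with any password, because the quote ends the string literal and `--` comments out the rest of the clause; the hardened version treats the same input as a literal user name that does not exist and returns False. For a CTF evening that is exactly the flaw you want a player to find; for a client it is the one you must never ship.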