A brief exploration of the radical differences in contract software engineering quotes.

Software companies are everywhere these days. If you add in the number of freelancers on contractor sites, Craigslist, or the guy your friend knows, they are like grains of sand on the beaches. And they all get the same question every day: “How much would it cost to build an app?”

This is a question that has been addressed in a thousand blog posts, mainly by frustrated engineering firms who struggle to understand how people can ask such a question. They give answers like, “How long is a piece of string?” or “How much does a house cost to build?” These examples are designed to show that the cost of something custom varies wildly based on what the specification is. This, however, is only the most surface-level answer to that question. The real cost multiplier, and the hardest part to explain and quantify, is quality.

Quality of development is not simply a measure of your experience (e.g., How nice were your agency’s offices? Did they perform frequent check-ins? Did you feel good about the process? etc.). I’m talking about the actual quality of the code itself – not just the final product’s look-and-feel.

If you are paying a lot of money (relatively speaking) for a custom-built application, it should be obvious that it was made with a thoughtful user experience and appropriate graphic design, while not throwing errors or leading to dead ends. Right? Unfortunately, no. Even though this should be the bare minimum, getting the basics handled correctly is rare in my experience. As sad as that is, these signs of quality are something that you can shop for. You should be able to see examples of your potential agency’s previous work or of your freelancer’s portfolio. But you need to test them in real life, as if you were a real user, before committing. Do not believe anything you see in a PowerPoint presentation.

The biggest difference in software design company prices is the quality you don’t see. These are the tougher-to-articulate items. What I’m talking about here is the commitment to engineering best practices and processes, the quality of the code, and the thinking behind that code.

A decent developer can build many of the same applications that a great developer can – especially your typical business software system. It might even take the two teams the same amount of time to complete the same project. And the apps might be indistinguishable when they launch. Great code, a real belief in process and best practices, and solid team management are not as apparent in the first iteration of a product, but they become glaringly obvious in later releases.

As a product matures, new features are added, interactions with other systems are required, and user bases grow in size. These three fundamental points are rarely considered by your average development firm or freelancer.

When you add new features to a piece of software, you will often need to change the database structure or the APIs of the original design. These can result in large-scale breaking changes, meaning updates will break previous versions of the application. This type of work often requires huge time commitments to testing the new versions, providing triggers and fail-safes for existing users, and of course writing all new code. Top-class developers, on the other hand, design their systems from the get-go to be extensible. They plan multiple API versions from day one and have contingencies in place for breaking changes at inception. They may have already built your system to be multilingual (even though it is only launching in one language) because they know it would be a huge undertaking to add on later. They will take into account accessibility standards, security, and data optimization.

The ability to interact with systems outside of the application’s native environment is another frequently overlooked engineering problem. Abstracting your APIs with middleware might take an extra day or two at the beginning of your design process, but it might save you months of work down the line when you want to change out a data provider. Documenting the process as you go along, explaining to future developers how this should work, is easy when you’re building it. It becomes a huge task of reverse engineering if you have to do it a year later.

Finally, we should talk about scalability. A well-designed system will have architectural structures in place that are designed to expand or to leverage scalable hardware systems, while balancing the long-term costs of growing. A lesser development firm will have a “cross that bridge when we come to it” attitude or will throw expensive additional monthly hardware costs at a problem that could have easily been avoided in the design process.

Conclusion

The problem with picking a software engineering firm is that they are not going to bore you with the details of their documentation process in the sales pitch. I haven’t even touched on things like automated testing of code, good relationships with distribution partners, well-qualified project managers, and penetration testing as a standard practice. The problem is that almost no one is going to include these invisible quality requirements in a specification they put out for bid. Yet, these are the strongest determining factors in the long-term success of any software project. I promise.

Your options are to have a really solid technical lead on your team to evaluate the work being done or to pick a company that does go into these details in their sales pitch. You should be aware that doing things the right way is going to cost more up front, but it will save you double or even triple the time in the future compared with doing it the wrong way.

I help cruise lines turn their technical ideas into reality. I'm experienced in all stages of innovation and technology management. I've also been programming since I was 8 years old, and have somehow retained the ability to have normal human interactions. Occasionally I speak about how Industrial Psychology and Neurophysiology can be interrogated with IT and systems management, because I spend a lot of time thinking about the subject, as strange as that may seem.

Are School Bus Tracking Systems Dangerous?

There has been a lot of hype recently in Tampa Bay about the “Here Comes the Bus” app. This is a system that allows parents to see when their kids have gotten on a school bus, and where the bus is. Some parents are concerned that systems like this one could let malicious users or government agents track their children. So I’m going to give a quick overview of how systems like these work, and why they are not dangerous. We will also look at what parents SHOULD be concerned about.

How it works

The system is fairly straightforward. Students have either a barcode or a passive RFID chip printed onto their “Bus Pass” – which is just a card they carry around. This card is scanned once the student boards the bus, either with an RFID reader or a barcode scanner (basically the same technology used at grocery stores and clothing shops).

The barcode or the RFID chip carries a simple ID number. This number does not represent the student in any identifiable way – it’s just randomly assigned. The RFID scanner is connected to an internet-enabled device and sends the ID number securely to a server.

Keep in mind, if any data is intercepted up to this point, it is of no use to an attacker. The attacker would at best get a random number that means nothing.

On the other side of the system is the parent’s app. This app is connected to the Here Comes the Bus servers, which let parents know that their child is on the bus. The bus also has a GPS tracker on it, which connects to the internet and lets the Here Comes the Bus servers know where the bus is.

That random ID number is then looked up in a database which lets the application know which child has been assigned that ID number. The parent’s device securely requests that information, and it is provided securely down to the app.

It is possible the data coming down to the parent could be intercepted by an attacker. However, as this technology is very secure and is commonly used in almost every piece of software these days (from your health systems to banking apps), it is HIGHLY unlikely.
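The data flow described above, as an added example that is not code from Here Comes the Bus or from the original article: a toy in-memory server in which the bus reader submits only an opaque card ID and the ID-to-child mapping is released only to a linked parent account. All class, method and account names are hypothetical, and the sample values are constructed.

```python
import secrets


class BusTrackingServer:
    """Toy in-memory model of the server side (all names hypothetical)."""

    def __init__(self):
        self._card_to_student = {}  # random card ID -> student (server-side only)
        self._guardians = {}        # student -> parent accounts allowed to look up
        self._last_scan = {}        # card ID -> (bus ID, boarding time)
        self._bus_position = {}     # bus ID -> (lat, lon) from the bus GPS unit

    def enroll(self, student, parent_accounts):
        # The card ID is random, so it encodes nothing about the student.
        card_id = secrets.token_hex(8)
        self._card_to_student[card_id] = student
        self._guardians[student] = set(parent_accounts)
        return card_id

    def record_scan(self, card_id, bus_id, boarded_at):
        # The bus reader only ever sends the opaque card ID.
        if card_id not in self._card_to_student:
            raise KeyError("unknown card ID")
        self._last_scan[card_id] = (bus_id, boarded_at)

    def update_bus_position(self, bus_id, lat, lon):
        self._bus_position[bus_id] = (lat, lon)

    def status_for_parent(self, parent_account, student):
        # Only an account linked to the student may resolve ID -> child.
        if parent_account not in self._guardians.get(student, set()):
            raise PermissionError("account is not linked to this student")
        for card_id, name in self._card_to_student.items():
            if name == student and card_id in self._last_scan:
                bus_id, boarded_at = self._last_scan[card_id]
                return {"bus": bus_id, "boarded_at": boarded_at,
                        "position": self._bus_position.get(bus_id)}
        return {"bus": None, "boarded_at": None, "position": None}


def demo():
    """Run the flow once with constructed sample data."""
    server = BusTrackingServer()
    card = server.enroll("Student A", ["parent-a@example.test"])
    server.record_scan(card, "bus-12", "07:42")
    server.update_bus_position("bus-12", 27.95, -82.46)
    return server, card, server.status_for_parent("parent-a@example.test", "Student A")
```

In this model the card-to-student table and the guardian links are the sensitive data, and both live only on the server.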

Could you track kids using their cards?

Some of these bus passes contain a chip, and that sounds scary, right? Well, you don’t have to worry too much. These chips are passive RFID chips, the same type of technology that is imprinted in clothing labels to stop theft. Passive means that they need to be picked up by a powered scanner. In order to track a child, you would need to know their ID number (the randomly assigned one), and then set up expensive, high-powered scanners all around town. So it is possible, but there are WAY cheaper and easier ways to track someone. So this seems incredibly unlikely.

Could you track kids if you hacked into the Here Comes the Bus servers?

So the one thing that COULD happen is the Here Comes the Bus servers could be hacked. An attacker could break into the database and potentially be able to work out where a child has been, but this does not necessarily mean they will be able to find information on a particular child either. This data is hopefully encrypted, or linked to the school’s secure systems. I can’t speak to how this system has been secured and architected. My best guess is the system was designed with the understanding that this is sensitive data, and great care should be taken over the security. There are also a number of regulations in place that govern the usage and security of student and child data. The Children’s Online Privacy Protection Act of 1998 (COPPA) provides strict regulations regarding a child’s data. The Family Educational Rights and Privacy Act of 1974 (FERPA) gives parents certain rights with respect to their children’s education records. These two regulations will have been taken into account by the developers and the school board when evaluating this software.

Should I be worried about this?

No system is perfect, and every system inherently has its risks, but these risks need to be balanced against the rewards. I think that the safety aspects of this application far outweigh the highly remote possibility of the system being misused. There are WAY easier ways to track people than trying to exploit a system like this.

So what should I be worried about?

There are real threats and issues out there for you to be worried about. Kids download all sorts of things to their devices, and these downloads represent real, actual threats. Malware embedded in games, social media apps, and even downloaded backgrounds can track your exact GPS location, leak your phone number, show inappropriate content, or steal personal information.

Instead of worrying about the government tracking your kids while you send them to a public school, take a look at your kids’ actual devices. Install something like Norton Security Online and Norton Security for iOS or Android, or Malwarebytes. Also talk to your kids about what apps they’re using, and listen for anything strange about their data usage, content that is coming up unexpectedly, or unusual phone calls they’re getting. These are indicators of real threats to kids’ information and are a valid concern for parents.