Is Application Security Risk a Result of Outsourcing?

There’s a common belief in the software development space that when companies outsource their application projects, the control they relinquish by doing so results in lower application quality and puts their projects at risk. Once again, however, CAST’s biennial CRASH Report, which reviews the structural quality of business-critical applications, has disproved this theory.

Consistent with previous years’ CRASH results, the 2014-2015 CRASH report revealed that “The choice to develop applications in house versus outsourced had no effect on health factor scores.”

CAST Research Labs gathered evidence from 501 applications from companies that had reported source information. The applications – 224 of which were developed in-house and 277 of which were outsourced – were also all similar in terms of their number of lines of code.

The study statistically confirmed that there were no significant differences between sourcing choices on any of the health factors in the sample. Furthermore, when the Total Quality Index (TQI) scores for the two sourcing options were calculated, the difference proved to be statistically insignificant: outsourced applications were equal in structural quality to in-house developed applications.


The CRASH report also revealed very little difference between applications developed and maintained offshore versus onshore. Put in real-world terms, China and India offer quality on par with IT service companies in Mexico and the US.

Of the 387 applications studied that were developed onshore and the 114 that were developed or maintained offshore, there were no statistically significant differences in scores for Performance, Security, and Transferability between applications regardless of their location.

The only differences in health factors appeared in the Changeability and Robustness scores, but even there the differences were very slight. Onshore applications were slightly more Changeable (2% difference) and Robust (1% difference), both minor factors. These slight differences also led to onshore applications having a slightly higher TQI than offshore applications, but by less than 1%.

So the next time someone tries to tell you that you’re better off keeping a project in-house rather than outsourcing it, CRASH their misconception with the facts!

Complete results of the most recent CRASH report can be downloaded from the CAST web site at

Jonathan Bloom

Jonathan is an experienced writer with over 20 years writing about the technology industry. Jon has written more than 750 journal and magazine articles, blogs and other materials that have been published throughout the U.S. and Canada. He has expertise in a wide range of subjects within the IT industry including software development, enterprise software, mobile, database, security, BI, SaaS/Cloud, Health Care IT and Sustainable Technology. Jon holds a B.A. in History from Gettysburg College. He enjoys attending sporting events, cooking, studying American history and listening to Bruce Springsteen music.
