Is Application Security Risk a Result of Outsourcing?


There’s a common belief in the software development space that when companies outsource their application projects, the control they relinquish results in lower application quality and puts their projects at risk. Once again, however, CAST’s biennial CRASH Report, which reviews the structural quality of business-critical applications, has disproved this theory.

Consistent with previous years’ CRASH results, the 2014-2015 CRASH report revealed that “The choice to develop applications in house versus outsourced had no effect on health factor scores.”

CAST Research Labs gathered evidence from 501 applications from companies that had reported source information. The applications – 224 of which were developed in-house and 277 of which were outsourced – were also all similar in terms of their number of lines of code.

The study statistically confirmed that there were no significant differences between sourcing choices on any of the health factors in the sample. Furthermore, when the Total Quality Index (TQI) scores for the two sourcing options were calculated, the difference proved to be statistically insignificant – outsourced applications were equal in structural quality to in-house developed applications.


The CRASH report also revealed very little difference between applications developed and maintained offshore versus onshore. Put in real-world terms, China and India offer quality on par with IT service companies in Mexico and the US.

Of the 387 applications studied that were developed onshore and the 114 that were developed or maintained offshore, there were no statistically significant differences in scores for Performance, Security, and Transferability between applications regardless of their location.

The only differences in health factors appeared in the Changeability and Robustness scores, but even there the differences were very slight. Onshore applications were slightly more Changeable (2% difference) and Robust (1% difference), both minor factors. The slight difference also led to onshore applications having a slightly higher TQI than offshore applications, but by less than 1%.

So the next time someone tries to tell you that you’re better off keeping a project in-house rather than outsourcing it, CRASH their misconception with the facts!

Complete results of the most recent CRASH report can be downloaded from the CAST web site at

Jonathan Bloom, Technology Writer & Consultant
Jonathan Bloom has been a technology writer and consultant for over 20 years. During his career, Jon has written thousands of journal and magazine articles, blogs and other materials addressing various topics within the IT sector, including software development, enterprise software, mobile, database, security, BI, SaaS/cloud, Health Care IT and Sustainable Technology.