build vs buy

The question of building an application vs buying an application does not come up very often, but when it does it is a difficult conversation to have. I would understand if the discussion were public domain vs commercial products. That is a discussion that I have on a regular basis. I got some training on Oracle Web Center the other day and kept comparing it to uPortal. Yes, there are differences. Yes, one is a commercial product and the other is public domain. Yes, there is value in both. The argument then comes down to dollars and training. When I was at Texas A&M I deployed a prototype of uPortal. It was more of a political fight than it was a technical challenge. We also deployed the Yale CAS server for single sign-on. It was a relatively easy solution and required very few political battles. It mainly required a mandate from the university that we would no longer ship out password files and would restrict who could connect to the LDAP and Kerberos servers. This was an easy one. It increased the security of all services on campus, existing services included.

I was at a customer the other day and they were talking about writing their own hardening solution for identity. They wanted to write a solution that presents a custom image or challenge word embedded in the HTML to prevent a man-in-the-middle attack. This technology is used by many of the larger banks because it has been mandated for financial data. They want to use the technology for human resources data. It makes sense because they need to protect social security numbers.

What didn't make sense was that they wanted to build their own solution for this rather than purchase one that already exists. The technology isn't complex. It requires some Java or ASP code, a database, and a way of injecting the image into the authentication screen. This is effectively what CAS does, minus the custom images. It would be a simple step to change CAS to support the changing images or pass phrases, but challenging to present a floating keypad or keyboard. Oracle provides this with the Adaptive Authentication Manager. This product provides the floating keyboard, challenge questions, and custom images as well as a risk analysis tool. I don't want to get into the detail of the product because you can find it yourself.

My question is: how do you justify building something or buying something? Suppose the product will cost you on the order of $100K (I have no clue how much it actually costs). How many programmers does this translate to, and how much support cost is required to reproduce something like it? If we look at a parallel: if a car costs $50K, how many mechanics would it take to get a car from the junk yard and build you a new one, or build one from scratch from a kit? When was the last time you saw a kit car or kit airplane? I see a bunch of custom homes and spec homes being built, but the vast majority are as-is with customizations. I think software is similar to this.

In doing some research on the cost of software and how much a developer can produce on a daily basis, the numbers are difficult to pin down. They range from $20-$100 per line of code, and from 15-40 lines of code generated per day. If we look at the CAS code, it has about 50K lines of code. This suggests that developing this software would cost $1M conservatively and take about a thousand days. You can parallelize this and assign three or four people to it, reducing it to 250 days. This says that in a year you could re-write the CAS code from scratch and come out with a production-quality supported package. Alternatively, you could spend $50K and assign a full-time staff person for a year to test, implement, integrate, and deploy this system into your production environment.

It makes sense to me that buying is the way to go. Unfortunately, I am on the vendor side and am having trouble seeing the value in building my own software, or car, or computer, or phone system, or bicycle from scrap parts. I guess I have been away from the university too long...