Testing competitions can improve code, but crowdsourcing brings
new concerns to security governance, reports Deb Radcliff.
Downsizing of corporate structures coupled with a stronger-than-ever need for agile development has allowed an extreme form of outsourcing, known as crowdsourcing, to gain traction in the third-party development economy, according to analysts.

With crowdsourcing, code is exposed to groups of developers and testers in the form of contests. The benefit of having more contestants – that is, developers and testers – review the code is more reliable applications, experts say. The more who review, the more bugs they catch and the harder they make it for a bad apple to hide intentional back doors.

On the other hand, there are concerns around turning over code development to an anonymous pool of contributors. And while crowdsourcing may result in more reliable code, the model doesn't support formal security review during and after development. That's because most of the clients acquiring web, iPhone and some client/server apps through crowdsourcing do not think these tools require security review.

TopCoder, an established crowdsourcer, offers a good model of how the process works. TopCoder operates a community-based model to attract developers to contests that match their skills and interests.

"When you get more into the engineering, design and development contest calls,

hood of 20 competitors," says Tony Jefts, TopCoder's director of software operations. "Our community will rigorously score and test those submissions, and some of the members will do line-by-line vetting. The submission with the highest score wins."

In addition to offering reliability bonuses as part of the development award, TopCoder also offers additional awards – $2 per bug or hundreds of dollars – to the top contestant in bug-finding contests for specified modules.

"When we put a contest out there, we're structuring it to filter in the best talent for that particular piece of work," explains Jefts. "Any project we do is a series of different contests to tap into this crowd."

One of the concerns that comes to mind in this model is who is vetting the vetters, asks Stan Lepeak, managing director of global research for EquaTerra, an outsourcing analysis and services firm.

"With crowdsourcing, you're exposing your application to a broader group of programmers over whom you have less knowledge and control," he explains.

In TopCoder's case, contestants are vetted by online registration, through signed documentation and through reputation over time. In some cases, and in some countries, a notary is required, and in others, customers may specifically request only coders who have passed background checks. Such requests can increase the cost of the competition and narrow the pool of candidates