Having led a highly skilled team for over seven years, I've seen the power of enabling our customers' business goals both with out-of-the-box configuration and via tailored coding. Where possible, configuration will generally lead to lower Total Cost of Ownership (TCO) and greater Return on Investment (ROI). That being said, there are still times when the only and/or most optimal way to deliver a requirement is with tailored code. Here I'll just mention some items to consider for such coding.
First of all, why am I using the term 'tailored' code and not 'custom' code? The choice is both a legal statement and implies a different meaning. When leveraging the term 'custom', the implication is that any modifications and/or additions are being made to the core product. This renders all support for said product invalid and makes the adjusting organization responsible for the entire product. It may also create licensing and/or liability concerns. With 'tailored', I am speaking of an API-based or integration approach to modifications. In such a model the individual performing the modifications becomes responsible for any code additions but does not invalidate the core product's support contract. Of course, the modifier still remains responsible for supporting and maintaining their own code and any impact it may have on the system, but in many cases the organization may still seek support for the base product.
If a customer is going to have tailored code created to integrate with a system, it is recommended that they either work with a trusted organization to create, support and maintain such code for them or provide for the following items:
- Understand that tailored code, as with other systems, will require an investment in people, process, and technology.
- Have a team with the proper skills and training to manage such code. A team is important, as many organizations have relied upon a single individual and placed their company at risk should that individual leave the organization for any reason.
- Determine what process / standards will govern such code.
- Have a source code management system. Source code and documentation (design, build, implementation) should all be checked into such a system.
- Have a configuration management database. Document that such code exists along with any 3rd party library dependencies so that the organization can measure risk and impact.
- Vulnerability scan all such code. While this should go without saying, we continue to see companies leverage open source code and not take accountability for their usage of it.
- Depending upon the size and extent of the tailoring, an organization may wish to invest in automation. There are three areas where automation can be implemented with different levels of return on investment. If full automation is implemented, then the turnaround and impact during upgrades are greatly reduced. Some areas where automation can help are: build, vulnerability detection, deployment, and testing.