January 29, 2003

Making a Living Saving the Government Money

- By Robin 'Roblimo' Miller -
Peter Gallagher is president of devIS (AKA Development Infostructure), a Virginia-based company that designs, develops, hosts, and operates large-scale custom Internet applications for government agencies and private consultants. He says devIS saves its clients a minimum of $100,000 per contract by using Open Source Software. Gallagher also claims none of the Web sites or Web applications devIS has produced have ever been hacked. And here's the real clincher: devIS makes money.

The devIS business model is one Open Source and Free Software proponents have been advocating for years, namely selling software services instead of selling software products.

DevIS has 30+ employees, over $4 million in annual revenue, and enjoyed over 50% revenue growth in 2002, a year in which many IT services companies watched their revenues shrink.

Smart employees discovered Linux

Although devIS had been around since 1992, 1995 was the year the company first started using Linux. Gallagher takes no credit for this. He says, "Several of the guys -- who are smarter than me -- said, 'Let's use Linux! Let's use Linux!' and we put it on our file servers in house, doing the typical Samba and print serving. And it worked, and it just kept working."

Then, Gallagher says, a while later, "for one of our federal clients on a fixed price contract, where we were paid to outsource an application, we started using Open Source without telling anyone. The application worked consistently and we were able to save the client a bunch of money. We used Linux and PostgreSQL to build it."

Now devIS bases its entire business on Open Source software. Gallagher says they use, "typically Linux on the servers, OpenBSD on the firewalls, the PostgreSQL database, JBoss or Zope application servers, and a whole range of [Open Source] intrusion detection and monitoring software, as well as CVS and other [Open Source] development tools."


Security - not entirely Open Source

On one test site devIS made, Gallagher says, "the Feds hired a company called AtStake to perform an independent penetration test, and they gave devIS an excellent bill of health."

But, Gallagher notes, "Our firewalls aren't all open source. We're also using some [proprietary] hardware and software leased through one of our partners."

He doesn't want to discuss security in detail. "I can't tell you everything," he says. "It would be a security risk."

Gallagher is aware of the ongoing arguments about security through obscurity vs opening security features for public inspection and bug fixing, but he tends to fall on the "obscurity" side of the coin. And personal beliefs aside, this is a touchy discussion area for a company like devIS that relies on U.S. government contracts for most of its income. "We deal with a lot of security issues with the federal government," Gallagher points out. "We file a lot of papers and plans and forms relating to meeting security guidelines. There's a whole industry out there built on documenting and monitoring your security plans."

Development process as intellectual property

Obviously, any competitor can use the same software as devIS. And devIS clients own the licenses for whatever devIS produces for them. The "secret sauce" here is the development process itself, which Gallagher is not sure he wants to reveal. "Hey," he laughs, "that's what keeps us in business. Anyone can do what we do. We have found ways to do it better. That's what makes us unique."

Some of the "secrets" are obvious, old-fashioned common sense, revealed in a presentation Gallagher gave at LinuxWorld in New York on January 23, 2003. In one of his slides, Gallagher displayed the standardized OSS-based "stack" devIS uses to build most of its Web applications:

- Utilize XML / Standards
- Site uses open source projects:
  - Apache+ (Web server)
- Middleware Servers
  - Zope / Python
  - JBoss / Java (Resin)
- XML Blaster - messaging server
- PostgreSQL (SQL Database)
- Linux / OpenBSD (firewalls)
- Analog (Web statistics)
- Intrusion detection/firewalls - numerous

Do the same thing over and over, and you're bound to get good at it. Use the same tools all the time, and you're bound to become proficient with them. This experience is valuable intellectual property, even if most (all?) of it resides in employees' heads.

This kind of intellectual property -- employee skill -- is protected best by treating employees well. Gallagher says devIS has never had a layoff, even during times when business was rough, and that he sponsors at least one retreat or shared vacation experience per year for all employees. He says devIS salaries are not especially high, but that workers there have "a great deal of freedom. And stability."


Pricing and sales methods

DevIS does not "Sell Open Source." It sells solutions and applications that meet specifications laid down by clients. Often, in the case of Federal sites and online database applications, those specs have to do with accessibility and security, but as long as they are met, Gallagher says, no one really needs to care about what's on the back end as long as whatever it is does the job and can be easily maintained after it is built. If the most cost-effective solution is Open Source, great. If not, Gallagher is not dogmatic. He points out repeatedly that Open Source and proprietary applications can coexist on a server and work together without any problems, and that if his clients require a proprietary application for a specific purpose, that's fine with him.

On one hand, the service pricing model to which devIS must adhere as a government contractor limits its profit margin to a maximum of 10%, but on the other hand, Gallagher says there is much less up-front risk selling services than there would be if devIS sold its custom applications as products.

The only flaw in this pricing and sales scheme is that many government procurement guidelines require COTS (Commercial Off-The-Shelf) software because, in theory, buying something someone else has already paid to develop is usually cheaper than having custom software written. Gallagher disputes the cost-effectiveness of COTS solutions for the large-scale, usually Web-based applications that are the bulk of devIS's work. He says that, more often than not, the cost of customizing preexisting commercial software exceeds devIS's development cost (using the company's standard "stack") for a custom application.

Gallagher says he is thinking about getting around the COTS limitation by "putting our whole 'stack' on CD so we can say it's COTS. And putting it on the GSA schedule [the government's 'master' product purchasing catalog database] for a dollar."

There is nothing to stop Gallagher from doing this, as long as he includes source code, since all of the base software on that CD would be Open Source.

We had to ask: "Are you hiring?"

Gallagher says, "We're always looking for people. We don't have anything major right now, but we expect to be looking for some new people soon. I guess that's a qualified yes."

Gallagher will never be Gates

A successful software service company like devIS, working on a limited profit margin, can't generate as high a return for its owners as a successful software product company. (Note that Microsoft earns as much as 85% margin on some of its products, while devIS is locked into 10% or less.) But as Gallagher notes more than once, the financial risk involved in building a service company is much less than that involved in building a product company.

Another factor, often pointed out by software industry pundits, is that service companies don't scale as well as product companies because there are fewer economies of scale for them to take advantage of as they grow. When you are doing custom work, whether it is programming or wood carving, the labor cost of producing the end result is about the same for a large company as it is for a small company. Indeed, the small company -- with less infrastructure to support and no outside stockholders -- may actually have an advantage.

Perhaps the ideal Open Source company is not a behemoth run by a ruthless, profit-driven executive, but is something like devIS, run by a Volvo-driving, former Peace Corps volunteer like Gallagher, who talks more about money he has saved taxpayers and how well the sites his company has made serve their intended constituencies than about the amount of money he has put in his (or investors') pockets.

The problem is, the big companies tend to get all the major press coverage while small, quiet (but profitable) companies like devIS get overlooked. Not that this matters a great deal to Gallagher. "I think we were in business for nine years before anyone wrote an article about us," he says. "And we're kind of invisible, because you can't 'sign' Web sites you make for the government the way you can put your company's name on ones you make for private businesses."

Even devIS's own Web site barely tells the company's story. "It's really time -- past time -- for us to redo our site," Gallagher says. "The only problem is, we're so busy doing work for clients that we never seem to find the time."
