Design

Today many new and great ideas come from problems and sitting around with friends, colleagues, or just shampooing your hair one day when it hits you! Bang, society needs this app or widget now, how do we make this? Typically, it will start with some early stage designs, components, and a platform for hosting. This will quickly result in a UI design and possibly an early web interface to get a feel for the concept. Your idea will be shared with friends, family, and other colleagues, and your first users will be registered before you know it. However, did you stop to think about how secure it might be?

When these ideas are born, which is a really exciting and in some cases overwhelming time, stopping to think about security and privacy is not the go-to. It never has been, nor do I believe we will change this developer mindset any time soon. However, we must accept that this will have dramatic impacts on the security and privacy of the data being collected, processed, and stored by the application. From an engineering perspective, we know that bolting on features will have a negative impact on our application, whether those are usability or security features.

Basically, we have gotten into a situation where the rush to market, appeasing investors, or getting customers means we do not think about the future of growth or operating as a business. The goal of the MVP is to get clients on the platform and generate the mighty MRR (Monthly Recurring Revenue). The MVP is good for this purpose but has many limitations that are not discussed, and the downstream implications are dramatic for these apps, which are now companies with larger clients asking about the security posture of their app and company. The company at this point hits the proverbial “cyber wall” and scrambles to scale its security fast.

The cyber wall is being experienced by more and more companies as the race to market drives all activities, but typically security and privacy are not invited to this dance. Unfortunately, many companies have been made to believe that SSO and SSL are security. Security (while not exciting) needs to be risk-based, not just a follow-the-crowd approach that works with many investment firms and end users. The mindset has become one of “once we sell this, it will be someone else’s problem”, and that someone is usually the end user whose data is being exploited. I have seen this more times than I care to, or than we need to, experience.

How do we turn the corner on this and get started on the right path? Here are some of the aspects that need to be considered, or the questions you need to ask yourself or your team, at the early stages of development. This is based on the countless companies we have had the fortune to work with and help over the years. It represents the basic pattern of thinking and approaches used by many early stage companies.

1. What data will be collected, processed, and stored?
2. What regulatory requirements apply to this sector, to the application, and to the data we identified as being collected?
3. Will you be using 3rd party software components? If so, where do they come from and how can we validate they have not been tampered with or modified?
4. How do we ensure our code base is not tampered with?
5. How will we threat model our solution? And validate our assumptions?
6. How can we test our solution to ensure our threat model was validated by unit testing or other test approaches?
7. What base policies do we need to ensure that all the above have been addressed?

Yeah, that is a lot, but I want to discuss these in a series over the next few months. If you are not aware, many governments globally are moving to a secure-by-design approach and this will have an impact on all industry sectors creating software in some form. As usual, I will be using known standards that will help you with all of these. You do not have to reinvent the wheel; the know-how is there, you just need to learn how to leverage it.

If you are not thinking secure-by-design, start doing that today. I hope that this series will be a helpful start for thinking in this way and also for planning your new cool app and company before it launches.

The encryption debate is in full swing as we once again face the real challenge of governments wanting access to all of our data, on all devices, in real time, including the ability to monitor all communications for signs of a threat to citizens and the nation.

From a policy perspective, we as consumers and citizens need to better understand the risks and exposures we might face. First of all, we are not talking about lawful access, where a warrant is used to monitor the activities of a specific user or target of interest. We are talking about the open, blatant use of techniques that allow for the wholesale capture and recording of all of your data transmissions.

Governments are asking that tech companies add a capability that will allow them to gain unfettered access to these servers to capture data at will and share or process this data with unknown parties, without having to notify the end user. Psst, some companies have already been doing this for years and just not telling you. This started in the 70s, using an obscure ruling as precedent, and now all companies collect data as the “owner” of the data. It is buried in pure legal speak in the EULA that you clicked on to get access to their service.

Think about that for a second: would you like the government to monitor all of your banking transactions? What about the sexting with your spouse or significant other, or your company files stored on personal cloud storage services? Could this be used against you? Could you be charged or arrested? These are the big unknowns of such broad data collection, and history has proven that data collection schemes have been used for nefarious reasons when needed by governments of questionable intentions.

We need to ask for openness on the intention of the data capture, who is impacted, what it means for service providers, and who the data is being shared with. A policy framework should require that all proposed encryption schemes being recommended be peer evaluated to ensure that the design does not lend itself to backdoors, data collection, or metadata deciphering.

I would advise all citizens and business owners to learn more about this topic and get engaged in the discussion. These laws will change your life whether you realize it or not.

We need to voice our concern before it is too late; in some jurisdictions it already might be. I also want the lying to stop and agencies to just come clean on the topic. Just be truthful with Canadians about the data collection and when and where it is happening, so we can make informed decisions about whether or not to use the technology.

Here are some links worth checking out:

  1. Government recommendations for security and privacy – What is the government of CA really asking for?
  2. Keys under door mats – What top crypto experts think of the issues at hand and the potential risks
  3. “I have nothing to hide” – Good insight into personal privacy in the digital age

Please reach out to your MP or MPP and ask them what their stance is on the topic and what they are prepared to do to protect your privacy.