Why an MVP approach will never result in Secure-By-Design Products
Today many new and great ideas come from problems and siting around with friends, colleagues, or just shampooing your hair one day when it hits you! Bang, society needs this app or widget now, how do we make this? Typically, it will start with some early stage designs, components, and platform for hosting. This will quickly result in a UI design and possibly early web interface to get a feel of this concept. Your idea will be shared with friends, family, and other colleagues and your first users will be registered before you known it. However, did you stop to think about how secure it might be?
When these ideas are born, which is really exciting and overwhelming time in some cases, the time to stop and think about security and privacy is not the go to. It never has, nor do I believe we will change this any time soon from a mindset for developers. However, we much accept then it will have dramatic impacts to security and privacy aspects of the data being collected, processed, and stored for this application. From an engineering perspective, we know that bolting on features will have a negative impact to our application wither those are usability or security features.
Basically, we have gotten into this situation where the rush to market, appeasing investors, or getting customers means we do not think about the future for growth or operating as a business. The goal of the MVP is to get clients on the platform and generate the mighty MRR (Monthly Recurring Revenue). This MVP is good for this purpose but had many limitations that are not discussed and the down stream implications are dramatic for these apps which are now companies and have larger clients asking about the security posture of their app and company. The company at this point hits the proverbial “cyber wall” and scrambles to scale it fast.
The Cyber Wall, is being experienced by more and more companies as the race to market drives all activities but typically security and privacy are not invited to this dance. Unfortunately, many companies have being made to believe that SSO and SSL are security. Security (while not exciting) needs to be risked based not just a follow the crowd approach that works with many investment firms and end users. The mindset has become one of “once we sell this” it will be someone else’s problem and that is usually the end users data being exploited. I have seen this more times that I care or that we need to experience.
How do we turn the corner on this and get started right on the right path? Here are some of the aspects that need to considered or the questions you need to ask your self or your team at the early stages of development. This is based on the countless companies we have had the fortune to work with and help over the years. It represents the basic pattern of thinking and approaches used by many early stage companies.
1. What data will be collected, processed, and stored?
2. What regulatory requirements are required for this sector for the application and for the data we identified as being collected?
3. Will you be using 3rd party software components? If so, where do they come from and how can we validate they have not been tampered or modified?
4. How do we ensure our code base is tampered with?
5. How will we threat model our solution? And validate our assumptions?
6. How can we test our solution to ensure our threat model was validated by unit testing or other test approaches?
7. What base policies do we need to ensure that all the above have been addressed?
Yeah, that is lots but I want to discuss these in a series over the next few months. If you are not aware many governments globally are moving to a system of secure-by-design approach and this will have an impacts to all industry sectors creating software in some form. As usual, I will be using known standards that will help you in all of these. You do not have reinvent the wheel the know how is there you just need to learn how to leverage it.
If your not thinking secure-by-design start doing that today. I hope that this series will be a helpful start for think in this way and also for planning your new cool app and company before it launches.