secure by design
I read an article “… interim cyber security strategy to tackle emerging cyber risks” earlier today anD was interested to read towards the end of the article the following comment:
While emerging technologies present significant opportunity, when the development, roll-out and management is not secure by design, the risks can quickly outweigh the benefits.
Whilst the comments are about the sea change we are undergoing as part of the battle against cybercrime and data protection, heighten by the forthcoming legislation – General Data Protection Rights (GDPR) – it also, perhaps reflects a fundamental change to the anarchic approach that agile software development has created.
At the beginning of my career as a software developer, methodologies were far stricter and used more traditional approaches to avoid costly mistakes. Software projects underwent rigorous user acceptance testing in safe environments before been released.
During the mid-nineties distributed applications started becoming the “norm”, accessed via a web browser. By the time I founded Ayrmer Software in 2002, nearly all bespoke projects I was involved in were developed as intranet / extranet applications, accessed via a web browser.
One of the key objectives behind Ayrmer Software was to provide small businesses with applications, previously only accessible to corporates with big budgets.
Approaching software development using a more lean, agile and dynamic approach enables small businesses to have applications built around their needs. We could chunk development up or down, depending on resources, enabling businesses to run with Minimum Viable Products (MVP) or solutions. In fact we developed one such application in 2012, before re-writing the application in 2016 using the lessons learnt from the prototype or MVP, with huge benefits that have enables us to create a flexible solution that learns from data gathered in the process.
However, small businesses’ have a fundamental lack of understanding of the challenges of developing a solution that is secure by design and remains so, as the solution evolves in line with the business requirements. The increased threat of data breaches and cybercrime pose a risk for small businesses, no less that the high profile corporations like Uber, TalkTalk or Equifax. One could almost questions whether Eric Raymond’s book - The Cathedral and the Bazaar – are viable any longer, although with the right control measures in place the open source movement is crucial to software development. But, people like to cherry pick what is perceived to be the beneficial elements and discard the less palatable. I’ve seen this happen time and time again over the last fifteen years, having to argue about something as simple as password security time and time again.
The biggest issue for me now, is that small business have come to expect software development on a shoe string, disregarding requirements capturing, specifications, prototyping, user acceptance testing, penetration testing and alike as they are seen as unnecessary and needlessly expensive. Without these safe guards how can software solutions be secure by design?
We are often asked to implement fundamental changes to software as part of on-going technical support and safe guards are side stepped in the process. It’s fine, until one day a small piece of code is implemented that has unintended consequence and then all the previous warnings are forgot and the finger of blame is pointed squarely at the software developers!
Having recently reviewed our entire business – in light of General Data Protection Rights (GDPR) – we have updated our terms and conditions to reflect the new legislation. A key consequence of GDPR is “privacy by design and by default” and the introduction of Data Protection Impact Assessments. No longer can you – as a business and the data controller – side step these issues, as you are responsible for ensuring “privacy by design and by default”.
This will inevitably result in increased cost of development and ownership of software solutions, but one would hope also increase security of our personal data, which cannot be a bad thing, in light of data breaches like Equifax.
childcare on-line booking
Find out more about how our clients have processed more than 250,000 bookings and generated more than three million pounds in revenue for our clients!
Our expertise lies in our ability to interpret your business requirements and provide a solution that meets your needs; find out how we achieve this level of understand. It's what makes us different ...
Find out about how we approach software development to ensure that the solution matches your business requirements.
Our philosophy is based upon the needs of your target audience and understanding their requirements that ensures we deliver an intuitive solutions that focuses on the User eXperience (UX), whilst developing lightweight, robust, secure on-line database applications.
Legal information required by the Companies House Act in the United Kingdom that include: place of registration, registered number, registered office address.