secure by design

I read an article interim cyber security strategy to tackle emerging cyber risks earlier today anD was interested to read towards the end of the article the following comment:

open quoteWhile emerging technologies present significant opportunity, when the development, roll-out and management is not secure by design, the risks can quickly outweigh the benefits.close quote

Whilst the comments are about the sea change we are undergoing as part of the battle against cyber crime and data protection, heighten by the forthcoming legislation General Data Protection Rights (GDPR) it also, perhaps reflects a fundamental change to the anarchic approach that agile software development has created.

At the beginning of my career as a software developer, methodologies were far stricter and used more traditional approaches to avoid costly mistakes. Software projects underwent rigorous user acceptance testing in safe environments before been released.

During the mid-nineties distributed applications started becoming the norm, accessed via a web browser. By the time I founded Ayrmer Software in 2002, nearly all bespoke projects I was involved in were developed as intranet / extranet applications, accessed via a web browser.

One of the key objectives behind Ayrmer Software was to provide small businesses with applications, previously only accessible to corporates with big budgets.

Approaching software development using a more lean, agile and dynamic approach enables small businesses to have applications built around their needs. We could chunk development up or down, depending on resources, enabling businesses to run with Minimum Viable Products (MVP) or solutions. In fact we developed one such application in 2012, before re-writing the application in 2016 using the lessons learnt from the prototype or MVP, with huge benefits that have enables us to create a flexible solution that learns from data gathered in the process.

However, small businesses have a fundamental lack of understanding of the challenges of developing a solution that is secure by design and remains so, as the solution evolves in line with the business requirements. The increased threat of data breaches and cyber crime pose a risk for small businesses, no less that the high profile corporations like Uber, Talk Talk or Equifax. One could almost questions whether Eric Raymonds book - The Cathedral and the Bazaar are viable any longer, although with the right control measures in place the open source movement is crucial to software development. But, people like to cherry pick what is perceived to be the beneficial elements and discard the less palatable. I've seen this happen time and time again over the last fifteen years, having to argue about something as simple as password security time and time again.

The biggest issue for me now, is that small business have come to expect software development on a shoe string, disregarding requirements capturing, specifications, prototyping, user acceptance testing, penetration testing and alike as they are seen as unnecessary and needlessly expensive. Without these safe guards how can software solutions be secure by design?

We are often asked to implement fundamental changes to software as part of on-going technical support and safe guards are side stepped in the process. It's fine, until one day a small piece of code is implemented that has unintended consequence and then all the previous warnings are forgot and the finger of blame is pointed squarely at the software developers!

Having recently reviewed our entire business in light of General Data Protection Rights (GDPR) we have updated our terms and conditions to reflect the new legislation. A key consequence of GDPR is privacy by design and by default and the introduction of Data Protection Impact Assessments. No longer can you as a business and the data controller side step these issues, as you are responsible for ensuring privacy by design and by default.

This will inevitably result in increased cost of development and ownership of software solutions, but one would hope also increase security of our personal data, which cannot be a bad thing, in light of data breaches like Equifax.

Date: 04/12/2017


If you like to get in touch, please telephone our offices on +44 (0) 1364 582017 or complete our on-line form and we'll get back to you as soon as possible.


Stay in touch with what we're up to at Ayrmer Software by following us on one of our social media feeds: we'd be delighted to welcome you as a follower on twitter, become friends on facebook or add us to your circle on Google+. You'll also find us on Linkedin, of course.


Ayrmer Software have been perfect for our needs as an after school and holiday club. The technical support team is always on hand to guide us through any issues we've had and to teach us how to get the most out of the system. Nothing is too much trou...

Caroline Varda Owner
Allsports Kids

Read more ...