How Can Application Security and Scrum Live Happily Ever After?
Author: Erik-Jan Davids; Editor: Isaac Simon
Application Security and the MVP
As IT experts operating in the cloud, we help organizations solve business problems with technology. Over the years, our industry has successfully adopted many problem solving techniques, many inspired by other industries. One such technique which is gaining popularity is to develop what’s called a Minimum Viable Product (MVP). An MVP is a product with just enough features to satisfy early customers, that can continuously improve based on customer feedback.
This approach is highly advantageous because it allows developers to deliver products quickly with minimal upfront investment and reduced financial risk. Like any methodology, however, the MVP way is not without its challenges. One such problem is cyber security, or application security (AppSec).
Start with Security
While cyber security is becoming more of a hot button issue due to large scale hacks, in IT projects AppSec is often still an afterthought. There is a large portion of developers and companies that tend to focus on solving short term problems, without immediately considering what new problems the solution may introduce.
In traditional, larger-scale companies, an in-house IT organization builds fences around the facilities in which they host their products and data. While not ideal, in traditional projects there has always been time to catch up on AppSec before projects can be released to production. In the development of MVPs, the timeline to a first production release can be as short as four to eight weeks.
Now that it has become so easy for businesses to quickly roll out new applications in the cloud, with Mobiquity and other companies eschewing steamy server rooms for cloud services such as Amazon’s, it’s more important than ever to consider cyber security from the start of development.
Minimum Viable Security for Your MVP
Security is an unfair game. Companies have to do everything right, while an attacker only needs to find one weakness to exploit. Of course, the risk of an actual breach or hack will depend on things like the value of your assets, the attacker’s motivation, and how much work has been put into security measures.
Think about it this way. When you park your bike in Amsterdam, you know there’s a high risk of it being stolen. You can probably delay the inevitable with expensive locks and cosmetic changes to the bike to make it look worse. If your attacker is motivated enough, though, then your bike will still get stolen. With cyber security, the mindset is more or less the same. It’s almost impossible to defend yourself completely, so if you are running a business, you have to think about the most valuable assets, and start security measures there.
In developing our MVPs, we only develop a small number of features at a time, and we deploy to production fast. Security controls unfortunately do not scale linearly with a number of features in the application, and a larger upfront investment is often required.
When deploying to production fast, businesses have to understand the potential increased risks in security. We work hard to help them quantify this so they can make the best and most informed business decisions. Understanding the risks and implications of providing tech services and giving customers the knowledge, structure, and tools to be safe while going fast is a priority for us.
In our mission to continuously adapt and improve, we collect feedback to make our products better, and analyze risk to strengthen our security controls. New features, increased application use, and evolving threats can heighten the security risks and drive the need for more or better controls.
It is important to manage the expectations of each client and ensure that security is part of their business plans.
Application Security as a Commodity
There are simply not enough AppSec experts around to give personal attention to every single IT development project. This is why at Mobiquity we push to get the information out to everyone working in the organization.
We set ourselves the challenge of understanding the risks and implications of providing tech services and helping customers make the best and most timely decisions. Developers have to adapt to many customer environments, so we develop standardization and reuse practices; accumulated knowledge can then be used again. This leads to fewer mistakes along the way, and increases in efficiency.
Cyber security is something the entire team should feel responsibility for, and it must be an integrated part of refining, prioritizing, and delivering the product backlog. Some engineers on staff even go on the offense with security, thinking like potential attackers. This helps teams make decisions about which threats to mitigate.
Based on project experience, Mobiquity provides tailored guidance for its engineers, so teams become more self-supporting and experts are available when and where they are most needed.
Erik-Jan Davids, Mobiquity’s data protection officer and quality management lead, has been interested in technology and computing since early in his career. Before joining Mobiquity, he worked for a variety of tech and telecom companies, from big firms like TomTom to small-scale tech companies where colleagues tinkered in close quarters.
With a background in computer engineering and IT, Erik-Jan followed his tech passions in many different directions.
Contact info: here
(We hope you enjoyed reading this, and don’t forget to follow us if you’d like to read more interesting stories.
If you are looking for a Software Security Engineer job opportunity in the IT industry, come to join us at Mobiquity:)