It’s a nightmare for any company. A data leak. Since last year, European companies have to adhere to strict rules on handling data leaks. Of course, once you have a data leak it is already too late. So what do companies have to do to improve the security of their applications?
Security is not a feature
I have stated this important fact before, but it is paramount to understanding the problem. Security is not something that can be added to a project later on. It is not a feature. It has to be built in from day one. Developers have to work with security in mind all the time, because security is not a an application layer or a module. Security has to be part of all layers and modules of an application.
The cost of security
If developers have to take security into account with everything they do, this mean they have to take time doing so. And that results in the old adage that time is money applying to adding security to your software project. It is simply time consuming, and therefore takes more money to build a secure system than to built an insecure system. It’s not that developers will intentionally build an insecure system, it’s just that it’s very easy to oversee small mistakes, which can lead to big security risks.
What’s more, software applications have to be kept up to date as new attacks are devised every day. Open source software used in projects may need to be updated to a new version to prevent attackers from exploiting a vulnerability that has been solved in a newer version. However, with newer versions and fixed for vulnerabilities, often changes need to be made to the application that uses the open source software. It’s usually not just a simple case of updating to the latest version. There can be incompatibilities between versions that need to be resolved.
All of this costs time, even after the project has been delivered. It costs time that does not result in new features, allowing users to be more productive. Which means that these costs are often seen as ill-spent.
When security becomes important …
… it is already too late. When something goes wrong, slapping on some extra security is almost impossible. And even if it were, the damage has already been done. And the costs of data breaches can be a lot higher than the costs of keeping applications and systems up-to-date with the latest security updates.
If your company is going to implement a standard application, have custom-built software developed on top of a standard application or have an application custom-built from scratch, make sure to take into account the costs for security. Ask the developers about the security measures they are taking during development. Even if no new features will need to be added, maintenance will always be required to make sure a secure application stays secure in the long run.
It’s vital that companies realize that security doesn’t have a one-time solution. It requires constant vigilance.