Did you ever stop to think that most apps and digital experiences can function without any security features at all? Nothing breaks when they are missing, which makes it frighteningly easy to underestimate security unless you make it a priority.
Even when security is top of mind, companies can be taken by surprise. Zoom's security features might have been sufficient for business users, but the company had to scramble to respond to security issues when schools and families suddenly started video conferencing in droves.
The reality is that, outside a few highly regulated industries, choosing the right amount of security is a judgment call, and most applications have flaws: three-quarters of applications have at least one, according to Veracode's State of Software Security v11. Managing security debt wisely is the key to building digital products and experiences that can scale faster.
Software application security is vital to delivering digital experiences that scale
Choosing the right amount of security for your app or digital experience is vital to scalability. Growth happens at different paces across different dimensions of scale and, as we saw during the pandemic, it isn't always predictable. More users on a platform means more governance features (roles, permissions, audit trails). Scaling to global markets means meeting new legal and regulatory requirements. And the bigger your brand or product grows, the greater the damage a single security incident can do.
Prioritizing security during application planning leads to better decisions on what to implement, what to defer, and when. Assessing the likelihood and impact of each risk helps builders decide how much security an application needs at each point in its lifecycle.
Putting off security features early in a build racks up security debt that will have to be paid as the app or product scales. Underestimating the time it takes to implement security after the fact can be a costly mistake: it slows scaling, jeopardizes reputation and costs more than doing it right from the start. HubSpot puts the cost at $6-$23 per line of code that needs to be rewritten.
Think about end users to identify future software security needs
Developers are often encouraged to get a minimally viable product to market fast. When security concerns are intentionally saved for later, it's still important to scope out those needs, so that you understand the security debt that will come due if the product succeeds and scales.
Security supply chain: If you build an app and others build on it, you are part of the security supply chain. How you manage security on your app or software affects everyone downstream of you, and the security of the apps and libraries you use to build your product (your own suppliers) affects you and them in turn. This works the same way as fair-trade or organic product labels: a failure by any one supplier means failure for every end product that depends on it.
This is where investing in security can be a differentiator. To serve enterprise customers, Contentful has to meet rigorous security requirements and show that we are a trusted part of the security supply chain. We chose to go beyond what many platforms offer and are now ISO 27001-compliant, a security designation that sets us apart.
Consumer concerns: Think about risk, financial impact and reputation. What security features are needed to protect the company against problems that would damage the brand? At a basic level you don't want your app to expose users to cyberattacks, to permit data breaches, or to let users deface the website or experience. Users expect a reasonable level of speed and uptime, and they want to know how you protect their privacy.
Future developers: Developing software without considering security brings unknown risks and incurs security debt that a future developer will have to deal with. Refactoring software to meet security requirements can tie up your most senior developers (this is not a junior-level task) for months, delaying work on new projects. According to the State of Software Security v11 (SOSS), applications with a "dodgy security history" are one of the biggest obstacles for developers, slowing the remediation of flaws by about two months each.
Four strategies to reduce security debt and future-proof your digital experiences
Including good security practices early in your software development process avoids costly refactoring, or a potentially catastrophic breach, later in the application's lifecycle. Application security is only one piece of overall risk and is easy to overlook, especially for less experienced builders.
Making security strategies part of how developers build new products creates more consistency and transparency around software security. Learn how Contentful built a security culture that standardizes the way we operate, improves the way we make security decisions and helps us stay ahead of evolving threats.
Shift left: Don't make security an afterthought; bring it in early. Shifting left means getting requirements right from the start instead of waiting to uncover problems later in the process. More time is spent in the planning stages to avoid redesign and delays later on. Just as a car's braking system is sized for the speed the car can reach, security needs depend on how the software will be used. Developers need to understand what the software will do, who will use it, what problems it will solve or needs it will address, and how it will scale.
Apply the right amount of security at the right time: To avoid spending too much or too little effort on security, decide what you need for the specific application or experience you're building. The level of security a product needs depends on its intended use and where it is in the product life cycle. A fitness app has different security needs than a banking app, and an MVP won't need the same level of security as the final product.
Keep track of security debt: Incurring security debt for an MVP can be a sound strategic decision, but it is critical to keep track of that debt. The State of Software Security v11 report found that the older a flaw was, the less likely it was to be fixed. Document each item of security debt and hold someone accountable for it; at Contentful, every business feature has a security owner. Knowing when a deferred flaw will pose an unacceptable risk, and what time and resources are required to fix it, avoids unexpected delays.
Consider replacing legacy systems: Digital moves fast. The tools that worked in the past can quickly become outdated and place your security supply chain at risk. "The data suggests that teams should consider rearchitecting their applications or retire legacy applications in favor of streamlined code," states the State of Software Security v11 report. It goes on to note that microservices and API integrations can have a positive effect on security.
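The "keep track of security debt" strategy above is easy to state and easy to let slide. The script below is an added example, not code from the article or from Contentful's own tooling, of the minimum a security-debt register needs in order to be actionable: every deferred flaw has an owner, a severity, an open date and, where risk was explicitly accepted, an expiry for that acceptance. Items are compared against a remediation SLA per severity and the overdue ones are grouped by owner, so that "the older a flaw, the less likely it is to be fixed" becomes a list someone is accountable for. The SLA figures, the severity names and the sample items are assumptions constructed for this example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Remediation SLA in days per severity. These numbers are an assumption for the
# example (not from the article or any standard); tune them to your risk appetite.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass(frozen=True)
class DebtItem:
    """One deliberately deferred security flaw, recorded when the decision is made."""
    item_id: str
    description: str
    severity: str            # one of SLA_DAYS.keys()
    owner: str               # the accountable person, never a team alias
    opened: date             # when the debt was incurred
    accepted_until: Optional[date] = None  # explicit risk-acceptance expiry, if any

    def __post_init__(self) -> None:
        if self.severity not in SLA_DAYS:
            raise ValueError(f"{self.item_id}: unknown severity {self.severity!r}")


def days_open(item: DebtItem, today: date) -> int:
    """Age of the item in days as of `today`."""
    return (today - item.opened).days


def status(item: DebtItem, today: date) -> str:
    """Classify an item as 'accepted', 'overdue' or 'within_sla'.

    A risk acceptance only counts while it is unexpired; once it lapses the item
    is judged on its age like any other, so an old acceptance cannot hide a flaw.
    """
    if item.accepted_until is not None and today <= item.accepted_until:
        return "accepted"
    if days_open(item, today) > SLA_DAYS[item.severity]:
        return "overdue"
    return "within_sla"


def overdue_by_owner(register: List[DebtItem], today: date) -> Dict[str, List[str]]:
    """Map each owner to their overdue item ids, oldest item first."""
    result: Dict[str, List[DebtItem]] = {}
    for item in register:
        if status(item, today) == "overdue":
            result.setdefault(item.owner, []).append(item)
    return {
        owner: [i.item_id for i in sorted(items, key=lambda i: i.opened)]
        for owner, items in result.items()
    }


def summarize(register: List[DebtItem], today: date) -> Dict[str, int]:
    """Count items per status; a quick health figure for a planning meeting."""
    counts = {"within_sla": 0, "accepted": 0, "overdue": 0}
    for item in register:
        counts[status(item, today)] += 1
    return counts


# Constructed sample register; the dates and names are invented for the example.
TODAY = date(2021, 6, 1)
SAMPLE_REGISTER = [
    DebtItem("SD-1", "Admin API lacks rate limiting", "critical", "alice", date(2021, 5, 20)),
    DebtItem("SD-2", "Session cookie missing SameSite", "high", "bob", date(2021, 5, 15)),
    DebtItem("SD-3", "Verbose error pages in staging", "medium", "alice", date(2021, 1, 10),
             accepted_until=date(2021, 7, 1)),
    DebtItem("SD-4", "Outdated image-processing library", "low", "carol", date(2020, 10, 1)),
    DebtItem("SD-5", "No audit log for content deletes", "medium", "bob", date(2021, 2, 15),
             accepted_until=date(2021, 5, 1)),  # acceptance has expired
]


if __name__ == "__main__":
    print("summary:", summarize(SAMPLE_REGISTER, TODAY))
    for owner, ids in sorted(overdue_by_owner(SAMPLE_REGISTER, TODAY).items()):
        print(f"{owner}: overdue {', '.join(ids)}")
```

Run it and SD-5 shows up as overdue even though it once carried a risk acceptance, because that acceptance expired on 1 May; an acceptance that never expires is just debt that has stopped being tracked. In practice the register lives next to the backlog (a label or custom field on the issue tracker works) and `overdue_by_owner` is what gets reviewed each sprint.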
Contentful is an API-first content platform that sits at the heart of the modern tech stack. Learn how our commitment to security helps digital teams go to market faster and scale confidently. By choosing trusted partners who take security seriously, you can transfer a number of risks along the security supply chain and ensure that your digital apps and experiences are ready to scale.