FP Complete

Modern server-side software faces numerous security challenges from countless directions. Unfortunately, it often takes just one chink in the armor to infiltrate an otherwise secure system, potentially creating massive damage. At FP Complete, we believe security must be an integral part of all activities around software: requirements, project planning, architecture, development, quality assurance, deployment, and operations. We’ve worked with dozens of companies to help them strengthen their server and cloud based systems. To help you understand some of the surprising directions that security problems – and solutions – can come from, here are some key recommendations. While you take security seriously, you cannot afford to dedicate all your best staff to reinventing the wheel. But you also can’t wait to act until after a security breach happens. We’re here to help your team, working remotely to add our capacity and expertise to your own. For help planning and implementing some cost-effective, timely improvements to your security in all these areas, or just to discuss what may be possible and get some feedback from our technical team, please contact us. We’ve discovered many surprising, high-impact places where security can be added to – or missing from – an information system. Every one of these is actionable, and you don’t have to wait for a grand plan to start making measurable impacts.

Requirements

Security is a broad, encompassing term. One person on a team may think of security as “make sure only licensed individuals are able to use our software.” Another may think “ensure no user can read another user’s data.” And a third may interpret it as “don’t let users upload viruses that will infect our servers.” These are all valid security concerns, along with ensuring only authorized users access machines, preventing common web exploits in software, preventing social engineering attacks, and many more. During the requirements phase of a project, it is vital to consider as many of the security requirements as possible, and to ensure the team leads are all in sync on them. This list of security requirements should be reviewed regularly as needs change, products develop, and new threats come to light. Implementation teams will generally omit or short-cut work items that are not part of the spec, and half-done security is like locking one door while leaving the other wide open. We recommend gathering best-practice lists of security requirements and incorporating them into your project specs, typically in the test plans and acceptance criteria. Working with dozens of companies’ project teams, we’ve been able to learn some trends and patterns. We’ve seen that a large portion of project success is determined by the thoughtfulness of the up-front discussions. If team members aren’t aligned on the security goals and requirements, sort this out up front – not after new technology has been chosen and implemented.

Project planning

When planning a project, most teams know to estimate and schedule time for basic feature development. Well-planned teams will also include budget for debugging, quality assurance, documentation, and project management. However, security is often missing. Many assume it is part and parcel of other activities: after all, developers should be coding with security in mind, and the quality team should be exploring potential security vulnerabilities. A typical IT project should plan to spend 5 to 15 percent of its total budget on issues relating to security. If your plans look much skimpier than this, it’s time to strengthen them. Don’t let security remain undone in the interest of a faster (but totally unsafe) outcome. Skilled and experienced software and quality engineers will often plan for security without being asked. But there are three things to keep in mind:
