If you’re a startup trying to get a product off the ground, you’ve probably been told to build an “MVP” – a minimum viable product – as promoted by the Lean Startup methodology. This translates into products being rapidly developed with the least number of features necessary to make an initial sale or two. Oftentimes, security is not one of the features that makes it into the product, and then it gets quickly forgotten about down the road.
It’s time we change this broken model. It shouldn’t be an “MVP” – it should be an “MVSP” – a minimum viable SECURE product. In fact, let’s start that trend right now. Any time you hear “MVP” used in relation to product development, please correct the speaker to say “MVSP” and then, if necessary, explain why that’s the case.
Along these same lines, we also need to embed in our culture and vernacular the fact that “nothing is secure by default unless you have explicitly made it secure by default.” This statement applies to products, passwords, configurations, etc. We seem to be stuck in this grand cyclical rut wherein everything new that’s developed goes back to square zero on security, which is not only tragic, it’s really quite painfully stupid after 2+ decades of online development.
- Every time you hear “MVP” (relative to product development), correct the person to say “MVSP” and then explain why security must be a core feature.
- Nothing is “secure by default” unless you have explicitly made it secure by default.
- It’s everyone’s shared responsibility to ensure products are reasonably secure, from concept to 1.0 and beyond.