“Minimum Viable” MUST Include Security

If you’re a startup trying to get a product off the ground, you’ve probably been told to build an “MVP” – a minimum viable product – as promoted by the Lean Startup methodology. In practice this translates into products being rapidly developed with the fewest features necessary to make an initial sale or two. Oftentimes, security is not one of the features that makes it into the product, and once it has been left out it is quickly forgotten down the road.

It’s time we change this broken model. It shouldn’t be an “MVP” – it should be an “MVSP” – a minimum viable SECURE product. In fact, let’s start that trend right now. Any time you hear “MVP” in the context of product development, correct the speaker to say “MVSP” and then, if necessary, explain why that’s the case.

Along these same lines, we also need to embed in our culture and vernacular the fact that “nothing is secure by default unless you have explicitly made it secure by default.” This statement applies to products, passwords, configurations, etc. We seem to be stuck in a grand cyclical rut wherein everything new that’s developed goes back to square one on security, which is not only tragic, it’s quite painfully stupid after 2+ decades of online development.

Key takeaways:

  1. Every time you hear “MVP” (in the context of product development), correct the person to say “MVSP” and then explain why security must be a core feature.
  2. Nothing is “secure by default” unless you have explicitly made it secure by default.
  3. It’s everyone’s shared responsibility to ensure products are reasonably secure, from concept to 1.0 and beyond.

By Ben Tomhave | January 18th, 2017 | Blog

About the Author:

Ben Tomhave is a security architect with New Context, a lean security firm. He holds a Master of Science in Engineering Management from The George Washington University and is a CISSP. He has previously held positions with Gartner, AOL, Wells Fargo, ICSA Labs, LockPath, and Ernst & Young. He is former co-chair of the American Bar Association Information Security Committee, a senior member of ISSA, former board member at large for the Society of Information Risk Analysts, and former board member for the OWASP NoVA chapter. He is a published author and an experienced public speaker, including speaking engagements with the RSA Conference, MISTI, ISSA, Secure360, RVAsec and RMISC, as well as Gartner events.