Edition e1.0.0, updated October 9, 2023

There isn’t a tool or product on earth that meets every customer’s needs the first time, so you are likely to be iterating quickly to get to the ideal product-market fit. The things we don’t get around to doing on the way, we call technical debt.
As you iterate, your product will grow and become more complex. There will be compromises made and technology decisions that seemed like a good idea at the time.
This can introduce the following security challenges:
Software vulnerabilities. As we have discussed in previous sections, every piece of software and technology can have security flaws and vulnerabilities. The more technologies we use or build, the more chances there are that these flaws will impact the confidentiality, integrity, and availability of our systems.
Architectural and design flaws. The more complex our systems are, the harder it is for us to keep their complexity in our heads. It can become literally too hard to understand, assess, and protect. Finding ways to examine your architecture and designs will be key to managing this risk. There are some amazing books and resources on this subject but you can’t go wrong by starting with Threat Modeling: Designing for Security by Adam Shostack.
Process issues. It’s easy to think that, when you are a product company, the system you develop is the extent of your risk. Sadly, it’s not that simple. Remember that the code we write is only part of the overall system. Our complete system includes all of the non-technical elements as well: every human, and every other tool and system, involved in getting it to work, and the interactions between them. The more complex the process flow and the higher the number of moving parts, the more likely it is that security issues will develop somewhere within it. Document your complete end-to-end processes and systems, and look into techniques such as threat modeling to systematically identify risks and potential security issues.
When you started selling to customers close by, it was likely fairly simple, operationally. You understood the operating environment, the people, the laws, and the culture.
If you are a company that has expanded outside of your immediate local area, this certainty about your operating context will fade. The further you get from home, the harder this gets, and some of the risks introduced will be far from anything in your normal world.
This can introduce the following security challenges: