Ronan and his team recently developed a new solution. This solution went through the pilot phase and now needs to be deployed for large companies. But large companies' expectations are usually higher than those of startups’. So to make it through, let’s see what high expectations entail and how to achieve them.
Today I’m going to answer a question from Ronan, the Product Director of a growing startup in the transport industry. His question is...
Before answering this question, let’s add a bit of context.Ronan and his team recently developed a new solution. This solution went through the pilot phase and now needs to be deployed for large companies. But large companies' expectations are usually higher than those of startups’.So to make it through, let’s see what high expectations entail and how to achieve them.
Reaching high standard means providing the reliability and the security required to protect your customers’ interests.There are literally hundreds of certifications, and you will not need all of them, of course. The good news is that by applying “best practices,” you will become compliant with most of them. But that is going to require some work, for sure.This channel is not called “My CISO Friend” because I’m not a Chief Information Security Officer (CISO). But I can definitely give you a few principles that are worth following, and that will help you live up to large companies’ expectations.
One of the best-known rules is to give every individual access to their own data, with the ability to modify it or delete it. This came up recently with the GDPR (General Data Protection Regulation).
The software quality will always depend on software testing. So having a test process before pushing software in production is a requirement.Theses days, we talk a lot about continuous deployment and continuous integration, which consists of deploying new features of your app after performing automatic tests.That’s great, and I highly recommend this principle. But they are not required to reach a high-quality standard.What is a requirement is to have a well-defined process.
Behind that quality assurance process, there are several recommendations to consider.
Most of the security issues are usually because of bad account management. So when an employee leaves your organization, you should have a script that removes all access they might have.
Another rule is to log everything. Whenever an intrusion has been performed by a hacker, the first thing to do is to analyze what happened, then fix the vulnerabilities, and correct the eventual impact of the intrusion.None of these are possible without logs. If you don’t know what logs are, they’re just simple text files where a new line is added for every request, every change, every connection or event that took place in a software or a server.
Let’s talk about backups now.I recently came across a startup that had to perform a backup restoration. Unfortunately, they realized that the backups were erased every time they loaded a new version. It still worked as a backup for said version; but if you need to restore a previous file and it was deleted two days ago, this type of backups are useless. So, double-check that your backups are stored on a second hosting provider and with multiple versions.
This next one is the most obvious but is still the most important.External connections to your infrastructure should only come from secure connections with multiple authentication layers.
Another good practice after controlling authorized access to your server will be to search for unauthorised access and test your app’s behavior in high trafic. These types of tests are very important and lead the team to improve their development methodologies.
Talking about security brings me to development best practices. Young developers are often the ones responsible for security breaches.To help your team develop a better app, they need to study the OWASP project at owasp.org that will enable them to better understand software security and develop more secure apps.
Once you’ve done everything possible to secure your application, the last thing to do is to put in place a WAF.A web application firewall is like an anti-virus. It will analyze every connection to your app and detect suspicious behavior. If someone tries to send unusual code or log in hundreds of times in a single minute, the WAF will deny any similar connections for a certain amount of time. That will dramatically increase your solution‘s security.
Finally, after building a secure software and infrastructure, setting up backups, etc., you will need a clear procedure to restore your app in the event something happens.If the data center where your infrastructure is runs out of electricity, or if there’s an earthquake or something similar—data centers do their best, but life is unpredictable.That’s why I recommend you to have a backup in a second hosting provider. This way, you can rebuild your entire infrastructure with updated data in the quickest way possible.Here’s where the disaster recovery plan comes to play: it’s THE entire procedure to rebuild everything from scratch, restoring the last application and available synced data.
Now that we’ve covered the main principles to reach a high standard, make sure you look out for the next video where I will go deeper into the process of building the DRP so you can better secure and sell your solution to bigger companies.In the meantime, if like Ronan, you have a specific question for your project, just go ahead and post them on myctofriend.co/ask.I will do my best to answer your question in a video or redirect you to any existing content that will answer it.Also, be sure to go through our other content here at myctofriend.co to learn more from real startup growth experiences and better manage your startup development.I’ll be waiting for your questions, and I look forward to seeing you in other videos.
