A New Year and a new online security scandal – this time involving purveyors of customised greetings cards and irritating advertising jingles, Moonpig.com. Well, I say “new online security scandal” – apparently this one has been around since August 2013 and involves an insecure API which allows just about anyone to post orders on behalf of just about anyone else, gather customer data, write their own irritating jingles…
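The flaw described above is the classic shape of broken object-level authorization: the API authenticates the caller and then trusts whatever account identifier the client puts in the request. The following is an added illustration, not Moonpig's code or data and not a reconstruction of their API; the customer records, session tokens, handler names and log format are all constructed here. It shows the vulnerable read and write handlers beside the corrected ones, and a small log check that flags the footprint enumeration leaves behind.

```python
"""Broken object-level authorization: an API that trusts a client-supplied
customer id, beside the corrected version that binds the id to the
authenticated session.  Constructed example; not Moonpig's code or data."""
from collections import defaultdict

# --- constructed sample state (hypothetical names and values) ---------------
CUSTOMERS = {
    101: {"name": "Alice Example", "address": "1 Sample Street"},
    102: {"name": "Bob Example", "address": "2 Sample Street"},
}
ORDERS = defaultdict(list)                      # customer id -> list of orders
SESSIONS = {"tok-alice": 101, "tok-bob": 102}   # bearer token -> customer id


class Unauthorized(Exception):
    """No valid session token was presented."""


class Forbidden(Exception):
    """The caller is authenticated but may not act on this object."""


def authenticate(request):
    """Resolve the bearer token to a customer id; reject unknown tokens."""
    try:
        return SESSIONS[request["token"]]
    except KeyError:
        raise Unauthorized("invalid or missing session token")


# --- vulnerable pattern ------------------------------------------------------
def get_customer_insecure(request):
    """Authenticates the caller, then reads whichever customer_id the client
    supplied: every logged-in user can read every customer record."""
    authenticate(request)
    return CUSTOMERS[request["customer_id"]]


def place_order_insecure(request):
    """Same defect on a write: the order is filed under a client-chosen id,
    i.e. against someone else's account.  Returns the id it was filed under."""
    authenticate(request)
    target = request["customer_id"]
    ORDERS[target].append({"item": request["item"]})
    return target


# --- hardened pattern --------------------------------------------------------
def get_customer_secure(request):
    """Object-level check: the requested id must be the session owner's."""
    caller = authenticate(request)
    if request["customer_id"] != caller:
        raise Forbidden("customer_id does not belong to the caller")
    return CUSTOMERS[caller]


def place_order_secure(request):
    """Do not take the account id from the client at all; derive it from the
    session, so a tampered customer_id field is simply ignored."""
    caller = authenticate(request)
    ORDERS[caller].append({"item": request["item"]})
    return caller


def outcome(handler, request):
    """Run a handler and reduce the result to a label for comparison."""
    try:
        handler(request)
        return "allowed"
    except Forbidden:
        return "forbidden"
    except Unauthorized:
        return "unauthorized"


# --- detection: enumeration leaves a footprint in access logs ---------------
SAMPLE_LOG = [                     # constructed access-log lines
    "token=tok-alice customer_id=101",
    "token=tok-bob customer_id=101",
    "token=tok-bob customer_id=102",
    "token=tok-bob customer_id=103",
    "token=tok-bob customer_id=104",
]


def tokens_touching_many_customers(log_lines, threshold=3):
    """Return the session tokens that accessed more than `threshold` distinct
    customer ids.  One session reading many accounts is the signal that the
    authorization check above is missing or being probed."""
    seen = defaultdict(set)
    for line in log_lines:
        fields = dict(part.split("=", 1) for part in line.split())
        seen[fields["token"]].add(fields["customer_id"])
    return sorted(tok for tok, ids in seen.items() if len(ids) > threshold)


if __name__ == "__main__":
    bob_reads_alice = {"token": "tok-bob", "customer_id": 101}
    print("insecure:", outcome(get_customer_insecure, bob_reads_alice))
    print("secure:  ", outcome(get_customer_secure, bob_reads_alice))
    print("flagged: ", tokens_touching_many_customers(SAMPLE_LOG))
```

The fix in `place_order_secure` is the stronger of the two: rather than comparing a client-supplied id against the session, it never reads the id from the client, which removes the field an attacker would tamper with. The log check is deliberately crude (a threshold on distinct ids per token); in practice it would run over real access logs with the threshold tuned to normal per-session behaviour.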

Roundly described by those who know as “amateur hour” activity, it’s got me thinking about how widespread these kinds of flaws might be in reasonably-sized internet businesses. There are two forces to look at…

The first is the concept of the Minimum Viable Product, or MVP. MVP is a confection from the cult that is Lean Startup, a methodology for running a tech startup business that seems to have become gospel in many circles. MVP says don’t focus on thinking about what your product should be, just get it out there as quickly as you possibly can, and iterate it frequently. The key is that it should be the minimum viable working product that ships every time.

In MVP world, where does good security fit? In the time-boxed world of Lean Startup, does putting good levels of security in place rate as highly as delivering a piece of user functionality? Of course it should, but in the hard light of half past one in the morning, racing to hit another deadline to keep investors onside, will invisible stuff like good security fall by the wayside?

And if it does, when will it ever get fixed? That then brings us on to the concept of technical debt. The longer you leave it, the worse “stuff that we’ll fix later” gets. The more expensive it becomes to fix. The harder it becomes to fix. The bigger the elephant in the room… And the more likely it will take some massive cock-up for anything to happen, by which time it will be either cure or kill. Let’s be frank, Microsoft went through the very same cycle 13 years ago resulting in their “Trustworthy Computing” initiative.

The cost barriers to entry for building massively-scaled internet services these days are lower than ever. And because the costs are low the knowledge barriers are lower too – if you’re not having to invest big cash up front, you’re less likely to bring in serious expertise to mitigate risks on that investment. Knowledge of things like how to build secure systems might not even be in the vocabulary of the people who are able to build, and are building, the systems. And if the topics aren’t known about, let alone the knowledge to implement them, businesses may go a long way down the road before wake-up calls like the one Moonpig are having come to light.

One thought on “Technical debt, MVPs and an irritating jingle”
