Article: Don't fall into the MVP trap!

Isaac's article on building security into the software development lifecycle was published in August at Software Magazine. My key point is that the market demands of software development encourage leaving security to the end for a variety of reasons:

• Many companies want to validate a market before investing in product security, so the “minimum viable product” (MVP) approach might leave it out.
• The risk of getting attacked is lower at the beginning of a product’s lifecycle, so companies can validate a product by getting market traction even if it has vulnerabilities.
• Ultimately, it comes down to a false assumption that your “minimum viable product” will not attract serious attackers, but this presumes that you do not get traction or media attention, which is a lose-lose proposition—either your MVP is a failure, and so security doesn’t matter, or your MVP is a success and you will get attacked.