Business-focused custom software

“I just want my users to log into my application before using it. Is it really that hard?” my customer asked, frustrated.

Short answer: Yes.

Long answer: It depends.

Look I sympathize. If you think I enjoy all this security stuff, you would be really wrong. Security related issues are NO FUN. No one likes security. Users hate it, so if people have security-related trouble, they think the application is horrible and the programmer is an idiot.

The reason why everyone is frustrated is obvious. Software security is intended to prevent unauthorized users from accessing the application. But users want to access the system. So right away the relationship between the end user and the application is in conflict. Not a good way to start things out.

And as I’ve mentioned before: nothing is simple. Let’s say you just want to restrict access to the system via a simple password, and that all your employees will have the same password.

Great! What happens when an employee is fired?

I guess we should change the password. But how do you notify everyone that the password has changed?

You could email it, but that isn’t very secure.

I guess you can call everyone and tell them. Then again, saying the password out loud isn’t very secure, either.

If your employees are in the office, you can put it on post-in notes on everyone’s computer. Uh, wait…

Perhaps it doesn’t matter. You might never fire an employee. Or perhaps users can’t change data in the application anyway.

But that’s why we have to ask a lot of questions, to weed through the details and make sure we completely understand your security needs. Questions like:

• How many users will you have?
• Will they all have access to doing the same things in the application?
• Will they all have access to the same records (customers, orders, etc.) in the application?
• Do the access needs of users change, due to changes in their jobs or other reasons?
• Are there laws that govern how you must deal with this information (like data privacy regulations)?
• What are the consequences if someone stole your database? Could you be sued? Would your business be destroyed?

These are only a smattering of the questions that come to mind when thinking about security.

I know it is a pain to answer all these questions. I know it is tiresome and no fun. Trust me. It is important. You’ll thank me later.