Security is Everyone's Business - Richard Seidl

Written by Richard Seidl | Jun 7, 2023 10:00:00 PM

“But security is a knock-out criterion for the acceptance of digital services that handle sensitive data. And as long as this is treated in a half-hearted way, it won’t work.” - Richard Seidl

I’m currently on flight UAL181 from Frankfurt to Denver to take part in a retreat. And once again I realize how important safety and security are. On my entire route from the hotel via the parking garage, on to check-in and the security check, then to passport and customs control, onto the plane and then all the way back again: everywhere I go, I am recorded, scanned, tracked, managed, passed on and transported using software. That is fine, but I want to be sure that nothing happens to me AND that my data is secure. The airline industry has been in business for a long time. The processes are clear and have been tightened up as a result of various incidents. My trust in safety here ranges from high to very high.

I’m certainly not a safety or security expert, but in my private life I try to use 2FA/MFA, use different passwords, encrypt my data and so on. But I am also someone who sees software and technology as THE tool with which we can build a beautiful future worth living. I want to have all my medical, medication and patient data on a card, on my smartphone or in the cloud. I want to be able to identify myself digitally, not have to carry keys around with me and be able to do all my official business digitally.
BUT: it has to be secure. And when I look at the history of the health card, the 90s-style online forms from national and local authorities, and all the different offline payment options that sometimes work and sometimes don’t, I don’t have much confidence in security. My personal zero trust, so to speak.

Security is a KO criterion

However, security is a knock-out criterion for the acceptance of digital services that handle sensitive data. And as long as this is treated in a half-hearted way, it won’t work.
Well, the ball is in the stakeholders’ court. We need requirements for this! And security tests! But what else can we do?

I think it’s the same here as with software quality in general: there needs to be a basic understanding of security across all project participants. We don’t have to become top security experts in the projects, but a certain amount of knowledge about it is helpful throughout the entire development process.
Relevant literature on IT and software security is a good place to start. So are training courses and certifications such as the A4Q Security Essentials certification, which is aimed at all project participants.

In any case, it is important that security knowledge does not remain insular. Everyone in the project can think about security, whether testers, developers, project managers or requesters. Then the acceptance and trust of the users will follow as well. Probably not tomorrow or the day after tomorrow. But perhaps in a few months’ time.