
Minimum Viable Secure Product

There exists a concept called ‘Minimum Viable Product’. The intent is to find the least amount you can do that will be sellable, and get that done as quickly as you can. The idea is to do what is needed, but not more, so that you can start gaining traction before others do. You later go back and fill in the areas that are not part of that absolute minimum. But what of security? Is there a Minimum Viable Secure Product?

Many would argue that constraints like ‘security’ get cut or ignored here (since the MVP tends to be feature-focused, value-focused). So, a few folks got together and defined what the “Minimum Viable Secure Product” would be.

They define a few categories: Business Controls, Application Design Controls, Application Implementation Controls, Operational Controls. I would spoil the content (check it out here), but a few specific areas warmed my heart:

  • Content Security Policy: Set a minimally permissive Content Security Policy
  • Single Sign On: Implement single sign-on using modern and industry standard protocols

One thing they missed… They suggest single sign-on (and you should read this as OpenID Connect), but they allow for password authentication. And here they miss multi-factor authentication as a requirement. So I’m conflicted. I think the Minimum Viable Secure Product should *not* allow local authentication at all (neither as a first nor as a second factor), relying solely on a shared identity provider. But, if they do allow it, it for sure should require a second factor. Hmm.

Want to know more about Content Security Policy? See my video.
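
To make "minimally permissive" concrete, here is an added example (not part of the original post or of the Minimum Viable Secure Product text) that audits a Content-Security-Policy header value for overly broad settings. The rule set, function names and sample policies are assumptions chosen for illustration.

```python
# Added example: flags Content-Security-Policy values that are broader than
# necessary. The rule set below is illustrative, not taken from MVSP.
BROAD = {"*", "'unsafe-inline'", "'unsafe-eval'", "data:", "http:", "https:"}
SCRIPT_DIRECTIVES = ("default-src", "script-src", "object-src")
NO_FALLBACK = ("base-uri", "frame-ancestors")  # these ignore default-src
PIN_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header):
    """Parse a CSP header value into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            # A repeated directive is ignored by browsers: the first one wins.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def audit_csp(header):
    """Return a list of findings; an empty list means no rule fired."""
    policy = parse_csp(header)
    findings = []
    if "default-src" not in policy:
        findings.append("default-src: missing, so unlisted fetch types are unrestricted")
    for name in NO_FALLBACK:
        if name not in policy:
            findings.append(f"{name}: missing, and it does not fall back to default-src")
    for name in SCRIPT_DIRECTIVES:
        sources = [s.lower() for s in policy.get(name, [])]
        # With a nonce or hash present, browsers ignore 'unsafe-inline'.
        pinned = any(s.startswith(PIN_PREFIXES) for s in sources)
        for src in sources:
            if src in BROAD and not (pinned and src == "'unsafe-inline'"):
                findings.append(f"{name}: {src} is broader than needed")
    return findings


# Constructed sample policies (not from any real site).
LOOSE = "default-src *; script-src 'self' 'unsafe-inline' 'unsafe-eval' https:"
TIGHT = ("default-src 'none'; script-src 'self' 'nonce-r4nd0m' 'unsafe-inline'; "
         "style-src 'self'; img-src 'self'; connect-src 'self'; "
         "base-uri 'none'; frame-ancestors 'none'; form-action 'self'")

if __name__ == "__main__":
    for label, header in (("loose", LOOSE), ("tight", TIGHT)):
        print(label, audit_csp(header) or "no findings")
```

The tight policy keeps `'unsafe-inline'` only as a fallback for older browsers; because a nonce is present, current browsers ignore it, so the audit does not flag it.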