Hacker News new | ask | show | jobs
by allendoerfer 4068 days ago
MVP stands for minimum viable product. It really is about focusing on the features users need the most. It is not about shipping crap. Eric Ries has stated just two weeks ago on HN [0], that this is a common misunderstanding.

Security is a non-functional requirement [1], not a feature. It is not something you can prioritize on or not. Fortunately getting the basics right on the application level is not that hard, there are already many useful tips in this thread.

[0]: https://news.ycombinator.com/item?id=9369642

[1]: http://en.wikipedia.org/wiki/Non-functional_requirement
1 comments
josephkern 4068 days ago
This is a really interesting argument, I had it in my head to disprove your thesis. But the more I thought about it the more I agree with you.

I feel somehow though that the line between functional and non-functional requirements are not as well defined when dealing with user data. There is an expectation (even if unrealistic) that the confidentiality, availability, and integrity of the user data will be preserved. Twitter though can serve as a counterpoint to part of this argument (availability).

Are there examples of a successful MVPs that dealt with user data and failed the confidentiality or integrity requirements?

link
allendoerfer 4068 days ago
>Are there examples of a successful MVPs that dealt with user data and failed the confidentiality or integrity requirements?

I think there are many examples of successful products that had and/or have security issues. Think of all those apps that transfered user data over insecure connections.

The problem with those non-functional requirements is, that they are not all equally important and their importance varies from product to product. They are often ill-defined and hard to fully formalize. Nevertheless I think there are obvious "industry standards" (Update your stuff, encrypt at least connections).

Programmers and managers are people and mistakes happen, but just ignoring security altogether is negligent and one should be held accountable in the case of damages. Stuff like Sonys ten year old Apache getting hacked simply must not happen.

The federal privacy laws in Germany are quite good in that area [0]. It is explained well how you have to handle other people's data:

  Where personal data are processed or used automatically, the internal
  organization of authorities or enterprises is to be arranged in such a 
  way that it meets the specific requirements of data protection. In
  particular, measures suited to the type of personal data or data 
  categories to be protected shall be taken,
    
  1.  to prevent unauthorized persons from gaining access to data 
  processing systems with which personal data are processed or used 
  (access control),
  
  2.  to prevent data processing systems from being used without 
  authorization (access control),
  
  3.  to ensure that persons entitled to use a data processing system 
  have access only to the data to which they have a right of access, and
  that personal data cannot be read, copied, modified or removed without
  authorization in the course of processing or use and after storage 
  (access control),
  
  4.  to ensure that personal data cannot be read, copied, modified or 
  removed without authorization during electronic transmission or 
  transport, and that it is possible to check and establish to which
  bodies the transfer of personal data by means of data transmission 
  facilities is envisaged (transmission control),

  5.  to ensure that it is possible to check and establish whether and by
  whom personal data have been input into data processing systems,
  modified or removed (input control),
  
  6.  to ensure that, in the case of commissioned processing of personal
  data, the data are processed strictly in accordance with the 
  instructions of the principal (job control),
  
  7.  to ensure that personal data are protected from accidental 
  destruction or loss (availability control),

  8.  to ensure that data collected for different purposes can be 
  processed separately.

  One measure in accordance with the second sentence Nos. 2 to 4 is in 
  particular the use of the latest encryption procedures.
Unfortunately I can not find the corresponding paragraph in the part where the punishments are listed. Of course, someone has to drag you to court anyway before anything happens and unfortunately:

  Such offenses shall be prosecuted only if a complaint is filed.
  Complaints may be filed by the data subject, the Federal Commissioner 
  for Data Protection and Freedom of Information and the supervisory 
  authority.
How is it handled in the US?

[0]: http://www.gesetze-im-internet.de/englisch_bdsg/englisch_bds...

link