Building For a More Secure Future: How Developers Can Prioritize Cybersecurity

By Jeremy Butteriss, EGM Ecosystem and Partnerships, Xero

An iconic moment in the rise of ecosystems was Steve Ballmer on stage saying ‘developers, developers, developers’ at the 1999 Microsoft .NET presentation. At the time, he was breaking new ground, repeating those words to help convince his teams on how crucial developers were going to be to the success of their platform. And then of course in 2008, Steve Jobs launched the iPhone and the App Store – a point in time that arguably changed the world and led to a massive rise of new developers. Both of those moments signaled the arrival of tech platforms, and solidified the important role a burgeoning developer industry would have in making them a success.

Today, it’s hard to imagine a world without developers, and the platforms and ecosystems they operate in. While the focus may have been initially on enterprise B2B platforms with Microsoft, and then B2C with the Apple App Store, platforms have become much more ubiquitous and broad in their scope. Vertical platforms in industries such as hospitality, construction and ecommerce; horizontal platforms in areas such as financial services and CRM; and even platforms for platforms. These have become business operating systems of sorts for their customers. They create a massive amount of opportunity for developers, by reducing barriers to entry and providing access to large pools of customers. In turn, developers enable these platforms to offer a broad array of complementary services, increase average revenue per user (ARPU) and drive more customer retention.

The rise of digitalization

Cloud platforms and ecosystems are part of an increasingly connected globe driven by the proliferation of technology. Many countries and governments are recognizing this and are accelerating the digitalization of their economies as quickly as possible. This shift means more opportunities for platforms and developers alike, especially as new markets open up. However, it also means greater demands stemming from increased regulation, competition and cybersecurity risks.

As part of this digitalization shift, more and more business and transaction data is moving online, exposing the data to a greater risk of cybersecurity-related issues – especially as malicious actors are getting more sophisticated and using AI. Smaller organizations are especially vulnerable and often don’t have the resources or expertise to invest in and maintain their own cybersecurity. Developers are recognizing this too: a recent survey published by small business cloud-accounting platform, Xero, shows more than half (56%) said data privacy and security are top of mind, and that 15% reported having faced cybersecurity challenges in the 12 months prior.  As cybersecurity incidents rise, it’s clear more developers are focused on data security and protecting customer data appropriately.

Government and financial institutions are responding by introducing new regulatory and policy requirements that help protect consumers and businesses. Additionally, platforms themselves are also setting their own policies on key topics like responsible data use and API security standards. These policies set the expectation of how the platforms will operate internally and externally, and by extension any third-parties that they connect with – including developers.

For those looking to take advantage of the digitalization wave, navigating the additional cybersecurity, regulatory and platform requirements can be burdensome – especially for those looking to scale quickly. While cloud platforms are applying some of their own standards and policies, they also carry the distinct advantage of scale and resources. They can not only invest in security and keep up with regulatory changes, but can also provide additional paths to market and access to technology at a lower cost and with greater reliability. Developers seeking to build solutions that help businesses run their operations and handle their financial information can leverage the scalable and secure environments that platforms provide. Regulatory standards and cybersecurity features can be developed into apps and solutions from the ground up, providing assurance to end-users.

Building to enable building.

For some smaller developers the combination of both internal and external standards can be an extra burden and a barrier to entry. Whether it be a platform policy decision to migrate an ecosystem from OAuth 1.0 to OAuth 2.0, or increasing regulatory requirements for multi-factor authentication (MFA), the increased compliance workload pulls valuable time away from building a product. Increasingly, platforms have recognized this burden and are investing in building out-of-the-box tools required to reduce the load. Underpinning this is extensive documentation, education and support for developers who need help or are interested in taking a deeper dive.

An example is the large range of identity tools for user access and credentials that make signing-up and signing-into apps easier for customers, like Single-Sign On using Xero, Okta or Google. Developers can leverage existing customer details within the security of the platform as part of their onboarding and login flow. Additionally, some platforms have already established complementary MFA tools as part of their login flow. This is especially useful for developers wanting to add additional security protocols for their product, or those operating or wanting to operate in countries like Australia where MFA is mandatory for digital service providers. Research from Verizon shows that MFA can prevent up to 80% of data breaches making it one of the most effective methods to protect customer data, especially if their credentials are compromised.

Point-of-sale and payments platforms like Square, Stripe and Shopify all offer secure and easily integrated checkout and payments solutions so developers don’t need to build their own. This helps avoid the increased compliance, risk and security burdens that come with directly managing payments – a highly regulated global industry.

Platforms also constantly monitor the operation and security of their APIs with dedicated teams and tools. Issues or unusual behavior, such as  sudden spikes in request volumes or webhooks errors, can be immediately flagged for investigation, enabling the platforms to move quickly in response and notify developers. Where there may be a product or feature slowness or outage, this also helps both parties manage the customer experience for end-users with status updates or a quick resolution.
Reducing burden and barriers to entry for developers encourages innovation and experimentation in a platform. With developers being supported by cybersecurity features at the platform level, their time is freed up to focus on doing what they do best – solving problems and innovating. This ultimately benefits end-user customers who can use the platform and choose associated integrations with greater confidence.

Time to focus on the basics

Developers and end-users both benefit from the work that cloud platforms do in cybersecurity. By prioritizing identifying and working with platforms that provide a secure environment, developers are prioritizing the safety of the data of both parties. They’re also freeing up resources to spend on building out their products and solutions, enabling time to be spent on developing features that customers want.

But even with platforms taking a lot of the security burden off of developers, it’s not permission to be idle when creating solutions. There are many other basic security practices and processes that should underpin the work developers and platforms do, to build additional layers of security when creating apps and integrations:

• Encryption – employing encryption across systems and databases may sound obvious, but its additional base-level protection of data complements what platforms offer. AWS, Azure, or Google Cloud Platform provide in-built encryption tools and mechanisms that are often an easy way to apply encryption safely. However, applying encryption isn’t always a simple process. At Xero, we see developers constantly juggling all of the considerations including which algorithms to use and generating and securing unique keys.
• Vulnerability management using industry accepted guidance for secure code development, such as OWASP Top 10, and ensuring secure communication between an app and authorization servers using HTTPS or similar secure protocol to prevent unauthorized access and eavesdropping.
• Constant vigilance around security and encryption. The landscape is constantly changing, with new standards and tools available, to counter emerging threats. Integrating with platforms helps manage this, but it’s not a ‘one and done’ solution. Security monitoring practices, breach reporting provided by platforms helps to detect and manage threats before it’s too late. Backing this up with appropriate audit logging at both application level and event-based actions can make it easy to identify and track unusual activity quickly.
• Data hosting and third-party risk assessments. We’ve seen multiple times over recent years that even when doing everything correctly, data can still be compromised through other tools or platforms that you integrate with. Developers are having to consider a large number of variables when making these decisions, including country, legal, contractual, access, sovereignty and counterparty risks. Ideally, client data is not hosted in high risk areas, where it could be seized, compromised or made unavailable for access.

Security and opportunity

Small businesses are a significant and often underestimated driver of the global economy and are one of the most at-risk when it comes to cybersecurity. The digitalization of this sector presents a major opportunity for platforms and developers to provide solutions that help small businesses thrive in a secure way. Taking advantage of the security investment, resources and scale of platforms, like Xero, means that as this digital transition occurs, developers can focus on creating the apps and integrations that make it as smooth as possible. Consumer and business data privacy and security are a top priority when handling the information of this major but vulnerable part of the global economy. To deliver on this requires constant effort from all parties, including developers, cybersecurity and IT professionals, end-users, and the platforms they use.

All in all, living in an innovation-driven world is quite exciting – however, as the old tale goes, with great power comes more responsibility. Whether it be for business or consumer use cases, app developers and cybersecurity professionals need to operate on synergistic levels to uphold the safest options for clients.

About the Author

Jeremy Butteriss and I am the Executive General Manager of Ecosystem and Partnerships at small business accounting platform, Xero. I’m responsible for improving Xero’s platform via enhancing US partnerships, integrating software and helping customers and partners discover new solutions.

Jeremy can be found on LinkedIn:

https://www.linkedin.com/in/jbutteriss/?originalSubdomain=ca.