Minimum Viable Products: A Cybersecurity risk?
A minimum viable product (MVP) is a software development approach in which new software is developed with just enough features to satisfy new users. The final and complete set of features is only implemented after considering feedback from the product's early adopters. Releasing MVPs is a useful strategy, especially for early-stage organizations that have limited resources. The number of MVPs on the market, as well as the number of companies utilizing them, is increasing strongly. Since the companies building this software are technology businesses, it is often assumed that information security has been built in. Unfortunately, this is far from true. Most resources are invested in functionality, as this is key to attracting users initially. Usually, cyber security aspects are postponed as long as possible, due to limited resources.
No matter how well tested the code is, it is inevitable that MVPs will have bugs and vulnerabilities. Studies show that software averages 17 bugs per 1000 lines of code. Cyber attackers are of course well aware of this fact and are constantly hunting for flawed software. Why? Because many of these companies are partners of large-scale organizations, and their software thus gives attackers a simple way to get past those organizations' advanced security measures and infiltrate them. Even the smallest bug leaves room for attackers to exploit the software.
In the cyber world, serious vulnerabilities that are unknown to the software maker are referred to as "zero-days". The term comes from the fact that developers have "zero days" from the time the weakness is discovered to protect against a potential cyber breach. In some cases, the actual attack itself is the only sign that the security problem exists. These vulnerabilities occur not only in MVPs, but in more developed software as well.
The trend of exploiting these vulnerabilities is increasing strongly and can be read about in the news on a daily basis. Not only is it lucrative for cybercriminals to exploit the weaknesses themselves, there are even markets on the dark web for buying and selling information on "zero-day" vulnerabilities. This is therefore becoming a major business risk for organizations, as even very advanced firewalls and antivirus applications often cannot protect them in this regard.