How to talk to your developer about security

Illustration of woman on a video call with a question speech bubble

How to talk to your developer about security

Illustration of woman on a video call with a question speech bubble

How to talk to your developer about security

Illustration of woman on a video call with a question speech bubble

Maintaining clear communication around web security is key to keeping your business and customer data safe. Let’s explore some guidelines for fostering an open, communicative relationship with your developer around security.

It's a shared responsibility

Web security is a shared responsibility between you, as the client, and your developers. While it might be tempting to think of security as "somebody else's problem," particularly when you've outsourced IT or development work, the truth is that you play a crucial role.

You're typically the Data Controller, meaning you're responsible for ensuring the safety of your business and customer data. Developers, acting as Data Processors, follow your instructions on handling this data.

Don't feel intimidated

If you're not a technical expert, discussing security may seem daunting. However, remember that your developer is there to help bridge the gap. It's their job to explain things in a way you can understand and to ensure you feel confident about the security measures in place. Ask questions, seek clarification, and lean on their expertise to guide you through the process.

Key areas to discuss

Security responsibilities

Clarify what security measures your development team is responsible for and what you'll manage. Ensure both parties understand their roles and responsibilities to avoid gaps in security.

Common threats

Discuss potential security threats like SQL injections, cross-site scripting, and insecure authentication. Ensure your developer is prepared to address these vulnerabilities. Ask how they’ve handled similar risks in previous projects.

Regular updates and patching

Ensure your developer is committed to regularly updating software and applying security patches. Check the end-of-life dates for software versions to ensure ongoing support.

Supply chain risks

Talk about how your developer manages risks associated with any third-party providers or subcontractors. A compromised supplier can become a vulnerability.

Security certifications

Ask if your developer has security certifications like Cyber Essentials or Cyber Essentials Plus. These demonstrate a commitment to following best practices.

Illustration of male revichecking compliance of clod software. There is a giant password protected cloud next to them
Illustration of male revichecking compliance of clod software. There is a giant password protected cloud next to them
Illustration of male revichecking compliance of clod software. There is a giant password protected cloud next to them

Example questions to ask

What are the top security risks for my specific website or application?

What are the top security risks for my specific website or application?

What are the top security risks for my specific website or application?

Do you have any security certifications like Cyber Essentials or Cyber Essentials Plus?

Do you have any security certifications like Cyber Essentials or Cyber Essentials Plus?

Do you have any security certifications like Cyber Essentials or Cyber Essentials Plus?

How can I get an overview of my website infrastructure and code?

How can I get an overview of my website infrastructure and code?

How can I get an overview of my website infrastructure and code?

What dependencies does my website or application have, and when is its End of Life?

What dependencies does my website or application have, and when is its End of Life?

What dependencies does my website or application have, and when is its End of Life?

Do we have a data processing agreement in place?

Do we have a data processing agreement in place?

Do we have a data processing agreement in place?

What is the plan for responding to a security incident or data breach?

What is the plan for responding to a security incident or data breach?

What is the plan for responding to a security incident or data breach?

How do you mitigate risks from your own suppliers or supply chain?

How do you mitigate risks from your own suppliers or supply chain?

How do you mitigate risks from your own suppliers or supply chain?

Put it in writing

While verbal agreements with your developer can help clarify expectations, it's crucial to back them up with a formal contract. A written agreement ensures that both parties have a clear understanding of their roles and responsibilities, especially when it comes to security measures. This contract should outline specific security protocols, timelines for updates, and procedures for handling potential breaches.

Having everything in writing not only provides legal protection but also helps prevent misunderstandings down the line. It serves as a reliable reference point for both you and your developer, ensuring that your business's security needs are consistently met.

In conclusion

By fostering open conversations and robust agreements about security with your developer, you position yourself to better understand and mitigate risks. Taking a proactive approach, rather than pointing fingers, ensures that your systems remain secure and your data protected. As the Scouts say, always be prepared!

Yellow background with wavy top

Articles, tips and knowledge delivered straight to your inbox

Yellow background with wavy top

Articles, tips and knowledge delivered straight to your inbox

Yellow background with wavy top

Articles, tips and knowledge delivered straight to your inbox