SOFTWARE is big business. Just look at the meteoric rises of Google, Facebook, Uber, Amazon and countless others. In Singapore, the software business is prominent, but still in its infancy. Despite this, entrepreneurs should consider and invest in a global strategy. After all, the Smart Nation initiative will soon bring software, IoT, cybersecurity and electronic payments to the forefront of the national economy.
Beyond our shores, the competition is intense. Software development cycles are often compressed, with companies pushing to roll out solutions to address market opportunities. In the software arena, companies such as Alipay have tens of thousands of developers pushing out software updates frequently. Tencent, another Chinese giant, is the world's largest game developer and sends out fixes and security patches daily.
Singaporean software companies struggle to compete, in terms of manpower, with countries such as China. However, for Singapore SMEs venturing overseas, a clear understanding of the competition and the challenges they will face is essential, and the preparation put in place before expansion will determine the success of the company.
Implementing software development best practices results in applications with integrity: applications that balance function, ease of use, reliability and economy. Quality in design means more than stuffing functionality or features into software; it ensures the integrity, or fitness, of each function. Well-written software is better protected from vulnerabilities and hazards. Ultimately, a software company's reputation depends on the fitness of its software. In other words, good software reflects well on the company and, ultimately, on the country.
Singaporean software businesses need to be nimble and stay a step ahead of the challenge. While there may be constraints on manpower, pre-planning and best practices can help them rise above the challenges. Whether the product is a game, an IoT device, enterprise software or a mobile application, the approach to building secure, quality-driven software is the same:
Always start with a strong plan. A good beginning is half the battle. During the planning stage, work with all stakeholders to determine the application's characteristics (for example, that a banking app should allow wire transfers). The characteristics should cater to functional and commercial needs, as well as regulatory compliance. If users demand security, as they do for a financial or transactional application, ensure that the security requirements are testable, unambiguous, measurable, complete and consistent.
Statistically, 50 per cent of the software defects that cause security or other problems are introduced during the design phase. Make good high-level design choices, and use simulations and modelling, to address any possible vulnerabilities. Ask developers questions such as: who will use the app? How will they use it? What will be the inputs to and outputs from the app?
The design needs to cater to the exact needs of the users regarding usability and security. You may hear two acronyms: UX (user experience) and UI (user interface). The app should be easy to learn and use (a good UI), and the overall experience should be productive and pleasant (a good UX).
Next, developers need to complete the application according to the established specifications, and should use secure coding guideline checklists to check off each actionable item. Businesses can conduct automated code reviews with static application security testing to verify whether security mistakes have been made, much as the spellchecker in writing software red-flags spelling errors.
While it is good practice to design quality and security into every step of software development, software is still written by humans and there will inevitably be bugs. When the team has completed the app, test it internally to detect any residual bugs and vulnerabilities. Use industry tried-and-tested techniques, such as penetration testing (or "pen testing").
Since most apps are not isolated offline apps but connected ones that talk to servers and other computers over WiFi or 3G/LTE, test the pathways to and from the app to ensure that it works as intended and has no vulnerabilities or failures when communicating with remote systems (such as the cloud, social networks or other users' devices).
After what could be months or years of software development, the launch date arrives. Some companies release their apps as "beta" software, so that there is a perceived buffer between having users test the app and give constructive feedback, and launching it to the market. Depending on the market segment, critical apps such as those for financial services will face more scrutiny than those designed for entertainment.
As an additional measure, businesses can commission a "red team assessment" of their apps. A red team is an external, unbiased expert team that can help identify potential points of failure and vulnerabilities that internal teams may have missed. Red team tests can also show how real-world adversaries might attack an app and its ecosystem, so that a business can address the issues before launching the application.
While the competitive landscape may be fearsome, Singaporean software businesses can compete effectively, as long as they go the extra mile to ensure their software conforms to software development best practices. Be nimble, look global. In due course, we will see the birth of many billion-dollar software giants on our own shores.
- The writer is managing director, Software Integrity Group, Asia Pacific, Synopsys