App Development Companies are Emphasizing Security in Their AMC Contracts | Puneet Miglani (Founder, Candor)
In this SaaSTrana podcast session, Puneet Miglani (Founder – Candor Technology) discusses how app development companies emphasize security in their AMC contracts with Venky.
Candor’s Journey - Digital Marketing to IT Solutions
Can you tell us a little bit about Candor?
We started in 2011 in Dubai as a digital marketing and development agency. And since then, we have come a long way. We are data-driven, and we use information to guide our customers in communicating their products and services to their customers in an effective way.
When we first started, our customers and business partners were instrumental in our growth into the IT solutions and services company we are today. And today we provide a much wider range of services. We started 11 years ago. Our focus has been to grow organically, an ethos we continue to follow today.
And we recently opened our operations in Canada, and we look forward to growing there in an organic way.
How did you decide to emphasize application security, particularly vulnerability assessment and integration testing, a key aspect of your offering?
I will walk you through the journey of 11 years to know how we’ve evolved. So, during the first few years, our focus was on providing excellent service, which is important to our customers, building a strong internal team who are knowledgeable individuals, and industry partners, which are very important for any growing business.
Our customers’ expectations are very high. And as they have evolved, so have we, and the offerings we provide as well. Because of our customers’ confidence in all these solutions we have delivered over the last few years, it keeps increasing.
I still remember when we started; we did websites, mobile applications, and e-commerce portals. Today we do far more than those. So, at the end of the day, we pivoted, as our clients requested, and there we won a few key projects, which has helped us evolve.
So, to put things into perspective, the first three or four years were more on the development side, where clients wanted us to do development work. And then, eventually, we started seeing AMC contracts come in better. It was also about ensuring that the projects were maintained correctly.
And then, as the importance of security increased, the VAPT aspect also started getting added to our AMC products. So today, we are a fully-fledged IT services and solutions firm that caters to a broad range of customers, from startups to SMEs to enterprise-level customers.
So it has been quite an enjoyable journey for us during those 11 years of our growth.
Did you proactively identify the opportunity to offer application security, or did customer demand inspire you to make it a part of your business model?
Well, I would say it’s a combination of both.
As I said initially, we were doing design and development, mobile applications, and e-commerce portals.
And as the industry has been evolving and vulnerabilities are coming up, teams understand its importance. Most likely, most clients were initially unaware of the importance of security. And then we have been pushing this thing.
While we have multiple solutions out there, you have open-source solutions. Open source is cheap, easy, and quick to deploy. However, it comes with its share of vulnerabilities that we need to address. At that time, from our side, we said, “Hey, this is an opportunity; VAPT is something that we need to add as part of our offering.”
So eventually, it grew and became a combination of both. Customers today understand the importance of security. And it has become a very important layer in anything we start rolling out. So, it’s not only design and development; security too plays a very important role.
Customers are maintaining security to ensure that vulnerabilities are not there. But there is no guarantee that you will not be attacked. How you protect your business and move on from that is what we need to work towards. The market is surely maturing to that, and it’s becoming much easier for us to give this value to our customers.
Risk Mitigation and Building Resiliency
We can never have a zero-risk offering. Focusing on risk mitigation and building the capacity to handle future risks is more valuable. Right?
Absolutely. And I think that is what our focus has been. That’s where we are now looking at how WAF solutions can be added to the implementations. Our responsibility is not only to be the development team but also end-to-end.
We look at it briefly: your end goal, how you get there, and what role security will play in it. I think that’s the journey that we are on now.
What are some early results of incorporating security into your overall end-to-end offering for digital development, specifically web and mobile development?
When we went back to our customers and said,
“Hey, you need to focus on vulnerabilities in your current applications.”
Most of them were oblivious to the fact that they were so secure. They were confident that their applications were very secure.
I said, “Okay, can we do a run test?”
And some of the results were shocking. And then, they understood that having the SSL certificate no longer cut it. So, much more must be done on the application and database levels.
From that point in time, from having a little knowledge, customers now progressively look at how security needs to be built in.
I still remember, I think, a couple of weeks ago, I had a meeting for a new project. We had a separate meeting for design, a separate meeting for development, and a separate meeting purely from a security play standpoint.
So that was refreshing. And as I said, yes. So now we’re getting there, so the board is being pushed from a security point of view, and the clients are serious about it. That is also very important.
Expertise Required in an AppSec Partner
What are the specific areas of expertise you seek in an AppSec partner regarding security and application security?
- VAPT is a very technical field, and it’s not that anyone can start doing it. It’s a specialized field, and a lot of experience is required in it. And obviously, we look at industry leaders who are doing that.
- From a product point of view, the product quality, functionality, and expertise of the team behind the product are very important to us.
- You also need to look at customer support. When something goes wrong, is there someone to help me? Because we’re talking about vulnerabilities. If my client’s business is affected by a security breach, how will my product team help me out here?
- The development lifecycle of the product is also very important, as security is not a standing thing; it’s a moving goalpost.
- The cost of the product is also important, as no business can say, okay, here’s a $1,000,000 cheque, and you go and implement security for us. As I said, we’d cater to startups and SMEs and enterprise-level, so it has to cater to all of them.
These would be the key variables that I would look at as a business to see whom I partner with to bring on board and make this an offering to our customers.
What would you advise youngsters in web application development/design?
I would say follow the KISS policy. That’s what I do.
Keep It Simple, Stupid, and then expand from there.
Earlier, we are an industry that is constantly evolving. There is change every day, every other day. You cannot master everything in one day. But when you follow the KISS policy, you can learn something new every other day and keep learning and advancing. And then, one needs to adapt to the circumstances and how things are pivoting around them.
Sometimes, even slowing down is also very important. Looking at the tide too closely does not help at times. Take a step back and constantly readjust.
Have a positive attitude.
It’s always going to be a long way ahead and enjoy.
Yeah, it is simple, indeed. And the complex thing is trying to keep it simple!