Business software handles sensitive information — customer details, financial records, employee data, commercially confidential documents. Security and compliance are not optional extras bolted on at the end; they shape authentication design, data storage, logging, and how changes are authorised. Small Pea Software embeds appropriate controls into the systems we build for organisations operating under Australian regulatory and contractual expectations.
Security as a Design Requirement
Effective security starts with understanding what you are protecting and from whom. An internal staff scheduling tool faces different threats than a client portal storing personal health information. We assess confidentiality, integrity, and availability requirements early and implement controls proportionate to risk — neither negligent gaps nor impractical over-engineering.
Common baseline measures include encrypted transport (HTTPS), hashed password storage, session timeout policies, role-based access control, input validation, protection against cross-site scripting and injection attacks, and regular dependency updates. Additional layers — multi-factor authentication, IP restrictions, encryption at rest, detailed audit logging — apply when your context demands them.
Compliance Considerations
- Privacy Act and APPs — handling personal information with collection notices, access controls, retention limits, and breach response readiness.
- Industry obligations — sector-specific rules affecting how data is stored, accessed, and shared with third parties.
- Contractual requirements — client or partner agreements mandating particular security standards or audit rights.
- Internal policy — your own data classification, acceptable use, and approval workflows reflected in system behaviour.
Security Challenges in Custom Software
Access creep occurs when temporary permissions become permanent and former staff retain logins. We design administration tools that make permission review straightforward and support deactivation workflows tied to HR processes. Audit trails record privileged actions so investigations do not depend on memory.
Third-party components introduce supply chain risk. We monitor dependencies for known vulnerabilities, apply patches through controlled release processes, and minimise the number of external libraries to what is genuinely necessary. Custom code receives review focused on authentication boundaries, authorisation checks, and safe handling of user-supplied input.