Security & Compliance

Business software handles sensitive information — customer details, financial records, employee data, commercially confidential documents. Security and compliance are not optional extras bolted on at the end; they shape authentication design, data storage, logging, and how changes are authorised. Small Pea Software embeds appropriate controls into the systems we build for organisations operating under Australian regulatory and contractual expectations.

Security as a Design Requirement

Effective security starts with understanding what you are protecting and from whom. An internal staff scheduling tool faces different threats than a client portal storing personal health information. We assess confidentiality, integrity, and availability requirements early and implement controls proportionate to risk — neither negligent gaps nor impractical over-engineering.

Common baseline measures include encrypted transport (HTTPS), hashed password storage, session timeout policies, role-based access control, input validation, protection against cross-site scripting and injection attacks, and regular dependency updates. Additional layers — multi-factor authentication, IP restrictions, encryption at rest, detailed audit logging — apply when your context demands them.

Compliance Considerations

  • Privacy Act and APPs — handling personal information with collection notices, access controls, retention limits, and breach response readiness.
  • Industry obligations — sector-specific rules affecting how data is stored, accessed, and shared with third parties.
  • Contractual requirements — client or partner agreements mandating particular security standards or audit rights.
  • Internal policy — your own data classification, acceptable use, and approval workflows reflected in system behaviour.

Security Challenges in Custom Software

Access creep occurs when temporary permissions become permanent and former staff retain logins. We design administration tools that make permission review straightforward and support deactivation workflows tied to HR processes. Audit trails record privileged actions so investigations do not depend on memory.

Third-party components introduce supply chain risk. We monitor dependencies for known vulnerabilities, apply patches through controlled release processes, and minimise the number of external libraries to what is genuinely necessary. Custom code receives review focused on authentication boundaries, authorisation checks, and safe handling of user-supplied input.

Our Approach to Secure Delivery

Security requirements are captured during discovery alongside functional requirements — not discovered as blockers during pre-launch review. We document who may access each function, what data each role sees, and how sensitive fields are protected at rest and in transit.

Testing includes negative cases: attempts to access records without permission, manipulation of hidden form fields, expired session behaviour, and API calls without valid credentials. Automated scans supplement manual review but do not replace thoughtful analysis of business logic flaws — the places generic tools often miss.

We prepare operational guidance for your team: password policy recommendations, administrator responsibilities, log review expectations, and incident escalation contacts. Technology alone does not secure systems; people and processes complete the picture.

Security architecture with access control and audit logging

Practical Advice: Know Your Data Classification

Before discussing security controls, list the types of data your system will hold and classify each by sensitivity. Public marketing content, internal operational metrics, and personally identifiable information do not warrant identical treatment. That classification drives encryption decisions, backup access restrictions, and whether multi-factor authentication is mandatory for certain roles. Clarity here prevents both under-protection and wasted effort.

When to Prioritise a Security Review

Prioritise formal review when launching externally accessible portals, when integrating with payment or identity systems, when handling health or financial data, or when a client contract specifies security attestations. Reviews also make sense before major releases that expand data scope or add new user populations with different trust levels.

Small Pea Software integrates security work into our standard delivery rather than treating it as a separate product. For existing applications, we can assess current posture, identify gaps against your stated requirements, and implement remediation in prioritised phases — addressing critical exposure first while planning structural improvements.

Compliance documentation and secure data handling practices
Controls and documentation aligned with your operational and regulatory context.

Periodic access reviews keep permissions aligned with current roles — especially after reorganisations, contractor engagements, or departures. We build administration screens that show who holds elevated access, when accounts were last used, and which permissions exceed a role template. Your HR or IT team receives exportable lists to reconcile against authoritative staff records, closing the gap between what the org chart says and what the application allows.

Audit log retention is agreed against your compliance and investigative needs, not arbitrary defaults. Logs capture authentication events, permission changes, sensitive record access, and administrative actions with timestamps and actor identity. Retention periods, immutability expectations, and export format for external review are documented so legal or regulatory requests can be met without scrambling to recover deleted history.

When security incidents occur, coordination with your IT team matters as much as the technical response. Small Pea Software defines contact paths, severity tiers, and information-sharing expectations before go-live — who receives initial notification, what log extracts are available, and how containment decisions balance service continuity against evidence preservation. That preparation reduces confusion during the hours when clarity is most valuable.

Discuss Security and Compliance for Your Project

Share the data your system will handle, relevant regulatory or contractual constraints, and any previous assessments or incidents that inform your concerns. We will explain how we address security throughout development and what additional verification may be appropriate for your situation. Email support@smallpeasoftware.com or contact us from our Chatswood office to begin.

Access Reviews, Logging, and Incident Coordination

Security controls only remain effective when they are maintained. Small Pea Software embeds operational practices into the systems we deliver — data classification labels that drive access rules, scheduled review reminders for administrators, and logging comprehensive enough to support investigations without capturing unnecessary personal detail.

Classification, Retention, and Client IT Alignment

Data classification tiers — public, internal, confidential, restricted — map to encryption requirements, backup access, export restrictions, and minimum authentication strength. Audit logs inherit retention rules from the sensitivity of events they record; authentication and permission changes typically outlive routine activity entries. We align technical implementation with your IT policies and incident response plan so our software fits your broader security posture rather than inventing a parallel scheme.

  • Quarterly access review — export of privileged users and dormant accounts for HR or IT sign-off.
  • Audit log scope — defined events, retention period, and tamper-evident storage approach.
  • Classification matrix — data types mapped to handling, storage, and transmission controls.
  • Incident contacts — named client IT and vendor escalation paths with severity definitions.
  • Post-incident review — structured capture of timeline, root cause, and remediation actions.
Audit logs you cannot retain long enough to investigate, or classify too vaguely to protect, create compliance theatre instead of defensible security.

Practical Tip: Rehearse Before an Incident

Walk through a simulated credential compromise or data exposure scenario with your IT team before production launch. Confirm who disables accounts, how logs are preserved, and what communication goes to affected parties. A thirty-minute tabletop exercise surfaces gaps that policy documents alone will not reveal.