Organizational Foundations and Security Practices in Software Development

Posted on Dec 11, 2025 in Business Administration and Innovation Management

1. Organisational Foundations: Mission, Goals, and Objectives

Mission Statements

  • A mission statement represents the collective goals of an organisation.
  • It is a statement explaining why the organisation exists and helps guide its strategic decisions.
  • Examples include:
    • Tesla: “Tesla’s mission is to accelerate the world’s transition to sustainable energy.”
    • TED: “Spread ideas.”
    • Ikea: “To create a better everyday life for the many people.”
    • Patagonia: “Build the best product, cause no unnecessary harm, use business to inspire and implement solutions to the environmental crisis.”

Goals and Objectives

  • Goals describe a potential future state that an organisation strives to achieve. They provide guidance and direction, assist in future planning, inspire people within the organisation, and support evaluation.
  • Objectives are measurable targets that support the goals. They are quantifiable statements that expand on goals in a way that allows them to be assessed.

Typical Goals for Organisations:

  • Making a profit (commercial organisations).
  • Achieving a specific percentage of market share.
  • Providing service for a cause (non-profit organisations).
  • Delivering quality products.
  • Offering excellent customer service.
  • Building an excellent reputation.
  • Ensuring the price and reliability of products.
  • Caring for and developing staff.

Typical Objectives for Organisations (Note: they are measurable):

  • Increase sales in the next financial year by 10%.
  • Reduce the number of customer complaints by 50%.
  • Ensure 95% of online orders are packaged and delivered within 5 working days.
  • Maintain an employee retention rate of 95%.
  • Engage 3 new clients per quarter.

2. Software Development Approaches: In-House vs. External

In-House Development

  • Definition: Building and maintaining software using an organisation’s own team of developers.
  • Advantages:
    • Full control over the project’s priorities, timelines, and quality standards.
    • Strong alignment with the organisation’s culture, goals, and internal processes.
    • In-house teams develop deep institutional knowledge, enabling faster troubleshooting.
  • Disadvantages:
    • Significant costs, including salaries, benefits, equipment, and training.
    • Teams may lack exposure to the latest industry practices.
    • The organisation is limited to the skills and experience available internally.

External Development (Outsourcing)

  • Definition: Outsourcing software creation to a third-party vendor or contractor.
  • Advantages:
    • Access to a wider pool of specialised expertise.
    • Often available at a lower overall cost compared to a full-time in-house team.
    • Vendors may provide a faster turnaround time due to experience and dedicated resources.
  • Disadvantages:
    • Risks related to intellectual property security, quality control, and communication.
    • Challenges in ensuring the external team fully understands business needs, especially with time zone or cultural differences.
    • Can lead to long-term dependency on the vendor, making future changes more complex or costly.

3. Cybersecurity: Threats, Vulnerabilities, and Risks

Types of Vulnerabilities and Risks

  • Use of APIs: The 2022 Optus data breach occurred through an unprotected, publicly exposed API that did not require user authentication.
  • Malware: Malicious software such as viruses, worms, and trojans.
  • Unpatched Software: Exploits in software that have not been updated with the latest security patches. For example, a vulnerability in Microsoft Office SharePoint Server could allow an attacker to execute code remotely.
  • Poor Identity and Access Management (IAM): The 2020 Twitter hack involved social engineering and poor IAM practices.
  • Man-in-the-Middle (MITM) Attacks: A hacker intercepts communications between two parties to steal sensitive information.
  • Insider Threats: Individuals with network access who intentionally or unintentionally cause data breaches. The Medibank data breach was initiated when an employee of a third-party provider saved admin credentials to their personal browser profile.
  • Cybersecurity Incidents:
    • Social Engineering: Malicious actors manipulate individuals into performing actions like opening attachments or revealing credentials.
    • Denial-of-Service (DoS/DDoS) Attacks: Overwhelm a system to make it unavailable to legitimate users.
    • Bots and Web Scraping: Automated programs can overwhelm academic websites while gathering training data for AI tools.
  • Risks from Third-Party Software: There is often a time lag between when a vulnerability is discovered and when a patch is installed by the user, creating a window of vulnerability.
  • Ineffective Code Review Practices: Can lead to issues like unchecked copied code, use of deprecated libraries, unrestricted repository access, hardcoded secrets (passwords, keys), and exposed information in error messages.
  • Combined Development, Testing, and Production Environments: This can lead to accidental exposure of sensitive data, such as an Uber employee uploading login credentials to a public GitHub page.

Threat Modelling

  • Definition: Threat modelling is a procedure where an enterprise evaluates its architecture, systems, and assets with the mindset of a hacker. It involves analyzing representations of a system to highlight security and privacy concerns.
  • Core Principles: All threat modelling methodologies answer four key questions:
    • What are we working on? (Define security requirements).
    • What can go wrong? (Identify threats).
    • What are we going to do about it? (Mitigate threats).
    • Did we do a good enough job? (Confirm threats have been mitigated).
  • Goal: The goal is not to list every possible vulnerability but to find threats that are likely, impactful, and fixable. Focusing on low-risk cases can lead to critical issues being missed.
  • Methodologies:
    • STRIDE: A Microsoft model that categorises threats into Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privileges.
    • PASTA (Process for Attack Simulation and Threat Analysis): A seven-stage, risk-centric methodology.
    • OWASP: The OWASP threat modeling process includes scoping your work, determining threats, determining countermeasures, and assessing your work.
    • MITRE ATT&CK: A framework that can be used to sort threats by likelihood and impact.

4. Security Controls and Mitigation Strategies

Mitigation Measures Mitigation involves actions or strategies to reduce or eliminate problems like hacking, phishing, malware, and insider threats. Consequences of not mitigating threats can include data loss, financial harm, and reputational damage. Key mitigation areas include:

  • Hardware: Physical devices with built-in security features like firewalls, secure servers, and routers to prevent unauthorised access. Firewalls can block suspicious traffic, and routers can prevent DoS attacks.
  • Software: Security programs like antivirus, anti-malware, and intrusion detection systems (IDS) to detect and prevent threats.
  • Physical Equipment: Devices and systems to control physical access, such as locked server rooms, security cameras, and biometric scanners.
  • Procedures: Policies and protocols to ensure security best practices, including employee training, strong password policies, and access protocols based on the “least privilege” principle.
  • Electronic Measures: Techniques like encryption and multi-factor authentication (MFA) to protect data and ensure secure access.

Specific Security Controls

  • Version Control and Code Repositories: Version control records each stage of development, allowing a “roll back” to previous versions. Code repositories are storage systems for source code.
  • Robust Identity and Access Management (IAM): This process ensures that individuals can only access the data and systems required for their designated duties. It prevents staff from having excessive privileges and reduces risk exposure.
  • Encryption: The process of encoding data from plain text format to protect it from being compromised.
    • Symmetric encryption uses a single key for both encryption and decryption.
    • Asymmetric encryption uses a public key for encryption and a private key for decryption.
  • Code Review: The systematic examination of computer source code to identify issues.
  • Regular Updates and Patches: Applying updates is critical to ensuring the security of systems and applications.
  • Separated Development, Testing, and Production Environments: Failure to properly segregate these environments can result in the loss of availability, confidentiality, and integrity of information assets.

Threat Response Strategies

  • Mitigate: Reduce the likelihood of a threat occurring.
  • Eliminate: Remove a risky feature entirely.
  • Transfer: Outsource the risk, for example, by using cloud services.
  • Prepare: Have a detailed incident response plan ready.

5. Improving and Evaluating Security Practices

Strategies for Improving Security

  • Onboarding/Induction: Help new employees integrate into the company culture and understand security protocols, expectations, and secure coding practices.
  • Developer Training: Keep developers updated on the latest vulnerabilities and risks. Encourage continued education through courses and certifications.
  • Risk Management Plan: A document that outlines the plan to identify, assess, and mitigate risks to ensure business continuity and security.
  • Systematic Risk Assessment:
    • Identify and evaluate risks to determine their potential impact and likelihood.
    • Develop and implement mitigation strategies.
    • Prepare detailed incident response plans to minimise damage and recover quickly.
    • Regularly monitor and review risk management plans to ensure they remain relevant.

Criteria for Evaluating Security It is important to have evaluation criteria to:

  • Ensure consistency and standardisation.
  • Mitigate risks by focusing teams on potential threats.
  • Provide benchmarks for performance.
  • Support continual improvement to address new threats.

Sample Evaluation Criteria:

  • Version control: Are there access logs? Is code stored in an encrypted file?
  • IAM: Is MFA implemented? Are permissions based on roles? Are user activities logged?
  • Encryption: Is sensitive data encrypted at rest and in transit? Are secure key management practices used?
  • Code review: Does all code undergo peer review? Are audits performed to identify vulnerabilities?
  • Updates and patches: Is there a policy for regular patching? Are vulnerability scans performed?
  • Separated environments: Are development, testing, and production environments logically separated? Is access to production environments restricted?

6. Industry Frameworks and Legislation

The Essential Eight

  • Developed by the Australian Cyber Security Centre (ACSC), the Essential Eight is a set of baseline cybersecurity strategies to protect systems from threats. The eight strategies are:
    • Application Control: Prevent malicious programs by only allowing approved applications to run.
    • Patch Applications: Apply security patches to fix known vulnerabilities in applications.
    • Configure MS Office Macros: Block macros from the internet and only allow vetted macros to run.
    • User Application Hardening: Configure applications like web browsers to reduce their attack surface.
    • Restrict Admin Privileges: Limit administrator accounts only to those who absolutely need them.
    • Patch Operating Systems: Apply security patches to operating systems to address known vulnerabilities.
    • Multi-factor Authentication (MFA): Require two or more authentication factors for system access.
    • Regular Backups: Perform regular backups of important data and store them securely offline.

Information Security Manual (ISM)

  • The ISM is published by the ACSC and provides comprehensive guidelines to help Australian government agencies protect their information systems. Key guidelines for software development include:
    • Development, testing, and production environments: These environments and their data should be segregated to minimise the risk of faulty or malicious code reaching production. Protecting the authoritative source for software is critical.
    • Secure software design and development: Software should be developed using ‘Secure by Design’ principles, threat modelling, and memory-safe programming languages (e.g., C#, Go, Java, Rust). Software should also be ‘Secure by Default’, meaning it is secure “out of the box” with security features included at no extra cost.
    • Application security testing: Testing should be repeatable and scalable to identify vulnerabilities early. It should include SAST (Static Application Security Testing), DAST (Dynamic Application Security Testing), and SCA (Software Composition Analysis) for comprehensive coverage. Software needs to be comprehensively tested during development, before all releases, and periodically thereafter.

Australian Legislation

  • Privacy Act 1988: This law, which includes the Privacy Amendment (Enhancing Privacy Protection) Act 2012 and the Privacy and Data Protection Act 2014, governs how organisations collect, use, and distribute personal data. It applies to government organisations and private sector organisations with a turnover above $3 million, those that store medical information, or those that sell personal information. The Act unified previous principles into 13 Australian Privacy Principles (APPs).
    • APP 1: Open and transparent management of personal information.
    • APP 2: Allowing individuals to use anonymity or a pseudonym.
    • APP 3: Rules for the collection of solicited personal information.
    • APP 4: How to handle unsolicited personal information.
    • APP 5: Notifying individuals about the collection of their personal information.
    • APP 6: Limiting the use and disclosure of personal information to its original purpose.
    • APP 7: Rules for using personal information for direct marketing.
    • APP 8: Ensuring overseas recipients of data do not breach the APPs.
    • APP 9: Prohibiting the use of government-related identifiers (e.g., Medicare numbers).
    • APP 10: Ensuring the quality of personal information is accurate and up-to-date.
    • APP 11: Taking reasonable steps to secure personal information.
    • APP 12: Giving individuals access to their personal information.
    • APP 13: Taking reasonable steps to correct personal information.
  • Health Records Act 2001 (Victoria): This Act provides specific protection for medical information in Victoria, regardless of the size or type of the organisation collecting it. It establishes 11 Health Privacy Principles (HPPs).
  • Copyright Act 1968: In Australia, copyright protection is free and automatic for the creator of a work. It is illegal to copy, share, or change the format of a work without the owner’s permission. The 2006 amendment introduced “fair dealing” exceptions for parody, research, and review, and extended copyright to 70 years after the creator’s death. It also permitted format-shifting of music for personal use (e.g., ripping a CD to an iPod) and recording TV/radio for personal use.
  • Other relevant laws listed in the VCE Computing Study Design include the

Spam Act 2003 and the Charter of Human Rights and Responsibilities Act 2012.

7. Ethical Issues in Software Development

  • Ineffective Security Practices: There is an ethical obligation to protect user privacy and data security. Poor encryption, a lack of regular software updates, and weak authentication methods are ethical failings.
  • Use of Artificial Intelligence (AI):
    • AI algorithms may inherit biases from training data, leading to issues like gender bias or reinforcing stereotypes.
    • There are ethical questions around accountability for AI decisions, as they are not always correct or transparent.
    • The potential for job displacement due to automation is also a concern.
  • Intellectual Property (IP):
    • Respect for the work of original creators is essential.
    • Plagiarism and the theft of code are significant ethical concerns.
    • Companies must ensure they have proper licensing for all software tools they use.
  • Copyright Issues:
    • Software code, images, and content are protected by copyright.
    • Using copyrighted material without permission is both unethical and illegal.
    • Developers must understand the differences between open-source and proprietary software and properly acknowledge and credit their sources.

1. Analyse the current physical security controls and employee authentication approach implemented by RADSoftware. Discuss the associated risks and their impacts. (12 marks)

RADSoftware currently relies on basic physical security, such as swipe-card access to the office floor, but there are no restrictions within the floor itself. Their servers and network switch are stored openly on shelves next to the administrator’s desk, which poses a high risk of theft or tampering. The company also shares Wi-Fi with other businesses in the building, which significantly increases the risk of man-in-the-middle attacks and unauthorised access to sensitive traffic. While automatic screen locking is enabled, the inactivity period has been extended to ten minutes, meaning staff computers are often left vulnerable to walk-up access. These controls demonstrate weak identity and access management (IAM), and the annual patching schedule further increases the chance of unpatched vulnerabilities being exploited. The impact of these risks could include exposure of sensitive customer data, fraudulent transactions, complete service outages, and reputational damage, making the organisation non-compliant with the Privacy Act’s requirements to take reasonable steps to secure data.


2. Identify two missing secure development practices that should be in place to reduce the risk of the reported customer data issue occurring. Explain how these practices would achieve this reduction. (8 marks)

The first missing secure development practice is deliberate multi-tenant data isolation. RADSoftware attempted to separate customer data with a simple company code in the database, but this is inadequate. Proper practices such as using row-level security, separate schemas, or individual databases for each client would ensure customers’ data cannot be mixed or accessed by the wrong company. The second missing practice is formal change management with recorded testing. At present, the company carries out testing but does not keep documentation or evidence, and they have no ability to roll back to previous versions. Introducing version control, peer code review, automated test cases, and release tagging would prevent untested or faulty changes from being released into production and would allow recovery if errors occur. Together, these practices would reduce the risk of cross-tenant data leakage and ensure system integrity.


3. Identify the potential risks associated with using a third-party payment gateway. Propose an approach to evaluating and mitigating those risks. (8 marks)

Using a third-party payment gateway introduces several risks. These include the potential compromise of API credentials, replay attacks if payment requests are not uniquely identified, forged webhook notifications, dependency on the vendor’s availability, and uncertainty about where and how sensitive data is processed. To evaluate these risks, RADSoftware should conduct due diligence by reviewing the gateway’s PCI DSS compliance, uptime SLAs, penetration test results, and data handling practices. To mitigate the risks, RADSoftware should store API keys securely using a secrets vault, implement HTTPS and HSTS for all traffic, use idempotency keys to prevent duplicate charges, and verify webhook signatures. Additionally, monitoring and reconciling transactions against settlements would quickly identify fraudulent activity. This approach ensures both secure integration with the gateway and compliance with industry requirements.


4. Identify the type of attack that is likely being used to create the illegitimate payments through the payment gateway. Explain how this could work in this situation. (6 marks)

The likely attack is the theft and misuse of API credentials, which allows attackers to impersonate RADSoftware’s system and issue fraudulent payment requests. Because the server communicates with the payment gateway over insecure shared Wi-Fi and lacks strong secrets management, attackers could intercept or steal the credentials. Once in possession of these details, they can send payment requests that the gateway treats as legitimate because they originate with valid credentials. Without safeguards like idempotency or signed requests, attackers can also replay previous transactions to generate extra charges. This explains why PaymentsRUs confirmed the fraudulent transactions as “legitimate” requests.


5. Analyse the connectivity between the web clients and the server in the RADSoftware office. Discuss two web application risks this may enable and how they could be used to breach data security. (12 marks)

Currently, the mobile app and web clients communicate with RADSoftware’s server over plain HTTP. This creates the first major risk of cryptographic failure, since unencrypted traffic can be intercepted and altered by attackers through man-in-the-middle techniques. This allows them to steal user credentials, manipulate payment amounts, or inject malicious code. The second risk is broken access control, as the system relies on an insecure company code to separate customer data. Attackers could exploit insecure direct object references (IDORs) to access other companies’ customer data. These weaknesses could lead to the theft of personally identifiable information, unauthorised charges, and breaches of the Australian Privacy Principles. To address these issues, HTTPS should be enforced, and proper access control must be implemented at the server and database level.


6. Part A: Propose a set of criteria to evaluate the effectiveness of the current development security practices in place at RADSoftware. (7 marks)

The criteria should include:

  • Governance and policy – whether there are documented security processes.
  • Secure design – whether threat modelling and multi-tenant isolation are considered.
  • Patch and dependency management – frequency and effectiveness of updates.
  • Access and secrets management – use of MFA, least privilege, and secure key storage.
  • Testing and verification – presence of automated, documented, and repeatable testing.
  • Release and change control – use of version control, rollbacks, and peer code review.
  • Logging, monitoring, and incident response – whether issues are detected and acted on quickly.


6. Part B: Apply these criteria to the current practice and describe the results. (7 marks)

Applying these criteria shows that RADSoftware’s practices are very weak. Governance and policy are almost non-existent, as Tate prefers culture over documentation. Secure design is poor, as the database design allows cross-tenant leakage. Patch management is inadequate, with only annual updates applied. Access and secrets management is weak, since there is no evidence of MFA or secure storage of payment credentials. Testing is inconsistent and undocumented, leading to production issues. Release and change control is ineffective, with no proper version control or rollback options. Finally, monitoring and incident response are absent, as fraud was only detected after customer complaints. Overall, the evaluation reveals systemic weaknesses across all areas, with no significant strengths.


7. Identify the legislation that applies to RADSoftware, articulating why this is the case. Assess Tate’s claim that the Privacy Act does not apply. (6 marks)

The Privacy Act 1988 and the Australian Privacy Principles (APPs) apply to RADSoftware. Although small businesses under $3 million turnover are normally exempt, this does not apply when personal information is traded for a benefit. RADSoftware sells names, addresses, and emails to a marketing company, so they are considered an APP entity regardless of turnover. The Spam Act 2003 also applies because customer data is used for direct marketing, which requires prior consent. Furthermore, handling credit card data brings contractual PCI DSS obligations. Tate’s claim that the Privacy Act does not apply is incorrect, as his company clearly meets the conditions for coverage.


8. Identify the flaws in RADSoftware’s security practices that could potentially breach legislation and describe how they breach it. (12 marks)

Several flaws could breach the Privacy Act and Spam Act. Firstly, RADSoftware shares customer data with a marketing company without explicit consent, breaching APP 6 and APP 7, as well as the Spam Act’s requirement for consent before sending commercial emails. Secondly, their weak security measures, such as using HTTP, shared Wi-Fi, poor patching, and long screen-lock delays, breach APP 11’s requirement to take reasonable steps to secure personal information. Thirdly, the mixing of customer data across tenants breaches APP 10, which requires information to be accurate and relevant. Finally, the lack of transparency in privacy practices likely breaches APP 1 and APP 5, as customers are not informed of the data sale. These flaws could lead to enforcement action, penalties, and reputational damage.


9. Part A: Identify three risks that address both the identified security and legislative issues. (6 marks)

The three key risks are:

  • Unauthorised use or disclosure of personal information without consent (APP 6/7; Spam Act).
  • Compromise of payment card data due to poor encryption and key management (APP 11; PCI DSS).
  • Cross-tenant data leakage caused by insecure database design (APP 10/11).


9. Part B: Explain how to mitigate the identified risks. Discuss how your strategies ensure compliance with legislative requirements. Highlight the potential consequences of not following the plan. (6 marks)

To mitigate the first risk, RADSoftware must cease selling personal data until they obtain explicit, informed consent from customers and provide clear privacy policies and collection notices. This ensures compliance with APPs and the Spam Act. For the second risk, all traffic must be encrypted with HTTPS, API keys securely stored, and payment handling outsourced via tokenisation so that sensitive data never resides on RAD’s systems. This reduces PCI scope and ensures compliance with APP 11. For the third risk, RADSoftware should enforce database-level tenant isolation using row-level security or separate databases, alongside automated testing. This ensures compliance with APP 10 by maintaining data accuracy and security. If these steps are not followed, the company risks financial penalties, loss of customers, and reputational damage, as well as potential regulatory investigations.