8 min read · Written by Grant Rayner on 13 Dec 2023
Share by emailOver the last few weeks, I’ve focused on different types of products, including subscription products. While applications are another type of subscription product, they could be considered products in their own right. Your entire business could be based around an application. Alternatively, you could integrate an application into your existing products and services.
In this article, I’ll share some thoughts on developing applications as part of your portfolio of products and services as an independent security professional.
For context, I’ve been directly involved with the development of multiple applications over the years. Around fourteen years ago, I developed the first private social network for security professionals. Working in a partnership at the time, I hired a developer. Ten years ago, working in collaboration with an accomplished developer, we developed a private workspace for security associations. Four years ago, with the same developer, we developed a whistleblowing application. Right now, I’m working on a crisis management application by myself. I’m hoping to launch this application early in 2024.
There’s a lot to consider when it comes to building an application. I’ll cover the key points below, with the objective of highlighting some of the challenges you might face. The reality is that I’m only scraping the surface. Developing an application is a serious endeavour that can be costly in terms of your time and bank balance.
From a business perspective, the key benefit of an application is that it can provide a stable ongoing revenue stream. If you charged customers $500 a month to use your application, and you had 20 customers, you’d have a monthly revenue of $10,000 a month. If you’re able to get 50 customers, you’ll have a healthy monthly revenue of $25,000 a month. There’s obviously plenty of scope for you to implement different pricing models and of course you can grow your customer over time.
However, you’ll also need to consider the costs relating to initial development. In addition, you’ll have ongoing costs relating to maintaining the application and providing support to customers.
The first stage of developing an application is developing a concept. Who is your application for and what problem does it solve for that person or organisation?
Ideally, your application should align with your other products and services. If you’re an expert in the management of security guarding operations, your application might provide a solution to managing guarding operations more efficiently. If you were an expert in investigations, you might develop an application that enables organisations to schedule and manage investigations.
Your application should address a defined customer problem. The more customers that experience this problem, the better.
Your application should be difficult to replicate. If your application is too simple, it can be quickly copied and companies with more resources at their disposal can run rings around you.
It should also be difficult to switch from your application to another application. The longer a customer uses your application, the more difficult it should be for them to stop using it and use a competitor’s application instead. There are two complementary aspects to this requirement. First, and most importantly, your application should provide ongoing utility. Second, your application should provide more utility the more it’s used.
As an example, you could develop an application that enables a customer to log security incidents. The ability to log incidents alone isn’t enough to keep a customer using your application if a better one comes along. However, if you can add sophisticated analytics that can identify patterns and emerging risks, that may provide the value necessary for your customer to continue to use and pay for the application.
Of course, offering excellent customer service will always be a key factor in retaining customers. Regular updates and improvements will also help encourage customers to stay.
Once you have a clear idea of what you want to build, you’ll need to determine what it will cost to build and maintain the application. For now, you’ll need to consider how much you’re prepared to invest in building the application. If you’ll need to hire a developer, development costs could easily hit $100,000. That doesn’t include costs relating to ongoing development, maintenance and support. I’ll cover aspects of ongoing development, maintenance and support later. In addition, there will be hosting fees and other subscription costs.
If you develop the application yourself, consider the opportunity costs of doing so. If it takes you 100 working days to build the application, and your consulting rate is $1,500, you’ve invested $150,000 in development.
Another approach is to work on the application during periods when you don’t have project work. You might be able to carve out one day a week that you can dedicate to working on your application.
If you’re set on developing an application, you have two options:
If you don’t know how to code, you’ll struggle in a few very fundamental areas. At a high level, you won’t be able to make an accurate determination of what programming languages or frameworks you should be using for your application. Selecting the wrong languages and frameworks can set you up for significant problems down the road. At a more practical level, if you don’t know how to code you won’t be able to appreciate how long specific features will take to build. As a result, you could be easily mislead by a developer and overcharged for their time.
Even if you do know how to code, developing an application suitable for commercial use is a serious endeavour. You will need to be very confident that your skills are at the level required to ensure stability, performance, and data security.
Even if you are adamant that you’re not going to learn to code, you’ll still need to know enough about programming to be able to communicate effectively with your developer. If you’re unable to do this, you’ll struggle to bring your vision to reality.
At the least, learn HTML and CSS. By doing so, you’ll be able to work on the front end of the application (the parts people can see). There’s also value in learning the basics of git. That way you’ll be able to access the codebase on your local machine.
If you hire a developer, you’ll need to have a clear understanding of what you want to achieve. You’ll need to provide them mockups of views. Having an understanding of database design and entity relationship diagrams can also help.
If you don’t know what you want and just ask them to build an application that does XYZ, you’re not applying sufficient constraints on the project and you should expect your budget to be expended before you get even close to finishing the project.
In addition to learning the basics of coding, there’s also a significant benefit in understanding application design and user experience. How customers interact with your application will have a major impact on their willingness to continue to pay for your application over time.
Once you’ve developed your application, I recommend conducting a soft launch and providing access to no more than two or three customers. Ideally, you should have been engaging with these customers during the process of developing your application. You could offer these customers a discount for the first period of their subscription in the understanding that they will be accepting of any problems that occur immediately after launch, providing you the opportunity to fix them before your application has a broader audience.
You’ll also need to consider analytics, ensuring you can understand how your application is being used.
Once you’ve launched your application, you’ll need to actively promote it. The best approach is to use a combination of LinkedIn and email. Start with the clients you’re already working with, and expand from there.
Don’t think too far ahead. Instead, focus on signing up your first ten clients. Once you’ve done that, focus on signing up the next ten. As with the soft launch approach described above, a slow start will help you adjust your approach and minimise the risks of costly mistakes.
You can also include SEO in your approach. However, your focus at the beginning should be very manual and involve direct contact with potential customers. Don’t expect customers to find your application via a Google search. At least, not in the beginning.
Even basic applications will require ongoing maintenance. If you’re using an external vendor, you’ll need to budget money each month for them to maintain your application. If you’re managing your application yourself, you’ll need to budget one day a month (more or less) for maintenance.
When there’s a major update to the framework you’re using for your application, you’ll need to upgrade your application. This is not a trivial process and can have unknown consequences if done poorly.
If your application has a lot of dependencies, you’ll need to continually check to make sure you don’t break anything during updates. If you consider an application that uses Ruby as a programming language, Ruby on Rails as the web application framework, and then a range of different Ruby Gems, you’ll need to make sure your versions of Ruby, Ruby on Rails, and all of your gems are compatible.
Let’s move onto using generative AI, supporting your customers, improving your application, and assuring security.
With the introduction of generative AI tools, you’ll find you’ll be able to solve quite difficult problems with application development. Even still, be circumspect about the benefits of using AI to guide your approach and recognise the inherent risks of not knowing what you don’t know.
I’ve already found generative AI to be an effective replacement for Stack Overflow. Where I’ve found generative AI most useful is to teach me different approaches to a specific problem. Rather than just ask for a solution and copy and paste the block of code, present the problem to the AI and ask for different approaches to solving that problem. The AI can also explain the pros and cons of each approach. By taking this approach, you’ll build your knowledge and capabilities as you go.
Once you have paying customers, you’ll need to provide support. You might provide support by email or use an application such as Zendesk (or similar).
You’ll need to either manage support enquiries yourself, or hire someone to do it for you. An appropriate approach is to manage support yourself at the beginning, which will keep you close to your customers. Customer feedback received via support can often reveal issues with the design and functionality of your application. As the number of customers grows, you may need to hire someone to manage support requests for you.
Improving Your Application
Once you’ve launched your application, you will want to improve your application over time as you think of new features or as you receive feedback from customers.
You’ll need to develop a pipeline for the features you want to introduce, prioritising their development. A useful approach is to set a cadence for new feature releases. You might, for example, release new features on a fortnightly or monthly basis.
You’ll undoubtedly receive feature requests from your customers. Some of these requests may be good, others may be questionable. Don’t be too quick to commit to adding new features until you are confident they provide real benefits and align with your overall vision for your application.
From a business standpoint, you’ll either need to set aside time for this work or set aside money for someone to do it for you.
If you’re going to develop an application, you need to be clear regarding the security implications of storing customer data. If you’re developing an application relating to security, you’ll need to be particularly careful. Application security is not trivial. In the applications I’m working on, I have to consider authentication, authorisation and sessions. Then, there’s the need to filter and sanitise user input to protect against SQL injection or Cross-Site Scripting (XSS) attacks. And so on. It’s not easy, and there’s a steep learning curve.
As an example, I worked with a developer some years ago to develop a crisis management application. The best feature of the application was that it could automatically locate employees after a crisis and provide a dashboard of where they are and their situation. The problem with this feature is that it required access to the customer’s employee personal data (name, phone number, email address etc). No corporate customer was willing to allow us to store this information in our database. In addition, it would have been difficult to maintain. We developed workarounds, including allowing the customer to upload the data when needed and then purge it when no longer required. However, it wasn’t a very seamless solution and the key benefit of the application couldn’t be realised.
I’ve really only scratched the surface here. If you believe you have a good idea for an application, by all means go for it. However, don’t underestimate the very real challenges involved, particularly if you can’t code.