The pitch sounded perfect - a custom software platform built for just a few thousand dollars. It would handle customer enquiries, process data, and run core business functions. Offshore developers promised quick delivery and rock-bottom pricing.
But six months later, everything goes to hell in a handbasket - the system is breached and customer data is compromised. The company is now facing a complete rebuild and regulatory investigations, and customers are questioning whether it can be trusted.
The ‘cheap’ route just became the most expensive decision the business ever made.
"We see this constantly," says Daniel Foster, CEO of Joondalup-based Redi Software. "Companies come to us after trying the perceived cheaper option. Often the platforms are in such a poor state that we have to start from scratch."
This sort of incident isn’t isolated either - in 2024, software vulnerabilities surged 61%, with a 96% spike in exploited vulnerabilities. And according to Verizon's 2024 Data Breach Investigations Report, exploitation of vulnerabilities as the critical path to initiate a breach almost tripled.
The remediation reality
After 15 years building custom software solutions and earning recognition as Joondalup Business of the Year in 2025, Daniel's team of 25 developers has become one of Western Australia's largest software development companies. They've also become specialists in something that should never be necessary: fixing software that was built wrong the first time.
"We find that basic security measures like properly secure passwords aren't even considered, sometimes," Daniel explains.
Unfortunately, it’s sometimes worse than simple negligence. Daniel has encountered platforms built abroad where developers intentionally embedded malicious code during the build, then activated it once the system launched, with the businesses then being held to ransom.
Often, the cost of remediation ends up dwarfing whatever was ‘saved’ on the initial build. Lost revenue. Damaged reputation. Regulatory penalties. Emergency security responses.
This is where a secure by design approach can make all the difference.
What ‘secure by design’ actually means
With 108 new vulnerability alerts coming in every day on average in 2024, and exploitation of vulnerabilities nearly tripling as an attack vector, building in security from the start isn't optional anymore - it's survival.
"For everything we build, security is number one," Daniel says. "Some companies are outsourcing development overseas to Pakistan or India, with no oversight on the technical veracity of what’s being built. We know every line of code, who built it, where it is."
This expertise comes from experience in the sectors where security failures have immediate, devastating consequences. Redi has spent 15 years building banking and financial solutions, healthcare platforms, and fintech applications.
The company's client list reflects this range: from startups in their early stages through to billion-dollar operations like Spudshed, Kitchen Craftsmen, and Curtin University. The variety is huge, but the security standard remains constant.
"We've got patterns we follow," Daniel explains. "All staff have it drilled into them so every project takes a best practice approach. We can build secure software much more cheaply than systems built elsewhere because we have established processes. Build speed is pretty quick while performance is tried and tested."
Companies come to Redi because they need to tick every box. But increasingly, they're coming because they need to fix what happens when those boxes were never ticked at all.
The AI illusion: everyone's a developer now
If the challenge of secure software development was significant before, artificial intelligence has made it exponentially more complex.
"AI is a wonderful thing," Daniel says. "But it's made a lot of people believe they're software developers. Everyone thinks it's easy to be an expert if they use AI."
The proliferation of AI-powered development tools has democratised software creation. You can now build simple apps that automate processes and improve business operations without writing a single line of code yourself.
This accessibility introduces massive risk, depending on what you're using it for and how far you take it.
Real scenarios Daniel has encountered: CEOs acting as software developers building core pieces of their business that deal with customer data and enquiries. Then they leave the company, and suddenly access, control and security become major problems.
"You can ask ChatGPT about your headache," Daniel says, "but you won't ask it to perform surgery. In the same way, you can get an AI tool to build a small repetitive task, but you can't ask it to build business-critical systems and store personal data without proper checks and balances."
The questions you must ask
Before choosing an AI development tool or engaging a software development partner, business leaders need to ask hard questions.
Where does your data live? Is it suddenly residing in Moscow? In a jurisdiction with weak privacy laws or hostile to Australian interests?
Who (or what) has access to this data? Is the AI model being trained on your business information or customer records?
What happens if this system gets turned off tomorrow? Do you have contingency plans, or does your business grind to a halt?
What happens if this system gets hacked tomorrow? Would leaked data matter? Would a ransomware attack cripple operations?
Do you know every line of code and who wrote it? Can you verify there's no malicious code hiding in your system?
In Daniel’s opinion, for critical business tools or systems handling personal data, extreme caution is required. "It's not saying 'don't use these tools,'" Daniel clarifies. "It's just ‘make sure you use them the right way’."
Why Australian matters for critical systems
Daniel is deliberately, as he puts it, ‘militant’ about keeping Redi Software's development 100% based in Joondalup, Western Australia, for both accountability and data sovereignty reasons.
For healthcare, financial services, fintech, mining, and manufacturing clients, knowing that data never leaves Australian soil matters. It means compliance with Australian privacy laws. It means jurisdiction when things go wrong.
"Data never leaves Australian soil," Daniel emphasises. "It lives in Australian data centres."
The company also takes on placement students and interns from local universities, building the next generation of secure software developers while maintaining rigorous standards.
For startups through to enterprises, this combination of local accountability and proven security practices provides what offshore alternatives can't: genuine peace of mind.
Building right beats fixing later
The false dichotomy in software development is speed versus security. The real trade-off, though, is upfront cost versus long-term risk.
"Think really hard about what you're building," Daniel advises. "Think of the long-term costs."
Whether you're a startup building your first product or an established enterprise adding new capabilities, the principles are the same. Security isn't a feature you bolt on. It's a foundation you build from.
Your software should be built right the first time. Because in cyber security, there are no do-overs without consequences.
—
Cecily Rawlinson is the Director of CyberWest Hub, Western Australia’s central force for advancing cyber security. The Hub is committed to strengthening the state’s cyber industry, developing a future-ready workforce, and raising cyber awareness across all sectors of the economy. For more information, you can get in touch with Cecily at director@cyberwesthub.au.
Daniel Foster is one of many experts that exist in Perth to support companies with their cyber security and data privacy challenges. CyberWest Hub is connected to a range of local experts - find out more at https://www.cyberwesthub.au

