Startup Security: Minimum Viable Product Shouldn’t Mean Minimum Security
Security usually doesn’t make it to the top of the list of priorities for startups. Between developing and launching products, acquiring customers and raising funding, security can easily fall by the wayside as something that “we can fix later”.
However, in our new age of information insecurity, this can be a fatal mistake.
Size Doesn’t Matter
Contrary to the common excuse of “we are too small for hackers to care about”, startups are actually seen as easy targets by cybercriminals. Immediately after you have registered your domain and set up hosting and email, you are on the grid and at risk.
Almost instantly your website will be scanned continuously by bots looking for vulnerabilities, followed not long after by phishing emails and other attempts to compromise your systems.
Roughly 30,000 websites are compromised every day. Many of them deliver malware to visitors without the site owners even knowing, which can lead to the site being blacklisted by Google and by browsers, making it inaccessible; clearing such a blacklisting can take months.
Security and ROI
Even if you are not worried about security, you are missing an important point: your customers are.
Due to the number of high-profile data breaches, compromised servers and cases of corporate and foreign espionage in the media, and even increased concern regarding domestic surveillance, security and privacy risks have become a key concern for individuals and organizations alike.
The fact that the key new feature of Apple’s new iPhone is a fingerprint scanner to increase security is no gamble on Apple’s part.
No stranger to security incidents, Apple has done its research and knows that security is a prime concern for its customers; not only a concern, but a core requirement in the buying process.
Trojan as a Service
If your startup is targeting B2B or government customers, not focusing on security at the beginning is suicide. As larger organizations increasingly tighten their security to reduce risk, a key attack vector for hackers is to go after the partners of these larger entities as an easier gateway into their systems and data.
When the New York Times was recently compromised, it was not their own servers or systems that were attacked directly, but their domain registrar, Melbourne IT, through a partner portal where an account was compromised.
It is no longer unusual for a larger company to request a security audit of a smaller company it does business with, covering its infrastructure, code or both. If your business is not prepared, you can lose out on deals simply because you failed to take simple steps early on.
If your startup does suffer a security incident, the loss of reputation and trust may not be something it can recover from, as both customers and investors will drop you.
Implementing security controls early on does not require a great deal of additional effort. Just as a bricks-and-mortar business puts locks on its doors and installs an alarm system, there are some simple things that can be done at the start to reduce the risk of a security incident. Here are a few things startups can do and consider early on:
Passwords & User Accounts
If your startup provides a web-based service, make sure you store user passwords only as a properly salted one-way hash; this goes a long way toward protecting your users if your systems and database are breached.
There are standard algorithms available for most programming languages (bcrypt, PBKDF2, etc.). Research best practices for using these established standards, and DO NOT TRY TO CREATE YOUR OWN.
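As an added illustration of the advice above (example code, not from the original post), this Python snippet stores each password as a PBKDF2-HMAC-SHA256 record with a fresh random salt and verifies it in constant time; the iteration count and the `algorithm$iterations$salt$hash` record format are choices made for this example, and the unsalted hash is included only for contrast.

```python
import hashlib
import hmac
import secrets

# Example parameters (assumed for this illustration): PBKDF2-HMAC-SHA256, a random
# 16-byte salt per password, and the iteration count stored in the record so it
# can be raised later without breaking existing users.
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex."""
    salt = secrets.token_bytes(SALT_BYTES)  # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        return False  # unknown record format; never fall back to a weaker scheme
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # compare_digest avoids leaking the position of the first mismatch via timing.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def unsalted_hash(password: str) -> str:
    """The weak approach, for contrast: one fast hash, no salt, no iterations."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    # Constructed sample: two users who happen to choose the same password.
    alice = hash_password("correct horse battery staple")
    bob = hash_password("correct horse battery staple")
    # Unsalted hashing exposes that both share a password and is searchable in
    # precomputed tables; the salted records look unrelated to each other.
    assert unsalted_hash("correct horse battery staple") == unsalted_hash("correct horse battery staple")
    assert alice != bob
    assert verify_password("correct horse battery staple", alice)
    assert not verify_password("Correct horse battery staple", bob)
    print("salted records differ per user and verify correctly")
```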
The server, operating system and applications that run your services are critical to secure. Hardening your server is the difference between driving a tank and a Vespa scooter through a war zone.
This is an area where it is usually best to hire an experienced systems administrator, or to use a managed hosting provider to take care of it for you.
Although your developers may be “techies”, that does not mean they know how to secure a server properly, just as you would not hire a plumber to do the electrical work in your home even though both are “handy”.
Server hardening is also not a one-time task but a continuous process of monitoring, patching and upgrading over time as new vulnerabilities are discovered.
Going through a managed hosting partner is usually your best bet, as they already have systems in place to automate this process, as well as additional security layers you can benefit from, including firewalls, IDS (Intrusion Detection Systems) and other more robust security solutions such as Tripwire.
OWASP Top 10
It is a good idea to get your developers up to speed on web application security best practices. Implementing proper security controls in code early on can save a lot of money down the road. The OWASP Top 10 lists the most critical web application security risks:
- Injection
- Broken Authentication and Session Management
- Cross-Site Scripting (XSS)
- Insecure Direct Object References
- Security Misconfiguration
- Sensitive Data Exposure
- Missing Function Level Access Control
- Cross-Site Request Forgery (CSRF)
- Using Components with Known Vulnerabilities
- Unvalidated Redirects and Forwards
Although information security may seem complicated, it can actually be quite simple once you know what to watch out for.
Training staff on the pitfalls of phishing and visiting the wrong websites, and on being generally alert about security, can go a long way toward securing your systems, company and customers.
There is an amazing number of resources available nowadays to developers, executives and even consumers on how they can better protect themselves and their business.
Have any other suggestions regarding things startups should watch out for when it comes to security?
Let me know in the comments; I would love to hear more ideas. It is pretty amazing how little startup security has been discussed. I wonder how many startups have been compromised but either never know it or fail to disclose it simply because of the risks.
What are some more simple things that startups can do to keep their data, customers and systems safe?