For startups, user growth, product growth, virality and marketing
usually sit at the top of the priority list. As part of product
planning cycles, embedding information security into the
product or service is the last concern for most startups.
Often you see devops engineers, systems engineers, infrastructure
engineers or system administrators wear the security hat in these
startups and perform some of the small security fixes or patches. Even
though they can research the procedures to apply patches,
harden databases, or implement remediation in response to industry
breaches, they might not take every decision or option from a security
perspective.
Consider the Code Spaces startup breach, which effectively put them
out of business due to improper hardening of the root passwords and
not following the AWS security best practices. This deeply ignored lack
of security awareness has cost millions, and in the case of
some companies has even led to shutdown because of the loss of data
and reputation.
Robert Hansen, the director of product management at WhiteHat
Security, said persuading start-ups to invest in security could often
feel like "talking to a brick wall."
I'm going to share some of my startup security experiences as 7
deadly sins that startup security professionals often fail to recognize.
Applying information security practices in a startup, as opposed to a
medium or large organization, requires a shift in mindset when deciding
the right controls for your organization.
1. Lack of understanding of your business threats
Cyber security is not just an issue for governments and FTSE 100
companies; cyber attacks can affect every business, however large or
small.
According to last year's Information Breaches Survey conducted by PwC for the Department of Business Innovation & Skills:
87% of SMEs had a security breach in the last year; and only 9% of
small organizations know that outsiders have stolen confidential data.
It is very important that you understand your business threats before
you can protect your data. Perform a risk assessment and prioritize your
data, assign threat levels, assign a risk score and evaluate the
appropriate controls for the threats you want to protect against. Pragmatic risk
management isn't about trying to anticipate and mitigate every source of
risk. For example, the risks for a bitcoin startup will be different from
the risks for a startup that specializes in IoT.
2. Misalignment with your IT strategy
Security engineers need to be fully involved while setting up the IT
strategy. Unless you clearly know whether your servers will be hosted in
a third party public cloud by a third party firm (SSAE16/ISO27001
certified) or whether it's better to bring your infrastructure in-house in
the near term (2 years), you cannot clearly frame your security strategy
around this.
What happens if you introduce a network stack and invest millions of
dollars with this third party vendor to monitor the ingress/egress flow of
traffic, and then after several months your IT decides to bring their
critical servers in-house? You will have to re-scale and re-scope this
exercise and perform a thorough gap analysis to fix it.
As a startup security engineer, you will wear multiple hats, and it's
your responsibility to be part of the architectural review board and to voice
your opinions and ideas to IT, vendor management, HR and any other
critical functions.
3. Lack of security governance on third party vendors
Should startups protect their own data first and only then evaluate
the third party vendors who store that data? Not
necessarily.
Most startups run their servers and infrastructure in a
third party public cloud (such as AWS, Google Cloud, Rackspace etc).
With the number of cloud security breaches happening, it's important to
select a hosting provider for your organization that cares about
customers' data. And then there are the third party email ticketing
solutions and other vendors who manage the company's payroll, staffing
solutions, and so on. Your role as security assessor is
critical when startups establish relationships with these third party
vendors. Seek to establish cloud assessment criteria (BITS, CSA, ISO
etc) and ensure that these cloud hosted vendors meet your standards.
4. Continuous deployment lacks security checks
Startups cannot afford an extensive change management process
that deploys code only on a weekly or bi-weekly basis as big companies
do. The ability to continuously deploy code to production (multiple
times daily) with minimal QA checks and peer review has become part of
the code deployment process, and there is no time to perform secure code
review, threat modeling etc. As security engineers, it is important to
develop a secure coding framework and still be able to educate developers
about secure coding practices without hindering the deploy process. It's
not easy to integrate security into the code review process and have
developers validate improper exception handling, XSS, XSRF, verbose
errors etc, but this is something that can be managed through education,
training the developers and having a proper stage gate review process.
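One way to add a lightweight stage gate without slowing the deploy, as an added example that is not from the original post: a pre-deploy script that scans a changed file for the review items named above (improper exception handling, XSS, XSRF, verbose errors) and blocks only on the severe ones. The rule set, the severities and the Flask-style sample change are assumptions for illustration.

```python
"""Pre-deploy security stage gate: an added example, not from the original post.
Scans changed source for the review items the post names (improper exception
handling, XSS, XSRF, verbose errors). Rules, severities and sample are assumed."""
import re
from dataclasses import dataclass
from typing import List

@dataclass(frozen=True)
class Finding:
    line: int
    rule: str
    severity: str  # "block" stops the deploy; "warn" is reported to the reviewer

# (rule name, pattern, severity): an assumed, illustrative rule set
RULES = [
    ("verbose-errors: debug mode on", re.compile(r"debug\s*=\s*True"), "block"),
    ("xsrf: CSRF protection disabled", re.compile(r"CSRF_ENABLED\W*=\s*False"), "block"),
    ("xss: autoescape bypassed", re.compile(r"\|\s*safe\b|Markup\("), "warn"),
    ("exceptions: bare except swallows error", re.compile(r"^\s*except\s*:\s*$"), "warn"),
    ("verbose-errors: traceback sent to user", re.compile(r"format_exc\(\)"), "warn"),
]

def scan_source(text: str) -> List[Finding]:
    """Return every rule hit with its 1-based line number, in file order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern, severity in RULES:
            if pattern.search(line):
                findings.append(Finding(lineno, rule, severity))
    return findings

def gate_passes(findings: List[Finding]) -> bool:
    """The deploy may proceed only when nothing is rated 'block'."""
    return not any(f.severity == "block" for f in findings)

# Constructed sample of a risky change; not code from any real project.
SAMPLE = """\
app.config["WTF_CSRF_ENABLED"] = False
try:
    do_work()
except:
    return render_template_string(Markup(err) + traceback.format_exc())
app.run(debug=True)
"""

if __name__ == "__main__":
    hits = scan_source(SAMPLE)
    for f in hits:
        print(f"line {f.line}: [{f.severity}] {f.rule}")
    print("deploy allowed:", gate_passes(hits))
```

Warn-level hits go to the human reviewer while block-level ones fail the pipeline, so developers get feedback on every deploy without the gate becoming a bottleneck.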
5. Bad investment in unnecessary security tools
For some companies, availability might be more critical than
security. Invest more time in selecting appropriate DDoS mitigation and
CDN providers than in centralized SSO solutions, for example.
As a startup security engineer and lead, you set the tone for
security across the organization, and it's important that you invest in
the right tools for the organization, as you cannot afford a bad
investment.
6. Not empowering your employees
In startups, things move really fast. That means you need the ability to
quickly identify vulnerabilities and fix them. Who do you think in
your organization is better able to spot those weak spots before
attackers do? Of course, it will be your employees. It's imperative to
create an ecosystem where your smartest employees are motivated to
identify security incidents and report them without worrying about the
repercussions. Security awareness is even more important in startups
than in large companies. In large companies, you will have the ability
to use automated emails and phishing simulation solutions to educate employees,
have security programs as part of new hire orientations, etc. However,
in startups, you have to look for creative ways to educate employees
about breaches and incidents.
7. Managing bug bounty programs
With the limited security budget and resources startups
have, try to leverage third party bug bounty programs such as
HackerOne, Bugcrowd and many others. Once you know you have sufficiently
hardened the infrastructure and fixed the known vulnerabilities, then
you can open it up to one of these bounty programs. Fix the low-hanging
fruit first.
Scoping the program is very important as you don't want to get an
influx of multiple redundant vulnerabilities reported by researchers.
Also remediate the low priority vulnerabilities that can be found
through regular automated software checks before engaging with these
programs.
Alternatively, you can choose to set up a public sandbox environment
that people can test against that runs the same code as production.