Startup Security 101 - Introduction
Earlier this week I gave a talk about security in the startup world. While working on the presentation and trying to figure out which content I want to cover I ran into a very simple problem: security is hard and the field is quite large.
I think this is not a well kept secret, but something most people working in information security know and are fully aware of. Nevertheless I had to figure something out and received some good feedback in the end. But instead of calling it a day and celebrating myself I decided to work on some articles outlining the foundations of things nearly any company should do.
Introducing: Startup Security 101 (the absolute basics).
Talking about any infosec related topic usually brings out people who like to start their sentences with "actually...". And there will be a lot of chances to “well, actually...” me while reading through the upcoming articles. Consider this post my general disclaimer to not treat those articles as the ultimate, final truth. It’s supposed to be a starting point.
Some people believe security is an absolute. You either are doing everything known to humankind or everything you actually do is worthless. Some people believe security is the only thing a company must care about until they "get it right". Others will argue that "theoretically" something better than whatever you do exists. Or that there are still holes and potential attack vectors that you missed. And there is a very good chance that some of those people are correct.
But here’s the thing: If you look at most security breaches and data leaks, they are not sophisticated attacks involving three zero day attacks. They are likely based on some very simple bug which in hindsight is so obvious that you question how this could have ever happened with a competent team working on the project. Truth be told the most talented engineers sometimes make mistakes - we all do. Sometimes the system crashes, sometimes the whole database leaks (but one of those two is obviously worse than the other).
What I will be focusing on in the startup security 101 series is covering as many basics as possible to reduce the chance of those kinds of bugs. Will you be 100% safe and absolutely unhackable? No. If I could offer this kind of knowledge I would be writing a book right now and plan which island I am going to buy to park my Bugatti Chiron on.
As you might have noticed by now is that I am always prefixing security with "startup". This is actually intentional (not only because it increases the word count of this post). For startups there are three things which are nearly always true, no matter at which stage they are (except some specific domains):
- you can run out of money pretty fast
- time to ship is important
- dedicated security talent is not a priority
So all advices have to follow a few very specific criteria:
- they cannot add significantly to engineering expenses
- they have to be able to be implemented, used and maintained by software engineers without special training
- they cannot require days and days of work to do so
Focusing on the basics that cover the most common problems means that there will be gaps in your security concept. Therefore you have to treat security the same as your product and your company. It will evolve over time, it will need more attention and it will require you to think about problems you have not had at an earlier stage - but it has to be there from the beginning for this to happen. This is a very good problem to have, but it also means you will require additional, specialised engineers later on.
The articles will not follow any specific order. Most of them, except some which will focus on outlining a more general problem, will have actionable advice for a specific topic and hopefully allow you to jump into an implementation phase with minimal additional research. I will also try to provide guidance on how to obtain additional resources and information leading from the bare minimum coverage you should have to an industry best practice version - if something like this actually exists is a topic for another post.
Security is a process. Doing it right is often expensive and time consuming. But this should not discourage you from doing smaller pieces and going for easy wins. They will accumulate and will make sure you are in a better spot than without them. And in a way better spot than many of your competitors who do not think about security at all.