Attention Startups: Don’t Ignore Security
Tom Goldenberg
LinkedIn Top Voice | Professor | Entrepreneur - Building the first AI Voter CRM
A well-known motto of startup culture is “move fast and break things.” But in their hurry to grow fast, startups often overlook security. Whether through dependence on insecure systems or through internal vulnerabilities, many startups have faced backlash for not giving cybersecurity the attention it deserves:
- The mobile app Wishbone (a social app for teens) recently had its user data hacked, including emails and phone numbers
- Thousands of unsecured MongoDB instances were wiped out or held for ransom in January
- Many startups recently had sensitive data exposed by Cloudflare’s internal security bug Cloudbleed
Vulnerabilities can have negative effects on a startup's position and growth, ranging from reputation loss, to a disadvantage in fundraising and acquisition (many VC firms audit code at the Series A stage), to legal entanglements. Just ask Yahoo: its acquisition price dropped by $350 million after it disclosed a major security breach.
As the founder of Startup Founder Panel, I recently had the opportunity to interview top cyber security experts and startup founders at WorkBench, an enterprise VC firm. Below is a compilation of best practices you can use to secure your startup.
Your Tech Stack as a Safeguard Against Attacks
In Paul Graham’s classic article on how his company leveraged the programming language Lisp over its competition, he writes:
In a startup, if you bet on the wrong technology, your competitors will crush you.
Although Graham was focusing on how a startup’s tech stack influences speed, it also affects security. With regard to programming languages, having a linter and a type checker available reduces the number of bugs that make it into production. When choosing a database, make sure that you can restrict access to specific IP addresses and enforce validation on the data that gets entered. You also want to use encryption at rest and send data only over secure connections (HTTPS).
When looking at web frameworks, examine their security features and how well maintained their libraries are. How do they prevent cross-site scripting (XSS), cross-site request forgery (CSRF) and SQL injection? These are all important things to pay attention to.
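As an added illustration (not code from the article or from anyone quoted in it), the Python snippet below shows two of the points above in working form: validating data before it reaches the database, and the difference between splicing user input into SQL text and binding it as a parameter. It uses an in-memory SQLite table with constructed sample rows; no web framework is involved.

```python
import re
import sqlite3

# Constructed sample rows for the demonstration (not from the article).
SAMPLE_USERS = [("alice", "alice@example.com"), ("O'Brien", "ob@example.com")]

# Format rules enforced before anything is written to the database.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
USERNAME_RE = re.compile(r"^[A-Za-z0-9_'.-]{1,32}$")


def validate_signup(username: str, email: str) -> bool:
    """Reject sign-up data that does not match the expected shape."""
    return bool(USERNAME_RE.fullmatch(username) and EMAIL_RE.fullmatch(email))


def make_db() -> sqlite3.Connection:
    """Create an in-memory table and load the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (name, email) VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_user_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable form: the name is spliced into the SQL text, so any quote in
    it is parsed as SQL. A harmless name such as O'Brien already breaks the
    statement; that same mechanism is what SQL injection abuses."""
    return conn.execute(f"SELECT id FROM users WHERE name = '{name}'").fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """Hardened form: the name is bound as a parameter and never parsed as SQL."""
    return conn.execute("SELECT id FROM users WHERE name = ?", (name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("validation:", validate_signup("O'Brien", "ob@example.com"))
    print("safe lookup:", find_user_safe(db, "O'Brien"))
    try:
        find_user_unsafe(db, "O'Brien")
    except sqlite3.Error as exc:
        print("unsafe lookup failed:", exc)
```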
When you’re in “hackathon mode”, it’s okay to let some of these things slide, says Mario DiNatale, CIO of Spectrum Virtual. “But when it comes to actually running a company and having paying customers, then you have a moral and ethical obligation to provide them with safe constructs.”
Eric Typaldos, CTO of Hive, says that startup founders may want to set security goals and check in on them at regular intervals.
“It’s extremely important that you plan important milestones, especially around security, scalability and that type of thing, when you’re clear-headed. Most of the time in a startup, your head is down and you’re sprinting. You need to poke yourself at every set period of time to bring your head up and ask, ‘Am I following what I planned when I was clear-headed?’ Because if I’m not, then I need to readjust my course.”
Besides your basic tech stack, consider the open source libraries that you use as well. In many cases, these may need to be audited to pass compliance standards. Steven Schwartz, COO of Cyberfense, explains:
“Open source software has tons of advantages, even just from getting you from A to B in such a quick manner. But you really need to do your diligence in evaluating what software you’re using, because there are licensing and vulnerability issues.”
User Authentication: Best Practices
One challenge for every startup is how to store and use customer information. There are several strategies for user authentication, and it can be difficult to determine which is best for you. They range from rolling your own from online tutorials, to popular open source libraries that require configuration, to third-party services (for example, Auth0) that store user data and handle authentication for you. Which should you use?
Some experts advise against rolling your own authentication because, as a startup, you may not have the resources to patch every vulnerability. Open source libraries can also be problematic, since their breadth of use makes them a big target for attackers. And third-party vendors? Even if they follow all best practices, the liability for your user data still lies with you, not them. As Steven Schwartz explains:
“Even if you are using a third party to host that information, you are liable if that personal information came from you. You are going to get sued, ultimately, if there’s a breach. Then you are going to sue the third party for their errors and omissions, but that’s something to consider.”
Each decision comes with trade-offs. Acknowledge the risks of each option and make an educated decision. Ultimately, your user data is your responsibility, so do your due diligence.
Helpful Tips for Increasing Your Security
Finally, here are some tips that can make your startup more secure with little effort:
- Use a password manager such as LastPass or 1Password. You can then easily share account information between your co-founders and generate unique passwords for every site.
- Enable 2-factor-authentication on all major accounts — Github, AWS, Namecheap, social accounts, etc. Wherever possible use the team functionality on your accounts so that all users have access.
- Don’t store sensitive data on Github, ever! It might seem harmless, especially if it is a private Github repository, but this should be avoided as much as possible.
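One practical way to enforce the last tip is a secret check that runs on every commit. The Python script below is an added example, not part of the article; the diff text and credential values in it are constructed placeholders (the AWS key ID is the public example value from AWS documentation), and the file name check_secrets.py is assumed.

```python
import re
import sys

# Patterns for secrets that commonly end up in commits. The AWS key-ID shape
# (AKIA + 16 uppercase alphanumerics) and PEM headers are real formats; the
# URL and assignment rules are heuristics and will produce some false positives.
RULES = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private_key", re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")),
    ("url_credentials", re.compile(r"://[^/\s:@]+:[^@\s]+@")),
    ("secret_assignment", re.compile(r"(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]?[^\s'\"]{8,}")),
]

# Constructed sample of `git diff --cached` output; none of these values are
# real credentials.
SAMPLE_DIFF = """\
+++ b/config.py
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+DATABASE_URL = "postgres://app:hunter2hunter2@db.internal/app"
+# plain comment, nothing to flag
+-----BEGIN RSA PRIVATE KEY-----
+SMTP_PASSWORD = "s3cr3tpassw0rd"
 context line that is not part of the change
"""


def find_secrets(diff_text: str) -> list[tuple[int, str]]:
    """Return (diff line number, rule name) for every added line that matches."""
    hits = []
    for lineno, line in enumerate(diff_text.splitlines(), start=1):
        if not line.startswith("+") or line.startswith("+++"):
            continue  # only newly added content; skip the file header
        for name, pattern in RULES:
            if pattern.search(line):
                hits.append((lineno, name))
    return hits


if __name__ == "__main__":
    # As a pre-commit hook: git diff --cached -U0 | python check_secrets.py
    text = SAMPLE_DIFF if sys.stdin.isatty() else sys.stdin.read()
    findings = find_secrets(text)
    for lineno, name in findings:
        print(f"line {lineno}: possible {name}")
    sys.exit(1 if findings else 0)
```

A non-zero exit from the hook blocks the commit, so the secret never reaches the repository, private or not.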
Conclusion
Startups can position themselves ahead of their incumbents by putting the right focus on cyber security. This will pay dividends in later growth stages, creating a culture that produces well-vetted code and reduces the risk of a hack or security failure.
Follow @tomgoldenberg on Twitter.
Thanks to Mirza Joldic for editing.
Comment from a Security Delivery Manager (8 years ago): Security by Design should always be the primary goal when setting up your business. Whether it's infrastructure, application or people management, all of these are part of the ecosystem. We often neglect that despite implementing the latest and greatest, human factors are often the weakest links.
Comment from a commenter with the headline “Cybersecurity is Strategy, Architecture and Social Dynamics - Not Open Battle” (8 years ago): Security is extremely difficult to implement at a later stage of your application. It can drive costs through the roof for features that would otherwise cost close to nothing in the beginning. This should be one of the most important considerations when you invest in a product. If you are a developer yourself, start with brushing up on application security (I recommend OWASP.org); if you are contracting it, assess the security knowledge of your contractor (hire a security consultant if you must). Your efforts will pay off handsomely.