Questions Founders Asked: Security
Bhairav Patel
Experienced CTO saving you time, money and stress when implementing tech solutions | Podcaster | Start-up Mentor | Fractional CTO Services
I was talking to someone the other day about how much I hate writing articles and blogs (that's why I started the Atom Ventures Podcast), and then I realised that most days I end up writing long emails because founders ask me questions and I answer them as best I can in the time I have available. Sounds like a blog, right?
I therefore decided to start "Questions Founders Ask".
The idea is that if I get asked a question and find myself writing a long email, I'm going to share that email with others - not because I think I know it all but precisely because I don't.
I'm hoping that what I write is accurate and, if not, you have the comments section to correct me!
I'll also tag people who know more about the detail than I do to set the record straight.
So, I was asked these 3 questions by a founder:
"It would be good to know your thoughts/recommendations for the below:
1. Digital security for the web application
2. Ongoing cost management for a tech product
3. Security concerns that a non-technical founder tends to miss"
Where do I start? Bearing in mind that I don't know much about their idea / product and that this was pro-bono help that I was offering, this is what I replied:
Web Application Security
This is pretty well-worn territory and there are plenty of online resources that can guide you on web application security best practices, but the best starting point is the OWASP Top 10:
https://owasp.org/www-project-top-ten/
This is a list of security concerns / vulnerabilities that is updated regularly to keep up with modern threats.
At the base level you should be ensuring the following things:
- Least-privilege access to data within the web application, i.e. if you have a backend application then make sure people can only access the data they need
- User access policies, i.e. only people who need access to parts of the architecture should have it: not everyone should have access to the DB, and DB roles should follow least privilege
- Strong password policies
- Guarding against bots using things like Captcha
- Securing API endpoints (the recent Parler attack shows you what happens with poorly secured endpoints)
- Data encryption at rest i.e. encrypting data within the database, especially personally identifiable info
- Protecting backups
- Understanding the vulnerabilities in any 3rd parties you are integrating with
- Storing passwords in key vaults
- Ensuring the code itself doesn’t have any vulnerabilities (you can use code scanners to help out here)
As you can see there is a lot here, and you should definitely have a penetration test of the application done before you start taking money.
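As an added illustration of the least-privilege DB roles point above (this is not from the original article): a PostgreSQL setup where the web app and a reporting user each get only the grants they need, shown against the common weak setting of letting the app connect as the superuser. The database, table and role names are assumptions.

```sql
-- Weak setting (constructed example): the web app connects as the superuser,
-- so any SQL injection or leaked connection string gives full control of the DB.
--   DATABASE_URL=postgres://postgres:secret@db/shop

-- Corrected: one role per job, each holding only the privileges it needs.
-- Role and table names ("shop", "app_rw", "app_ro", "customers", "orders",
-- "user_credentials") are assumptions for this example.
CREATE ROLE app_rw LOGIN PASSWORD '<set-from-key-vault>';  -- the web application
CREATE ROLE app_ro LOGIN PASSWORD '<set-from-key-vault>';  -- reporting / analysts

-- Start from nothing: strip the default grants every role inherits via PUBLIC.
REVOKE ALL ON DATABASE shop FROM PUBLIC;
REVOKE ALL ON SCHEMA public FROM PUBLIC;
GRANT CONNECT ON DATABASE shop TO app_rw, app_ro;
GRANT USAGE ON SCHEMA public TO app_rw, app_ro;

-- The app can read and write business tables, but cannot DROP, ALTER or
-- TRUNCATE them, and gets no DELETE until a feature actually needs it.
GRANT SELECT, INSERT, UPDATE ON customers, orders TO app_rw;
GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA public TO app_rw;

-- Analysts only read, and never see personal columns they don't need:
-- grant per column rather than per table.
GRANT SELECT ON orders TO app_ro;
GRANT SELECT (id, created_at) ON customers TO app_ro;

-- Credential hashes stay out of reach of both roles.
REVOKE ALL ON user_credentials FROM app_rw, app_ro;

-- Verify: table-level grants should list only the lines above,
-- and neither role should carry the superuser flag.
SELECT grantee, table_name, privilege_type
FROM information_schema.role_table_grants
WHERE grantee IN ('app_rw', 'app_ro')
ORDER BY grantee, table_name;

SELECT rolname, rolsuper, rolcreatedb
FROM pg_roles
WHERE rolname IN ('app_rw', 'app_ro');
```

The app's connection string then uses app_rw, with the password pulled from the key vault rather than committed to config.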
Ongoing Cost Management
This is really a “how long is a piece of string” question.
Ongoing costs all depend on the architecture that underlies the platform, but broadly speaking your costs break down into:
- Infrastructure costs
- Development / maintenance costs
- Licensing costs
To manage your infrastructure costs I’d recommend using one of the cloud service partners such as Bytes or SoftwareOne, as they give you tools that provide good visibility into your costs and can help you manage them. With infrastructure, don’t forget that there are costs not only for servers, databases etc. but also for moving data around, so be careful that those costs don’t escalate quickly, especially when you have a streaming service.
Development costs depend on what it is you want to develop, and 3rd-party costs depend on how the platform is architected.
Security Concerns that non-tech founders miss
This is an easy one. Most founders don’t think about operational security, i.e. employees and passwords to things like email, file sharing etc.
People spend a lot of money securing their web application and not a lot of time thinking about how to secure the activities of their day-to-day business.
Are you sure that the Excel files you sent out are going to the correct people? How do you know that IP isn’t being stolen by an internal employee? Who are you sharing files with? Who are you sharing meeting information with? What productivity tools are you using, and do you know what they are doing with your data?
Any seasoned CTO knows that there is much more detail you can go into, but I thought this was good enough for a starting point.
What do you think? Comments welcome!
To speak to us, feel free to reach out via the following means:
URL: www.atomcto.com
Email: [email protected]
Twitter: @atomcto
ICS Commercial Lead - NIS 2 / IEC 62443 / ETSI 303645 / PSTI
1 yr
In relation to point 3, I would say not understanding risks in the supply chain, because as NCSC describes, 'vulnerabilities can be inherent, or introduced and exploited at any point...', so it is a journey, not a destination.
This is a more pragmatic intro to the topic than sending a founder the NIST CSF framework, not that I would do that ;)