“Without Security, you have no business.”
Security needs to be the number one priority for start-ups. Amazon CTO Werner Vogels stated at the Munich Founder Conference Bits & Pretzels why it is so important: “Without security, you have no business.”
Statistics show alarming numbers regarding security. For example, the Web Application Security Report 2016 shows that most websites are vulnerable most of the time. An open critical vulnerability takes more than 300 days, on average, to be fixed.
For startups with limited resources, resource planning is always a balancing act. Allocating resources for security, accounting, legal stuff, or data privacy means less time to focus on important things like product development or sales. As a young company, we face the same problems. As with all the topics, the founders need to have some security knowledge. Here are some questions founders need to be able to answer. Based on the answers, some best practices can already improve the security of a start-up a lot.
- What are the important assets you need to protect?
- Who needs access to which data?
- Which attack are scenarios likely to happen?
Only if you know what you need to protect can you take appropriate action. For a hardware start-up with complex technology, the security aspect looks quite different for a SaaS or e-commerce start-up. Knowing which people are involved in which processes is important to be able to limit access. It is just the baseline to structure access to the data. And if you have some ideas of what attackers want, you give you good information about what you may need protection against. But, again, this heavily depends on what you need to protect.
For many SaaS startups, the answers to the questions may look something like this:
- We have some algorithm or data which we offer online to our customers. We do not want somebody else to gain our private algorithm (or data) and our customer information.
- Our tech people need to know what our software is doing, and our sales team needs to know the customers.
- Attackers may try to hack our website to steal information from us or get access to our services (and then steal information).
As you probably cannot afford some expensive security coaching or audit, use the following best practices to increase your security as a crucial first step.
Minimize Attack Surface Area
Everything available publicly may open an attack vector. Therefore try to limit the public endpoints and secure them properly. For a first step, limit access to all your servers by only allowing login with an SSH key.
Establish Secure Defaults
You may choose to give your users options. Wherever options relate to security, make sure that the defaults are the secure version. For example, you may provide webhooks for your users that are only secured by a hash value as an authentication measure. Do not provide a webhook for everybody by default, but let your users generate them only if they need them.
Principle of Least Privilege
Try to be as restrictive as possible. Just imagine somebody managed to break into some part of the system. In this case, the damage he can do should be as small as possible. Try to grant your services only the privileges they really need to do their work. For example, do not use the root account of your database to connect your web application. Instead, add an extra user for the application with only read/writes access on the tables it really needs.
Principle of Defense in Depth
Even if one line of defense is good, more is better. For example, not only rely on users to log in with username and password but also to add a Two-Factor Authentication. Make sure that users are always properly authenticated before granting access to sensitive information. This prevents anonymous attacks and raises the bar for an intruder.
Programs will fail. Use exceptions in your code to ensure that your code does not allow an inconsistent state of your application. Check those security routines such as authentication are correctly passed before granting privileges. Think of the following code:
f not used.is_authenticated(): fail() return show_content()
Now think of a problem in the fail method. If it does not work correctly, the show_content method is run. To increase security, it is sufficient to switch the statements. Now an error in the fail method has much less effect.
if user.is_authenticated(): show_content() return fail()
Treat all Input as Evil (and Don’t Trust Services)
All input that comes from a user may be malicious. Do not rely on your users to be nice to your system. Use sanity checks to ensure that the data you get from your users does not contain anything malicious. For example, use prepared statements or model bindings when performing database operations. Most frameworks will support you with these programming paradigms and prevent things like SQL injections.
The same is valid for the input you get from third-party services such as your payment provider. If they have a problem with their security, this should not affect you. For example, check if their payment confirmation matches the data you have sent before allowing customers to use your service.
Separation of Duties
Users or services should only be able to do the tasks which are needed in their role. For example, a normal user should not be able to log into an administrator interface. An administrator should not log in as a user and use the software on their behalf. Similarly, a service should have its own database where it can log in to. Ho should not have access to databases from other services. This goes hand in hand with the Principle of Least Privileges.
Avoid Security by Obscurity
Most things get better if people have a look at them. The security of your system should not be dependant on some important information that is not known. For example, an administrator interface available via a secret URL without further security checks is a bad idea. If somebody by accident accesses the site, he can really screw your system. Still, you can keep the URL secret, but this should only be some add-on and not the system’s security measure.
Use standard algorithms
Do not create your own encryption algorithms. Good encryption algorithms have been undergone thorough reviews. Competitions chose encryption standards based on the research of mathematicians and cryptographers. Thus, even though you may have pretty smart people in your company, they likely make mistakes when implementing their own encryption. The same goes for hash functions, (pseudo) random number generators, and so on.
Keep Security Simple
The more code you have, the more possibilities for attack surfaces. Even if it may be hip to use many different services and a complicated design, this comes with the drawback of complexity. Just keep it simple for security’s sake.
Fix Security Issues Correctly
Always appreciate it when somebody tells you about a security problem in your software. Do not think about pressing legal charges or prohibiting talking about the issue. Just fix it correctly!
Most people who will tell you about a vulnerability do want to help you. Just ask them how they found the vulnerability and support them in finding the problem’s cause. Make sure that you implement the fix in all affected parts of your software. For example, a login mechanism problem may affect the user software and an administrator interface if the login code is shared. Test the fix thoroughly and, at best: Automate the test so that you will know if the problem arises again.
Big fat growing cybersecurity ebook
This ebook shows best practices and prevention techniques for keeping vulnerabilities away and securing your web apps.
Free Security Check
We at Crashtest Security provide a security scanner for companies developing web applications. A free security scan on our website can already give insight into the security and show security issues. Check out the free security scan here.
Oh, and if you like what you see and wish to integrate our tool into your dev toolchain, know that we have a special startup package offer.