Startups slack on security
By Gabey Goh July 14, 2014
- Too many startups and app developers build first and secure later
- Security should be a priority for any developer or startup from day one
A security professional once sent me a message in response to a story I wrote about a corporate cybersecurity breach.
“You know, sometimes it’s not completely the fault of the company security guy. The products that employees insist on using like consumer or third-party apps are inherently vulnerable,” he said to me.
It was a very valid point, and I promised him that I would “balance things out.”
So today’s column is devoted to an ongoing gap in the never-ending cat-and-mouse game of cyber-security: startups and app developers who build first and secure later.
This is an especially acute problem in the world of mobile apps.
A recent HP Security Research study found that 97% of apps tested could access at least one source of private information, 86% of apps failed to use simple protections against modern-day attacks, and 75% of apps do not use proper encryption techniques when storing data on a mobile device.
When I spoke with developer friends for insights, all insisted that they do prioritise security, but all were also quick to admit that they were probably exceptions to the rule.
“It’s quite true that many developers and startups don’t think about security. Look at the nature of startups themselves – they need to push things fast and get things out of the door quickly. Securing every possible attack vector just slows things down,” said one freelancer friend.
Jermaine Cheah, an independent developer, pointed out that security wouldn’t even be in the top three of many a startup’s priority list.
“The first concern is speed of development, that janji work [as long as it works] mentality. After which, startups foresee that things would change and choose to take the ‘easy way out,’ which evolves into a bad habit.
“Also, startups are struggling for survival, so the thinking is ‘why care about security?’ Focus on getting the dough in first,” said Cheah.
He said that the lesson learnt from his own experience was that ignoring security amounted to doing double the work, as it is “all the nitty-gritty details” which make an app secure.
Francisco Jimenez, an independent developer based in Austin, Texas, agreed that security isn’t a priority for many of his peers, but pointed out that “developers don’t do it intentionally.”
“They are thinking of ways to always improve the product but the life of a startup is held by timelines that defy human capacity.
“Time as a constraint leads to priorities on product development; and security, not being fundamental for core functions, is mostly forgotten … not devalued or overlooked, but simply forgotten,” Jimenez said.
Cheah argued that it’s also a market-demand issue. “With security awareness here in Malaysia for digital security still quite low, the thinking is, why provide security when it isn’t asked for?”
That lack of demand for security was a view echoed by Stefan Tanase, a senior security researcher from Kaspersky Lab whom I recently interviewed, and it is a global problem.
“With small to medium websites and apps, they’re usually developed by one person or a small team. They get a list of features from a client and have to implement them fast and most of the time, security is not on the list.
“The thing is that customers are not specifically asking for security and while some developers may be security-savvy, all of them don’t have the time,” he said.
Tanase believes that part of the problem lies in education, with many young developers graduating knowing how to code, but not how to code securely.
“It’s important to teach young developers to code securely. They spend four years in university learning in a bubble, and once they get out into the world and start creating insecure apps, that’s when issues arise.
“In an ideal world, all customers would be savvy enough to ask for security, but the problem then is, the more security you want the more complex the solution or product gets,” he said, alluding to the adage that “convenience trumps security.”
Meanwhile, Jimenez noted that while security is important, when a startup’s first batch of users is going to be a small group, there’s not much to worry about.
“But the problem arises when one stops being a startup and starts growing rapidly, especially when experiencing ‘overnight success.’
“One will not notice at first that security matters until the first attack happens, and that chance of doing things right fades away,” he said.
Indeed, one only has to look at the security vulnerabilities affecting popular apps such as WhatsApp, and of course Snapchat’s high-profile data breach this year that exposed 4.6 million user names and phone numbers despite earlier warnings from the security community.
Developing products in a secure manner must become a priority for any developer or budding startup from day one, in spite of the multiple challenges in keeping things afloat during the early days.
Do not underestimate the ingenuity of enterprising hackers seizing upon your product’s popularity for their own personal gain.
And with more public awareness about the risks involved in living a digital life, do not expect your customers to remain loyal when the trust you have built with them is broken with a security breach.
So to developers and startup founders out there, ask yourself this when you develop your app: Are you thinking about security?
And, for the love of all that is sacred in this world, don’t store passwords in plain text!
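One concrete version of that last instruction, as an added example that is not part of the original column: keep a random salt and a PBKDF2-HMAC-SHA256 hash of the password, never the password itself, using only Python’s standard library. The record layout, iteration count and function names here are assumptions for illustration, not anything from the column.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed work factor for this illustration; raise it over time as hardware gets faster.
ITERATIONS = 200_000
SALT_BYTES = 16


def plaintext_store(password: str) -> dict:
    """The pattern the column warns against: a leaked row hands over the secret itself."""
    return {"password": password}


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Return a storable record {salt, iterations, hash}.

    A fresh random salt is generated per user unless one is supplied, so two users
    with the same password still get different stored hashes.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "iterations": ITERATIONS, "hash": digest.hex()}


def verify_password(record: dict, candidate: str) -> bool:
    """Recompute the hash with the stored salt and iteration count, then compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


if __name__ == "__main__":
    # Constructed sample credential; what a leaked database row would expose in each scheme.
    secret = "correct horse battery staple"
    print("plaintext row:", plaintext_store(secret))
    rec = hash_password(secret)
    print("hashed row:   ", rec)
    print("login ok:     ", verify_password(rec, secret))
    print("wrong pw:     ", verify_password(rec, "wrong password"))
```

A leaked hashed row still needs to be treated as a breach, but it forces an attacker to guess passwords one expensive hash at a time instead of reading them off.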
This column originally appeared in the Metro Biz section of The Star and is reprinted here with its kind permission.