Poll: Does your startup try to write secure software?
I would like to capture the general perception about secure development in startups.
Please, also keep in mind that even if your startup doesn't process users' private information (such as financial data or email), your website/application could still be hacked to distribute malware, either exploiting users' browsers or inserting trojans to be downloaded.
For instance, I browse sites I trust with javascript and flash enabled in Noscript, increasing the surface attack.
Also, users are taught to avoid only untrusted websites/applications - and they could blindly trust your startup downloading trojans.
17 comments
[ 3.6 ms ] story [ 41.2 ms ] thread(If you're going to make a poll, I would recommend choosing answers which don't presuppose so much)
The logic for each answer is this:
Answer 2. If you claim to care about security, you should understand the security implications of what you are doing and you are an expert. You can take care of it on your own.
A 1. If you care about security and you aren't an expert, then you don't really understand all security implications of what you are doing and should be basing your judgment on the recommendations of those that do using a systematic process created by experts. You don't need to hire a consultant to do it. You can just buy a few books or read it for free in the Internet.
A 3. If you care about secure software but aren't an expert nor use a systematic process created by experts, then you aren't checking all security implications of what you are doing, but instead checking only for a few generally know flaws.
A 4, 5, 6. You don't understand the security implications of what you are doing and refuses to take the recommendations of those that do.
If this news recommendation site is being constantly hacked to the point in which it has more malware than a porn site, then the developer should consider making it more secure. Otherwise users would not visit it anymore, unless the owner starts to place some hot picures to serve together with the exploits.
Indie developers need to get better at writing software that is secure by default, but they do not need the whole process-driven juggernaut that Microsoft runs internally with things like SWI.
So, I asked because it sounded strange to me that a two-person news-recommendation startup would be spending serious time on security, as opposed to figuring out ways to make money on their property.
The guys at Wordpress and Jommla beg to disagree.
It depends on how popular it is. If the open source version of Reddit becames as popular as Wordpress, then it certainly would get hacked in that manner.
Most startups aren't indies.
For instance, Plentyoffish.com was a ONE person startup not so long ago with revenues of 1MM and 1B pageviews. Just imagine what a news recomendation site with TWO persons would be able to do. :)
You just need to think about the security implications of what you are going to to, do it keeping in mind all that could go wrong, check again what you have done, and keep a spreadsheet registering how well you are doing. And do it systematically.
If you do, I can ask the moderator to delete this one.