Ask HN: As a founder, what do you wish you knew about security?

25 points by ygjb ↗ HN
The reason I ask this question is because I have joined an accelerator program as a security mentor, and would like to focus in on the areas that are going to be of best value.

This question relates to physical, network, application, and operations security, as well as business risk management.

Thanks for your feedback!

2 comments

[ 2.5 ms ] story [ 17.1 ms ] thread
This is some fairly rough feedback, but:

First, I'd like to simply mention that privacy and security are two different but very important things.

The difference is that while your severs may be "secure" from hackers, if you do not take care of data or user privacy people within may have access to sensitive data. It is important to maintain a high threshold for potentially sensitive data.

Some applications that pose privacy risks are Dropbox or Google Drive. Neither encrypts your data, but it is secured and kept private over-the-wire via SSL 256-bit encryption. It is true that both Dropbox and Google have access to your files, but they maintain a privacy policy and hopefully internal policies and systems to prevent just anyone from gaining access to your documents.

Network security in applications is fairly standard, nowadays the Internet can handle SSL pretty well, and with SPDY picking up adoption there is no reason to not enforce SSL for all connections to an applications.

Application security comes in a few ways. As a developer, you want to protect your IP, give the user good performance, but make it hard for jerks (yes, just jerks) from removing any DRM/licencing/registration processes you may have on applications. These types of things are common on mobile apps, it is easy to find re-released mobile apps for Android and iOS devices online if you know what to search or a good repository for it. Application security comes in the shape here that you need to enforce a licencing system that works for you. Many pieces of software out there assist with with, so you may not want to reinvent the wheel, but adding some custom processes here usually results in a good solution until someone with some knowledge has some free time and doesn't want to spend money.

Application privacy is important on mobile and desktop applications as well. The user data you store usually is not as-at-risk as you think, and many developers ignore proper processes as "it's up to the user to keep their device safe." Banks obviously do not feel that way, luckily. Games probably shouldn't bother. Social apps might want to step it up though. If you lose your device a lot of data is available from social apps and applications should simply should have processes to fix this. Twitter and Facebook allow users to do this remotely by rejecting/revoking an application's access to your data, but applications often store data on devices for offline viewing. Therefore this data should would be focus for a developer's concerns.

Encrypting user is a good idea, but is hard to implement unless the team is good with security. Encryption also comes in many levels. It's a very good idea to encrypt your server hard drives or databases, this prevents a lot of low-level attacks onto your system. Key management is therefore also important, and is is where things will get complicated. Encryption is also important for user-entered data however, beyond just encrypting your databases. Because database-encryption is slow, it usually isn't a good idea anyway. Therefore instead of doing that, you should just encrypt the user-entered data that is sensitive.

Network security is unknown to most web developers, who believe that throwing an SSL certificate up makes their applications secure. Obviously, as I mentioned, this helps. However network security comes in many other ways. Applications hosted on shared servers, switch servers. There are so many security risks in shared servers that attempting to control it is not worth the time. This does not include VPS systems however, assuming you are the only root/sudo users authorized. On whatever system you are on, you need to enforce a whitelisting firewall. Web servers should never use a blacklist for this. Most web servers only need a few ports open, so only open those. It's also common practice to leave SSH open, and a lot of people believe that by switching the default port it's magically okay to do so. It's not. Port scanners exist, and are easy to use. Your SSH should only allow connections from authorized network...

I think for me this boils down to 'Unknown unknowns' First I need to have a high level overview of all the different areas that are impacted by security. Then, I need to know which ones are 'mission critical' so to say. Once I kind of know the big picture, and where I should focus my efforts first, I can go and learn by myself and then come to you when I hit bumps in my understanding.

For example, I am trying right now to build my first web app. I know certain 'things' eg don't store user passwords in plain text, don't try to build my own crypto solutions etc. But I have no idea of what possible attack vectors exist, which ones are critical, which ones are covered by using best practices, good frameworks etc. In other words, I have no idea where to start, literally because I have no idea! I am currently going through the matasano challenges, but I can't (at the moment as I have just gotten the first set of challenges) for the life of me see how I should apply this new knowledge to building a web app.

Regarding your question, I see you have maybe already outlined the sections of your high level overview presentation: 1: physical 2: network 3: application 4: operations 5: business risk management

But in all honesty, I really don't even know enough to answer you: What do I wish I knew? Because I didn't even think about those 5 areas even.