Ask HN: How much do you care about security while building an MVP?
I'm in a situation in which I have to decide between security of the application and shipping fast. The idea that we're working is not yet evaluated but we believe it has the potential to go viral. What would be the ideal thing to do here, build the product perfectly or to ship fast and fix later?
16 comments
[ 2.7 ms ] story [ 51.1 ms ] threadSecurity is really, really hard to back-patch - some would say impossible. If it's not there at the beginning then you will either never have it, or you will have to do a complete re-write.
If you have no idea if this MVP has any promise, I'd seek the answer to that and do the barest of minimum security, provided you'll have the willingness to do it right immediately after getting any traction. That can be easy to say and hard to do, of course.
Huge difference between terribly stupid and realistically aware of pros and cons.
If you will be handling sensitive people information then you need to make sure that those are safe. Last thing you want is you new startup to be easily exposed and get a beating.
If someone might just game the site and get something that wont affect anyone else, then you might ignore the fix for a while.
But you should try and build whatever you are with a relative safety net. You cannot have bugs and holes in your system that will expose the system to hackers that will take over everything. Cause then it will be game over for you. No one will trust you afterwards.
Application-level stuff like enforcing that User A can't modify User B's data takes no time to implement, and should flow out into the IDE as fast as the actual code for the feature if you keep it in the front of your mind. It just wouldn't feel right to write the IF block that checks whether a record exists without also checking that its userID matches up with the current logged in user.
Similarly, database constraints all go in at design time. The schema isn't ready until bad data won't fit. No extra time needed there either.
Beyond that, you're into stack and infrastructure security stuff. Pick your platform well and you get most of it for free. Good luck trying to author a SQL Injection bug in a compiled language with parameterized queries, for instance.
Really, it's all about having built things in the past, knowing what sort of issues need worrying about, and getting into a habit of never half-assing things. If you do that, you have to go out of your way to mess things up. It'll feel so wrong to cut corners that it'll probably actually slow you down to do so.
Security is a non-functional requirement [1], not a feature. It is not something you can prioritize on or not. Fortunately getting the basics right on the application level is not that hard, there are already many useful tips in this thread.
[0]: https://news.ycombinator.com/item?id=9369642
[1]: http://en.wikipedia.org/wiki/Non-functional_requirement
I feel somehow though that the line between functional and non-functional requirements are not as well defined when dealing with user data. There is an expectation (even if unrealistic) that the confidentiality, availability, and integrity of the user data will be preserved. Twitter though can serve as a counterpoint to part of this argument (availability).
Are there examples of a successful MVPs that dealt with user data and failed the confidentiality or integrity requirements?
I think there are many examples of successful products that had and/or have security issues. Think of all those apps that transfered user data over insecure connections.
The problem with those non-functional requirements is, that they are not all equally important and their importance varies from product to product. They are often ill-defined and hard to fully formalize. Nevertheless I think there are obvious "industry standards" (Update your stuff, encrypt at least connections).
Programmers and managers are people and mistakes happen, but just ignoring security altogether is negligent and one should be held accountable in the case of damages. Stuff like Sonys ten year old Apache getting hacked simply must not happen.
The federal privacy laws in Germany are quite good in that area [0]. It is explained well how you have to handle other people's data:
Unfortunately I can not find the corresponding paragraph in the part where the punishments are listed. Of course, someone has to drag you to court anyway before anything happens and unfortunately: How is it handled in the US?[0]: http://www.gesetze-im-internet.de/englisch_bdsg/englisch_bds...