Encrypt Your Data: A Data Breach is Never a Good Problem to Have.
If you’re not getting hacked, then you’re probably not important enough to matter. For the few startups that do make it, you’re going to get unsolicited feedback from the security community. The attention will be especially early if you go around boasting how secure you are.
You mine as well just paint a giant red bullseye on your product.
But do you seriously think that when the hackers come knocking at your doors, then that will be an excellent indicator to prioritize that backlog of good-problems-to-have in security? Rush out and hire a security expert or two? By then, it is too late. Your credibility is on the floor, crying. Or laughing. It doesn’t matter. The privacy of your user’s data is at stake. The viability of your company dangles in the balance between CCPA and GDPR and HIPPA and whatever your new hacker friends are about to do. And here, you thought you could power through it? Will it away? Hit it with a bat until it starts working? Well, “working” is not the same as “working securely,” which several startups keep on learning the hard way.
Ignoring security Doesn’t Make You Focused, It Drains Your Credibility
Whenever we build the first version of anything, we tend to ignore security. Even if we intend to make something secure, we often start with something that works. It’s a beautiful place to start. So, why not ship? You’ll have no customers to start anyway.
The world’s ransomware artists, and botnet developers, and white hat security researchers trying to make a name for themselves, are all praying that you release it, just like that — no security review. No encryption. No pen-testing. Go ahead, focus on that product-market feedback loop. Optimize your widgets and dingdongs for optimal product-market fit with early feedback. Land that next round of funding after 10x’ing your metrics. Because after all, ransomware attacks and bug bounty can be expensive.
Waiting until security becomes “a good problem to have” doesn’t mean you’re focused. It means you’re optimized to fail.
The only way it’s ok to ignore security, is if you’re expecting no one to use your platform. No one will hack a useless and unknown service.
The same things that makes you attractive by Investors is the same things that makes you attractive by hackers:
lots of users and lots of data.
Ignoring security means you have turned your investor’s stake into a sure-loss since your startup becomes a ticking timebomb. It’s never a question of “if it gets hacked,” it’s a question of “when it gets hacked.” And, preparing for that moment before it’s knocking on your front door is the only way to turn adversity into a credibility win.
Fake Security Is The Most Dangerous Kind Of Security
The software doesn’t matter — people matter. And when people use your app for the purported security features, they are depending on you getting it right. As engineers, as leaders, we take on a huge responsibility when we make security claims. App security may even directly impact the physical safety of a user. And when we fail our users, it doesn’t matter if it’s due to ineptitude or marketing lies, we are putting people’s livelihoods in danger.
For example, on August 24, 2020, whitehat security researchers published an unsolicited security analysis of Bridgefy, a peer to peer secure communication platform designed to be censor-resistant and safe during peaceful protests against hostile state-actors. At the time of publication,
security researchers found was a laundry list of poor security decisions that led to serious questions about Bridgefy’s credibility and security
To summarize, the attacks included:
- Local user tracking
- Participant discovery
- IND-CPA (Indistinguishablility under chosen-plaintext attack)
- Plaintext file sharing
- Padding oracle attack (against RSA PKCS#1 v1.5)
- Padding oracle from timing side-channel
- And both targeted and general DoS
To translate these into specific failures, this allows state actors trying to censor and topple a peaceful demonstration, too, for example,
- Deanonymize users
- Build graphs of users’ interactions
- Decrypt and read all communications
- Impersonate anyone
- Shutdown the network
Maybe these don’t seem like a big deal. Still, if a protestor in Belarus picked up Bridgefy, the expectation is that it lives up to its security claims because a dictator suppressing a democratic revolution makes for a dangerous adversary.