Why startups should be focusing on security from day one
Thursday, February 18, 2016
Security mechanisms like encryption libraries are not just critical for big corporations like Apple to protect users from government and hackers – they’re also crucial for startups.
Startups need to train up in security during early product development to save themselves from trouble later down the track, Fastly chief security officer and former Mozilla CSO Window Snyder says.
Online startups should seriously consider making a small investment in security training as early as possible, she says.
“Any time in security training can improve your team’s ability to identify security vulnerabilities and eliminate them early on,” Snyder tells StartupSmart.
This security awareness during the initial design stage can help address key architectural issues before an “entire rewrite” of the product is required to move forward, Snyder says.
“I’ve certainly seen some of those and they can be really painful,” she says.
When security concerns and potential problems are addressed during the design process, Snyder says, making the necessary changes can be as easy as working on a whiteboard.
It’s awful the other way round, she says: trying to retrofit security into a product once it has been released and has users to take care of.
“It’s worth spending the time now,” she says.
“It will definitely be rewarding later.”
Leverage security mechanisms like encryption libraries
Facing threats from the US government, Apple has emphasised the need for encryption to protect its users from hackers and criminals.
For startups, Snyder says using tried-and-tested encryption libraries and other security mechanisms on popular platforms will ensure their products are designed to keep users safe.
She says startups should leverage such security mechanisms whether they’re using Windows, Rails or Linux.
“They’ve all got mechanisms that are going to be better tested than anything you end up developing,” she says.
Snyder says the strength of an encryption library is revealed over time, so the most commonly used ones have far more resources devoted to keeping them secure and are inspected regularly.
“You don’t have to roll your own, which is dangerous,” she says.
Having worked as a security expert for giant corporations, Snyder says that even with all of their expertise and manpower it is difficult to identify certain unguarded areas in these systems.
“Sometimes we’ll find vulnerabilities that have been in these crypto libraries for years and it’s not because we’re not looking, it’s because sometimes these things can be subtle,” she says.
Startups with small development teams will be even less equipped to do so, she says.
“So don’t try and reinvent the wheel,” Snyder says.