Could someone share their own experience? I want to understand the mindset, the necessity of "Oh, I need a security guy to help me now." Does this moment happen only if your company was hacked? Does it happen when your customer asks for it? Is it fear? Please share your own experiences.
It depends on the type of product you are building. In most cases, your tech lead should know the standard security measures and implement them from day one. That includes proper authentication, authorization and access control. Things like:
- don't store the raw password in the database
- implement an expiry period for session tokens
- don't commit API keys to the repo
- sanitize user input to prevent JS injection
- use an ORM so you don't need to worry about SQL injection
are necessary from day 1 and there is no reason for them to be overlooked. Also, someone having access to and reading your source code and fully understanding your internal system logic should not be able to find a way to get access to a piece of information from your database that they are not supposed to. That's not acceptable at any time, unless your product is just a prototype and not in production. So as long as you are aware of these basic security measures, you are good for a long time.
Once you are getting serious traction and generating revenue, a senior generalist tech guy on your team should be able to handle many of the standard and mainstream security measures. Most security holes are the result of developer neglect or outdated software. They can be reduced by peer reviews, pair programming and automated testing, making sure you have a process for keeping everything up to date, using an infrastructure that provides it out of the box, like Amazon RDS or Heroku, and outsourcing the storage of sensitive information like credit card info to third-party platforms. Most problems at this stage are caused by bots and generic malware. Things like someone submitting the sign-up form a hundred thousand times can be prevented by tools like reCAPTCHA or requiring email confirmation, etc. Still no need for a security guy on your team to have these in place.
Then comes a day when your product is popular enough that downtime in the system or a data breach is very bad PR and would hurt the company tangibly. You are afraid that someone, a hater, a competitor or for any other reason, might be interested in taking malicious action against your system, things like a DDoS attack, finding a breach in your platform or stealing credit card information. It's usually a stage where the company has hundreds of thousands, or millions, of users. That's the time you would need a security guy on your team. Your tech team is probably ten or more people and, doing the math, paying the salary for such a security expert pays off to prevent such financially adverse impacts on your company. Remember, most hackers do not do it for fun; there must be an incentive for them to harm your company. Hacking is not easy either, it takes time and expertise, so unless you can think of a reason that someone could benefit from hacking your system, there is no need to panic.
If security and encryption is your competitive advantage, one of your main features, or if data and privacy is inherently sensitive in your platform, then you definitely have to have a security expert in your team from day one: e.g. you are building an end-to-end encrypted messaging platform, a payment gateway, a blockchain etc.
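The day-1 checklist in the answer above, as an added example that is not code from the thread or from any poster: salted password hashing with a constant-time check, session tokens with an absolute expiry, and a parameterised query next to the string-concatenated one it replaces (the mechanism an ORM relies on under the hood). The user table, the two accounts, the `pbkdf2_sha256$...` storage format, the one-hour TTL and the function names are all assumptions constructed for this example.

```python
import hashlib
import hmac
import secrets
import sqlite3

# Hypothetical minimal user store, constructed for this example (not code from the thread).
PBKDF2_ITERATIONS = 600_000   # OWASP's current floor for PBKDF2-HMAC-SHA256
SESSION_TTL_SECONDS = 3600    # assumed one-hour session lifetime


def hash_password(password: str) -> str:
    """Store a random salt, the work factor and the derived key, never the raw password."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the derived key with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def issue_session(sessions: dict, user_id: int, now: float) -> str:
    """Random, unguessable token with an absolute expiry; `now` is passed in so callers control time."""
    token = secrets.token_urlsafe(32)
    sessions[token] = (user_id, now + SESSION_TTL_SECONDS)
    return token


def session_user(sessions: dict, token: str, now: float):
    """Return the user id for a live token, or None if unknown or expired (expired tokens are dropped)."""
    entry = sessions.get(token)
    if entry is None:
        return None
    user_id, expires_at = entry
    if now >= expires_at:
        del sessions[token]
        return None
    return user_id


def make_db() -> sqlite3.Connection:
    """In-memory SQLite with two constructed users; passwords go through hash_password()."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE, pw TEXT)")
    conn.executemany(
        "INSERT INTO users (email, pw) VALUES (?, ?)",
        [("alice@example.com", hash_password("correct horse")),
         ("bob@example.com", hash_password("battery staple"))],
    )
    conn.commit()
    return conn


def find_user_unsafe(conn: sqlite3.Connection, email: str) -> list:
    """Vulnerable: the caller's text is spliced into the SQL, so a quote in it becomes SQL."""
    return conn.execute(f"SELECT id, email FROM users WHERE email = '{email}'").fetchall()


def find_user_safe(conn: sqlite3.Connection, email: str) -> list:
    """Parameterised: the driver sends the value separately, so quotes stay data."""
    return conn.execute("SELECT id, email FROM users WHERE email = ?", (email,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    payload = "x' OR '1'='1"
    print("unsafe:", find_user_unsafe(conn, payload))   # every row comes back
    print("safe:  ", find_user_safe(conn, payload))     # no such email, empty list
    stored = conn.execute("SELECT pw FROM users WHERE email = ?",
                          ("alice@example.com",)).fetchone()[0]
    print("login ok / wrong:", verify_password("correct horse", stored), verify_password("wrong", stored))
    sessions = {}
    tok = issue_session(sessions, 1, now=0.0)
    print("t=10:", session_user(sessions, tok, 10.0), "t=3600:", session_user(sessions, tok, 3600.0))
```

Running it shows the injected `x' OR '1'='1` returning both users through the concatenated query and nothing through the parameterised one, the stored value for alice starting with `pbkdf2_sha256$` rather than the password, and the same token accepted at t=10 but rejected (and evicted) once the TTL has passed.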
I couldn't agree more with what @Sina said: you need to have security covered from the very first day. I work for a small software house part time and we had a security breach, so we deployed EMS (enterprise mobility security), which really helped us a lot. You can read more about EMS, but here's the overview:
I'm a software engineer and security is the first thing I address when starting a new project. Both Sina and Tess have very good points about it. Yes, it can be considered a chore, but well worth it.
Consider this analogy:
You are the leader of a village and surrounding your village are other friendly and not so friendly villages. You could build a wall to protect your village, the wall being security. Should you build a wall around your village to keep out the not-so-friendly villages? It would be an expense and inconvenience up front to build the wall, but it would only be done once. Without a wall, your village could be repeatedly raped and pillaged. As a leader of the village, which would you do? Personally, I would build the wall, but not everybody shares my opinion.
Thank you for both answers.
There is no 100% secure system. Today every system or asset is a target for hackers. So we should evaluate our system's security risks. We can do this with a risk analysis. After identifying the system's security risks we can choose one of the following options:
· Accepting the risks and living with them
· Taking some precautions to reduce the risks
· Declining to use the system
· Outsourcing the risks
Security is a mindset, and should always be considered. Who wants a child's abduction on their conscience? That's a quick example of physical security. How about someone stealing your customer list or credit cards from you? That could easily be an employee with designs on taking advantage of their position. It happens every day.
So the answer is the moment you decide to go into business. Obviously the bigger your company gets, the more you can do, but best practices start on day 1.