Do you think about security while making your products? 🔑

Question

I picked "Maker Mindset" topic on purpose :) I carefully review most of the products that I like and comment on here for vulnerabilities or security flaws and the result is not good. Yesterday I discovered a big problem in one of the products for example allowing attackers to exploit it. (I have notified the makers of course)

So my question is - as a maker - do you think about security at all when you design and implement your idea? Is this one of your checkpoint items as good UX, nice design, value, etc?

Stefan Morris · Accepted Answer

Absolutely. Security should be top of mind for anyone creating a product. I've tried to follow best practices, however I'm no security expert so interestingly enough I have a meeting with a friend today to review the security of my product. I actually plan on getting certified for my CMS SaaS.

Apart from hardening your application, I think it's also important to be sensitive to personally identifiable information - if your application does not need additional information, it's best to not capture it. From a UX perspective this also keeps your forms simpler and avoids having a bunch of  "optional" fields in your application.

Great topic!

Now I wonder who's going to address the importance of proper documentation? 🤔

Krasimir Tsonev · Answer

I would say yes. Even tho nowadays most of the implementation efforts are shifted to third parties so we (the developers) don't do stuff on our own. We just consume APIs.

Even in my personal projects I tend to protect assets and user's data.

Jonathan Massabni · Answer

Security over design and adding functionalities anytime! If we don't handle it from the start it'll add up quickly and become to big of a task to come back to it. 
To a certain degree, Quality and Added Value of a product could come before because it starts with answering a need. But definitely security before launch

Marin Petrov · Answer

Indeed I have seen many products with obvious vulnerabilities and have always asked myself the same question. I've only developed 2 products in my life and for both of them were extremely important to get the security right (which is not easy or obvious at all!) For one of them, we hired an external company to make us a security audit and fixed all the vulnerabilities that were discovered. There is simply no way to catch everything as a developer so hiring an external company to do it is probably the easiest way to deal with this.

Jonathan Massabni · Answer

@bogomep I’m no security expert unfortunately so I understand other makers that don’t have the resources at the beginning.

If starting from zero : with my knowledge level I would start with something fun like cleaning up the data structure (remove needless information, hash appropriate values, create solid relationships, etc.)
Then, doing simple things that will help new development like using parameters to fetch secrets, creating layers to handle sensitive data and upgrading libraries.

If starting from a more advanced level : probably prioritize using tools out there like Kenna Security that gives a score to vulnerabilities.

But curious to know the real answer from experts as well!

Stefan Morris · Answer

@bogomep I've met with a security expert and what I think I'm going to do is develop a roadmap for my app to be secure and compliant. I don't think I'll get certified unless I need to (if a client asks for it and it's worth landing them) but I will focus on getting all the pieces in place so that I am ready when I do need to.

Mario Camús 🤓 · Answer

I think we tend to focus way more on features, UX, design and other stuff rather than on security. But I think that on early stages is not that important, right? I'd like to know what other people think

Nik Shevchenko · Answer

@jorcus @bogomep Also, most startups don't have "security process", maybe some bullet points like using 1Password.

Bogomil Shopov - Bogo · Answer

@troll_lock Thanks Marin! There are tools that could help you to start - like a basic SAST or DAST scanner and a basic Threat modeling exercise, but I like that you think about that as a maker which I believe is an exception.

Nik Shevchenko · Answer

For every founder who faced some security problems in the past, this becomes important. Otherwise, most founders & markets would not focus on it.

Ng Fang Kiang · Answer

Yes, this is important to me as an internet security enthusiast. I do a lot of testing for XSS, CSRF, SQL injection, etc. security before publishing new features.

I wouldn't focus too much on the design, as long as it's simple, fast, and useful. Design, UI/UX are just "Good To Have" for me. However, safety is always a must for me.

Stefan Morris · Answer

@mariocamus It's easy to paint yourself into a corner if you are not considering security during the design phase. I consider PII (personally identifiable information) part of security for example, which would involve what data you capture from the end user. To address this at the end of your project would then mean you have to go back and alter your input forms and functionality.

Kalo Yankulov · Answer

Not as much as we should. Definitely not a part of the process like UX, UI, etc.

Where should we start from?

Stefan Morris · Answer

@bogomep I'm not quite sure? That's one of the talking points in today's meeting. I have ISO and SOC 2 on my list, but honestly I don't know.

MARINA S · Answer

Interesting discussion. Bookmarked.

Do you think about security while making your products? 🔑

Replies