Do you think about security while making your products? 🔑

Bogomil Shopov - Bogo
29 replies
I picked the "Maker Mindset" topic on purpose :) I carefully review most of the products that I like and comment on here for vulnerabilities or security flaws, and the result is not good. Yesterday, for example, I discovered a big problem in one of the products allowing attackers to exploit it. (I have notified the makers, of course.) So my question is - as a maker - do you think about security at all when you design and implement your idea? Is this one of your checkpoint items, like good UX, nice design, value, etc.?

Replies

Stefan Morris
I fight for the users
Absolutely. Security should be top of mind for anyone creating a product. I've tried to follow best practices; however, I'm no security expert, so interestingly enough I have a meeting with a friend today to review the security of my product. I actually plan on getting certified for my CMS SaaS. Apart from hardening your application, I think it's also important to be sensitive to personally identifiable information - if your application does not need additional information, it's best not to capture it. From a UX perspective this also keeps your forms simpler and avoids having a bunch of "optional" fields in your application. Great topic! Now I wonder who's going to address the importance of proper documentation? 🤔
Bogomil Shopov - Bogo
Products. Security. Privacy. Ethics.
@stefan_morris I couldn't have said it better myself :) What kind of certifications are you looking at for your site, if it's not a secret?
Stefan Morris
I fight for the users
@bogomep I'm not quite sure? That's one of the talking points in today's meeting. I have ISO and SOC 2 on my list, but honestly I don't know.
Bogomil Shopov - Bogo
Products. Security. Privacy. Ethics.
@stefan_morris Both of them are really expensive and time-consuming. Good luck!
Stefan Morris
I fight for the users
@bogomep I've met with a security expert and what I think I'm going to do is develop a roadmap for my app to be secure and compliant. I don't think I'll get certified unless I need to (if a client asks for it and it's worth landing them) but I will focus on getting all the pieces in place so that I am ready when I do need to.
Marin Petrov
Hacker and Painter
Indeed, I have seen many products with obvious vulnerabilities and have always asked myself the same question. I've only developed 2 products in my life, and for both of them it was extremely important to get the security right (which is not easy or obvious at all!). For one of them, we hired an external company to do a security audit for us and fixed all the vulnerabilities that were discovered. There is simply no way to catch everything as a developer, so hiring an external company to do it is probably the easiest way to deal with this.
Bogomil Shopov - Bogo
Products. Security. Privacy. Ethics.
@troll_lock Thanks Marin! There are tools that could help you get started - like a basic SAST or DAST scanner and a basic threat modeling exercise - but I like that you think about that as a maker, which I believe is an exception.
Krasimir Tsonev
I would say yes. Even though nowadays most of the implementation effort is shifted to third parties, so we (the developers) don't do stuff on our own. We just consume APIs. Even in my personal projects I tend to protect assets and users' data.
Bogomil Shopov - Bogo
Products. Security. Privacy. Ethics.
@krasimirtsonev How do you make sure the APIs you use are secure?
Krasimir Tsonev
@bogomep It's a bit of "I trust them". The vendors that we pick are quite big, so I expect that they did their homework. Like Google's cloud platform, for example.
Lisa Dziuba
Maker & PMM. Built & Sold my startup 🦄
@krasimirtsonev Probably, that's top of mind for engineers 🤔
Krasimir Tsonev
@lisadziuba Unfortunately we have to be pragmatic :) I kinda prefer to pay the smarter guys for what they do best, and I focus on my business case features.
Jonathan Massabni
Product Enthusiast. Travel & Fintech
Security over design and adding functionalities, anytime! If we don't handle it from the start it'll add up quickly and become too big of a task to come back to. To a certain degree, quality and added value of a product could come before, because it starts with answering a need. But definitely security before launch.
Bogomil Shopov - Bogo
Products. Security. Privacy. Ethics.
@jonathanm Well said. Thanks for answering my question. What do you think a maker should do if they need to plug in the security they need when they "come back to it"?
Jonathan Massabni
Product Enthusiast. Travel & Fintech
@bogomep I'm no security expert, unfortunately, so I understand other makers that don't have the resources at the beginning. If starting from zero: with my knowledge level I would start with something fun like cleaning up the data structure (remove needless information, hash appropriate values, create solid relationships, etc.). Then, doing simple things that will help new development, like using parameters to fetch secrets, creating layers to handle sensitive data and upgrading libraries. If starting from a more advanced level: probably prioritize using tools out there like Kenna Security that give a score to vulnerabilities. But curious to know the real answer from experts as well!
Ng Fang Kiang
Digital Nomad & Remote Work @ jorcus.com
Yes, this is important to me as an internet security enthusiast. I do a lot of testing for XSS, CSRF, SQL injection, etc. before publishing new features. I wouldn't focus too much on the design, as long as it's simple, fast, and useful. Design and UI/UX are just "good to have" for me. However, safety is always a must for me.
Bogomil Shopov - Bogo
Products. Security. Privacy. Ethics.
@jorcus Do you use any tools for that, or do you build your own process?
Lisa Dziuba
Maker & PMM. Built & Sold my startup 🦄
@jorcus
> I do a lot of testing for XSS, CSRF, SQL injection, etc. security before publishing new features.
I have no idea what that even means 🙈
Nik Shevchenko
Help makers build products with no code
@jorcus @bogomep Also, most startups don't have a "security process", maybe some bullet points like using 1Password.
Lisa Dziuba
Maker & PMM. Built & Sold my startup 🦄
When you are an early-stage startup, security might be forgotten. The main goal is to launch something fast and get the first users. Unfortunately, security is not on the checklist.
Nik Shevchenko
Help makers build products with no code
For every founder who faced some security problems in the past, this becomes important. Otherwise, most founders & makers would not focus on it.
Nik Shevchenko
Help makers build products with no code
Unless you are making a fintech startup :)
MARINA S
Work-Life balance is The New Normal
Interesting discussion. Bookmarked.
Kalo Yankulov
Founder of Encharge.io
Not as much as we should. Definitely not a part of the process like UX, UI, etc. Where should we start from?
Dawood Ikhlaq
Cyber Security Researcher
While we were making our product we didn't have a lot of resources, i.e. money. Further, we used a lot of open source software to speed up development and reduce cost, so we made a road plan for securing our website. It's really simple and as follows:
1: we scan our app every day using a good scanner like ZAP
2: we keep track of all of our open source components for future vulnerabilities with https://vulert.com; this way we don't have to worry about those.
I think this was the cheapest way for us to protect security within our application. Best
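The daily ZAP scan described above only pays off if someone actually looks at the result each day. As an added example (not from the thread or from ZAP itself), this script triages a ZAP JSON report: it counts alerts per risk level, fails the build at a chosen risk threshold, and diffs today's scan against yesterday's so only new findings need attention. It assumes the JSON layout that ZAP's baseline/full-scan scripts write with -J (a "site" list with "alerts", each carrying "pluginid", "riskcode" "0"-"3" and "instances" with a "uri"); check those keys against the ZAP version you run.

```python
"""Triage a daily OWASP ZAP scan from its JSON report (added example).

Assumed report layout (verify against your ZAP version): top-level "site"
list, each site with "alerts", each alert with "pluginid", "name",
"riskcode" ("0" Informational .. "3" High) and "instances" holding "uri".
"""
import json
from collections import Counter

RISK = {"0": "Informational", "1": "Low", "2": "Medium", "3": "High"}


def alerts(report_json):
    """Yield (pluginid, name, riskcode, uri) for every alert instance."""
    for site in json.loads(report_json).get("site", []):
        for alert in site.get("alerts", []):
            for inst in alert.get("instances", [{}]):
                yield (alert["pluginid"], alert["name"], alert["riskcode"], inst.get("uri", ""))


def count_by_risk(report_json):
    """Number of alert instances at each risk level, keyed by risk name."""
    return Counter(RISK[risk] for _, _, risk, _ in alerts(report_json))


def should_fail(report_json, fail_at="2"):
    """True if any alert is at or above fail_at (default "2" = Medium)."""
    return any(risk >= fail_at for _, _, risk, _ in alerts(report_json))


def new_since(today_json, yesterday_json):
    """Alert instances (by plugin id and URI) that yesterday's scan did not report."""
    seen = {(p, u) for p, _, _, u in alerts(yesterday_json)}
    return sorted({(p, n, r, u) for p, n, r, u in alerts(today_json) if (p, u) not in seen})


# Constructed sample reports shaped like ZAP output (not real scan results).
YESTERDAY = json.dumps({"site": [{"@name": "https://app.example.test", "alerts": [
    {"pluginid": "10038", "name": "CSP Header Not Set", "riskcode": "2",
     "instances": [{"uri": "https://app.example.test/"}]}]}]})
TODAY = json.dumps({"site": [{"@name": "https://app.example.test", "alerts": [
    {"pluginid": "10038", "name": "CSP Header Not Set", "riskcode": "2",
     "instances": [{"uri": "https://app.example.test/"}]},
    {"pluginid": "40012", "name": "Cross Site Scripting (Reflected)", "riskcode": "3",
     "instances": [{"uri": "https://app.example.test/search"}]}]}]})

if __name__ == "__main__":
    print(dict(count_by_risk(TODAY)))  # {'Medium': 1, 'High': 1}
    for p, n, r, u in new_since(TODAY, YESTERDAY):
        print(f"NEW {RISK[r]:<7} {p} {n} at {u}")
    raise SystemExit(1 if should_fail(TODAY) else 0)  # non-zero exit fails the daily job
```

Run it from the same cron or CI job that produces the report and keep the previous day's report alongside it; a non-zero exit is what turns the scan into a gate rather than a log nobody reads.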
Bogomil Shopov - Bogo
Products. Security. Privacy. Ethics.
@daudmalik06 That is indeed a good start!
Alex
Learning ways to help secure startups
I'm not a founder/maker myself (hope to be one day), but I work for a very young startup. We've tried to build in good security practices from the beginning: code reviews, open source code scanning, public vuln scanners, regular patching, scrutinising dependencies, group discussions about new high-risk features, bug bashes, a security email alias for notifications, free secure code training, data minimisation. We're lucky that two of the co-founders are experienced engineers who are both very security aware. Application security is both hard and fun in my experience, especially with the fast pace of changes demanded of startups trying to gain new customers. I think it's about building layers of protection consistently over time. Just "thinking" about security is great, because then you start to ask yourself questions and learn those answers. "Why do I keep seeing the acronym XSS on these free reports?", "There's a news article about a company I know being hacked because of something called a third-party dependency". That knowledge builds up and hopefully sticks every time you make something new. Do you have a go-to list of checks when building new things?