Do you think about security while making your products? 🔑

I picked "Maker Mindset" topic on purpose :) I carefully review most of the products that I like and comment on here for vulnerabilities or security flaws and the result is not good. Yesterday I discovered a big problem in one of the products for example allowing attackers to exploit it. (I have notified the makers of course) So my question is - as a maker - do you think about security at all when you design and implement your idea? Is this one of your checkpoint items as good UX, nice design, value, etc?

Replies

Krasimir Tsonev
I would say yes. Even tho nowadays most of the implementation efforts are shifted to third parties so we (the developers) don't do stuff on our own. We just consume APIs. Even in my personal projects I tend to protect assets and user's data.
Bogomil Shopov - Бого
@krasimirtsonev How do you make sure the APIs you use are secure?
Krasimir Tsonev
@bogomep It's a bit of "I trust them". The vendors that we pick are quite big so I expect that they did their homework. Like Google's cloud platform for example.
Krasimir Tsonev
@lisadziuba unfortunately we have to be pragmatic :) I kinda prefer to pay to the smarter guys for what they do the best and I focus on my business case features.
Lisa Dziuba
@krasimirtsonev Probably, that's top of the mind for engineers 🤔
Stefan Morris
Absolutely. Security should be top of mind for anyone creating a product. I've tried to follow best practices, however I'm no security expert so interestingly enough I have a meeting with a friend today to review the security of my product. I actually plan on getting certified for my CMS SaaS. Apart from hardening your application, I think it's also important to be sensitive to personally identifiable information - if your application does not need additional information, it's best to not capture it. From a UX perspective this also keeps your forms simpler and avoids having a bunch of "optional" fields in your application. Great topic! Now I wonder who's going to address the importance of proper documentation? 🤔
Bogomil Shopov - Бого
@stefan_morris I couldn't said it better myself :) What kind of a certifications are you looking after for your site if not a secret?
Stefan Morris
@bogomep I'm not quite sure? That's one of the talking points in today's meeting. I have ISO and SOC 2 on my list, but honestly I don't know.
Stefan Morris
@bogomep I've met with a security expert and what I think I'm going to do is develop a roadmap for my app to be secure and compliant. I don't think I'll get certified unless I need to (if a client asks for it and it's worth landing them) but I will focus on getting all the pieces in place so that I am ready when I do need to.
Bogomil Shopov - Бого
@stefan_morris both of them are really expensive and time consuming. Good luck!
Marin Petrov
Indeed I have seen many products with obvious vulnerabilities and have always asked myself the same question. I've only developed 2 products in my life and for both of them were extremely important to get the security right (which is not easy or obvious at all!) For one of them, we hired an external company to make us a security audit and fixed all the vulnerabilities that were discovered. There is simply no way to catch everything as a developer so hiring an external company to do it is probably the easiest way to deal with this.
Bogomil Shopov - Бого
@troll_lock Thanks Marin! There are tools that could help you to start - like a basic SAST or DAST scanner and a basic Threat modeling exercise, but I like that you think about that as a maker which I believe is an exception.
Jonathan Massabni
Security over design and adding functionalities anytime! If we don't handle it from the start it'll add up quickly and become to big of a task to come back to it. To a certain degree, Quality and Added Value of a product could come before because it starts with answering a need. But definitely security before launch
Bogomil Shopov - Бого
@jonathanm well said. Thanks for answering my question. What do you think a maker should do if they need to plug-in security they need when they "come back to it"?
Jonathan Massabni
@bogomep I’m no security expert unfortunately so I understand other makers that don’t have the resources at the beginning. If starting from zero : with my knowledge level I would start with something fun like cleaning up the data structure (remove needless information, hash appropriate values, create solid relationships, etc.) Then, doing simple things that will help new development like using parameters to fetch secrets, creating layers to handle sensitive data and upgrading libraries. If starting from a more advanced level : probably prioritize using tools out there like Kenna Security that gives a score to vulnerabilities. But curious to know the real answer from experts as well!
Ng Fang Kiang
Yes, this is important to me as an internet security enthusiast. I do a lot of testing for XSS, CSRF, SQL injection, etc. security before publishing new features. I wouldn't focus too much on the design, as long as it's simple, fast, and useful. Design, UI/UX are just "Good To Have" for me. However, safety is always a must for me.
Bogomil Shopov - Бого
@jorcus do you use any tools for that or you build your own process?
Lisa Dziuba
@jorcus > I do a lot of testing for XSS, CSRF, SQL injection, etc. security before publishing new features. I have even no idea what that means 🙈
Nik Shevchenko
@jorcus @bogomep Also, most startups don't have "security process", maybe some bullet points like using 1Password.
Lisa Dziuba
When you are an early-stage startup, security might be forgotten. The main goal is to launch sometime fast and get the first users. Unfortunately, security is not on the checklist.
Nik Shevchenko
For every founder who faced some security problems in the past, this becomes important. Otherwise, most founders & markets would not focus on it.
Nik Shevchenko
Unless, you are making fintech startup :)
MARINA S
Interesting discussion. Bookmarked.
Kalo Yankulov
Not as much as we should. Definitely not a part of the process like UX, UI, etc. Where should we start from?
Dawood Ikhlaq
while we are making our product we didn't have a lot of resources i.e, money. Further we have used a lot open source software to speed up the development and reduce the cost, so we made a road plan about securing our website, it's really simple and as follows: 1: we scan our app everyday using some good scanner like zap 2: we keep track all of our open source for future vulnerabilities with https://vulert.com, in this way we don't have to worry about those software. I think this was most cheapest way for us to project security within our application. Best
Alex
I'm not a founder/maker myself (hope to be one day), but work for a very young startup. We've tried to build in good security practices from the beginning. Code reviews, open source code scanning, public vuln scanners, regular patching, scrutinising dependencies, group discussions about new high risk features, bug bashes, a security email alias for notifications, free secure code training, data minimisation. We're lucky that two of the co-founders are experienced engineers who are both very security aware. Application security is both hard and fun in my experience, especially with the fast pace of changes demanded of startups trying to gain new customers. I think it's about building layers of protection consistently over time. Just "thinking" about security is great because then you start to ask yourself questions and learn those answers. "Why do I keep seeing the acronym XSS on these free reports?", "There's a news article about a company I know being hacked because of something called a third party dependency". That knowledge builds up and hopefully sticks every time you make something new. Do you have a go to list of checks when building new things?