Ask HN: As a startup CTO, how do I protect my web app from security threats? - svepuri
As a first-time CTO (only tech person in the team) of an early-stage startup, I am trying to maximize the benefits from my time. Subsequently, I am spending little time on coding and more on quickly integrating solutions such as SendGrid, Twilio, Stripe, and AWS services into my system.

You would have read that recently SendGrid was hacked. Such instances make me wonder how secure my system is. Could you please offer advice on how you keep your startup web applications safe from security threats?
======
manibatra
Pretty much in the same boat as you. The one thing I am making sure of is
that anything that goes into the database is properly validated and sanitised, as
mentioned by the other user. Keeping keys as environment variables rather than
in the files would be another. Write lots of tests if you are not already doing
so. But at the same time also keep in mind that there should be a fine balance,
in my humble opinion, between putting in time to make your system secure and
moving fast and getting the product out to market. Unless of course your
product sells security. Cover your basics and add in more protections once you
get product-market fit.

~~~
svepuri
What are the more protections you are referring to in your last sentence?

~~~
manibatra
Sorry for the late reply. As I said, I am in the same boat as you, so I am just
worried about how I could prevent myself from being "hacked". Email
verification for user signups is something I am doing. Apart from that, just
looking at every piece of code and not relying just on the client-side
stuff (JavaScript) :)

~~~
svepuri
Check this link: [http://techcrunch.com/2015/01/22/security-for-startups-in-10-steps/](http://techcrunch.com/2015/01/22/security-for-startups-in-10-steps/)
It may help to some extent.

~~~
manibatra
Thanks! That was good :)

------
virken2015
Hard to say too much not knowing what infrastructure it's on, but I would start
with the basics of good input sanitization to avoid SQL injection.

~~~
svepuri
Currently my web app is built on a PHP and MySQL (LAMP) stack and is hosted on
AWS EC2. I have taken care to avoid SQL injections.
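Since the thread settles on a PHP/MySQL stack and the two concrete pieces of advice are "validate and sanitise everything that reaches the database" and "keep keys in environment variables, not in files", here is an added example (not code from the thread or from any of the posters) showing what that looks like in practice: a concatenated query of the kind that is open to SQL injection, next to the hardened version using PDO prepared statements, server-side validation, credentials read from the environment, and `password_verify()` for logins. It assumes a table `users(id, email, password_hash)` and environment variables named `DB_DSN`, `DB_USER` and `DB_PASS`; those names are assumptions for the example.

```php
<?php
// Added example, not from the thread. Assumes a MySQL table
// users(id, email, password_hash) and the credentials exported as
// DB_DSN, DB_USER, DB_PASS in the environment (assumed names).
declare(strict_types=1);

// --- Pattern to avoid: string concatenation lets input rewrite the query ---
// Shown only so the contrast with the prepared statement below is clear.
function findUserUnsafe(mysqli $db, string $email): ?array
{
    // Anything the user types becomes part of the SQL text itself.
    $sql = "SELECT id, email FROM users WHERE email = '" . $email . "'";
    $result = $db->query($sql);
    return $result ? ($result->fetch_assoc() ?: null) : null;
}

// --- Hardened version ---

// Credentials come from the environment, so they never sit in the repo.
function connectFromEnv(): PDO
{
    $dsn  = getenv('DB_DSN');  // e.g. mysql:host=127.0.0.1;dbname=app;charset=utf8mb4
    $user = getenv('DB_USER');
    $pass = getenv('DB_PASS');
    if ($dsn === false || $user === false || $pass === false) {
        throw new RuntimeException('DB_DSN, DB_USER and DB_PASS must be set in the environment');
    }
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // fail loudly on DB errors
        PDO::ATTR_EMULATE_PREPARES   => false,                  // real server-side prepares
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// Server-side validation: client-side JavaScript checks can be bypassed,
// so the same rules are enforced again here before any query runs.
function normalizeEmail(string $raw): ?string
{
    $email = trim($raw);
    if ($email === '' || strlen($email) > 254) {
        return null;
    }
    return filter_var($email, FILTER_VALIDATE_EMAIL) === false ? null : $email;
}

// The user's input is bound as a parameter; it can never change the SQL.
function findUserSafe(PDO $db, string $rawEmail): ?array
{
    $email = normalizeEmail($rawEmail);
    if ($email === null) {
        return null; // malformed input is rejected before it reaches MySQL
    }
    $stmt = $db->prepare('SELECT id, email FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

// Login check against a hash produced by password_hash(), never a raw password.
function verifyLogin(PDO $db, string $rawEmail, string $password): bool
{
    $email = normalizeEmail($rawEmail);
    if ($email === null) {
        return false;
    }
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch();
    // password_verify() compares in constant time and reads the hash format itself.
    return $row !== false && password_verify($password, $row['password_hash']);
}

// Usage (needs a reachable MySQL instance and the three environment variables):
// $db = connectFromEnv();
// var_dump(findUserSafe($db, $_POST['email'] ?? ''));
// var_dump(verifyLogin($db, $_POST['email'] ?? '', $_POST['password'] ?? ''));
```

The two things to check in a code review are that no query is ever built with `.` or string interpolation from request data, and that `grep -r getenv` (or the framework's config loader) is the only place credentials appear, so that a leaked repository or a misconfigured web root does not also leak the database password.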