Poll: Does your startup try to write secure software?
6 points by Haskell on Dec 11, 2008 | 16 comments
I would like to capture the general perception about secure development in startups.

Please, also keep in mind that even if your startup doesn't process users' private information (such as financial data or email), your website/application could still be hacked to distribute malware, either exploiting users' browsers or inserting trojans to be downloaded.

For instance, I browse sites I trust with JavaScript and Flash enabled in NoScript, increasing the attack surface.

Also, users are taught to avoid only untrusted websites/applications - and they could blindly trust your startup downloading trojans.

Yes, but we don't have a process. We are security wizards and we write secure code even sleeping.
7 points
Yes. We don't understand much about security, but we have an "ad hoc process", which means we try to avoid a few bad practices if time permits.
5 points
No. Our users don't care and nor do I.
2 points
Yes. We have a formal security process, which includes threat modeling, secure programming and code reviews. We also use metrics to evaluate performance.
0 points
No, but it will certainly hurt in the future. The code base is plagued with flaws and some bad security architecture decisions are being made. It will be very difficult to modify later. I wish we would care more about it.
0 points
No, who has time? Security is not a priority. If someone discovers a flaw that puts our customers at risk we can correct it as soon as possible. And with good crisis management we can avoid a PR nightmare if any user was affected.
0 points


Security is a high priority for us (2 people). We are careful to write secure code, and we discuss security specifically and do code reviews for any risky parts. This process isn't formalized, but we don't just trust ourselves -- we also expect each other to find any problems we've missed. This doesn't seem to fit into any of your responses.

(If you're going to make a poll, I would recommend choosing answers which don't presuppose so much)


You can interpret formal process as systematic process.

The logic for each answer is this:

Answer 2. If you claim to care about security, you should understand the security implications of what you are doing and you are an expert. You can take care of it on your own.

A 1. If you care about security and you aren't an expert, then you don't really understand all security implications of what you are doing and should be basing your judgment on the recommendations of those that do using a systematic process created by experts. You don't need to hire a consultant to do it. You can just buy a few books or read it for free on the Internet.

A 3. If you care about secure software but aren't an expert nor use a systematic process created by experts, then you aren't checking all security implications of what you are doing, but instead checking only for a few generally known flaws.

A 4, 5, 6. You don't understand the security implications of what you are doing and refuse to take the recommendations of those that do.


Why would you spend a lot of time writing secure code for a news recommendation site?


That is why I have placed that introduction.

If this news recommendation site is being constantly hacked to the point at which it has more malware than a porn site, then the developer should consider making it more secure. Otherwise users would not visit it anymore, unless the owner starts to place some hot pictures to serve together with the exploits.


That's nice. In reality, the security quality of a typical web application is quite low, especially compared to F500 enterprise standards --- few would survive a pentest. And yet most of them are not hacked in that manner.

Indie developers need to get better at writing software that is secure by default, but they do not need the whole process-driven juggernaut that Microsoft runs internally with things like SWI.

So, I asked because it sounded strange to me that a two-person news-recommendation startup would be spending serious time on security, as opposed to figuring out ways to make money on their property.


>>And yet most of them are not hacked in that manner

The guys at WordPress and Joomla beg to disagree.

It depends on how popular it is. If the open source version of Reddit becomes as popular as WordPress, then it certainly would get hacked in that manner.


Do we have to spend time pointing out the differences between WordPress and indie startups like Backtype, Songkick, and Adpinion? Microsoft spends a lot of time on security too, and I'm not saying they're dumb for doing it.


You used the word indie at the first comment, but I interpreted it as startup, because this discussion is about startups.

Most startups aren't indies.

For instance, Plentyoffish.com was a ONE person startup not so long ago with revenues of 1MM and 1B pageviews. Just imagine what a news recommendation site with TWO persons would be able to do. :)


I'm eager to see what people here have to say about this poll, but it's so badly constructed that I'm not hopeful about the quality of the results. I've thought about posting a similar poll, but it would be self-serving.


Feel free to post your own Poll.

If you do, I can ask the moderator to delete this one.


Why do you think it is badly constructed?


It's too detailed and it has an agenda.


That is because English is not my native language and I didn't know how to explain it better.


No, it's because you provide a choice between "we have a process that includes threat modeling..." and "we have no process", thus excluding the vast middle ground of people who care about security but don't hire consultants.


You don't need to hire consultants to have a process. You just need to buy a book or read it for free on the internet.

You just need to think about the security implications of what you are going to do, do it keeping in mind all that could go wrong, check again what you have done, and keep a spreadsheet registering how well you are doing. And do it systematically.


I'm not saying process is bad, I'm saying you've equated process with a bunch of consulting buzzwords. You've asked leading questions. I'm just answering your question, about why I think the poll is poorly constructed.



