Security is a beast and an expensive one to tackle. Keeping your systems secure costs more development time, more money, requires extra services, monitoring, and observability. All of it costs more in terms of time and money.
There are multiple levels of security. At each point in your organization’s security risk tolerance you need to keep revisiting security. At the very start of a startup, you might get away with minimal security. At the other end of the spectrum you might go for certifications like ISO 27001, SOC 2 types, PCI, GDPR, and HIPAA. Getting these and some other similar certifications sometimes need rewiring of your entire architecture and refactoring a good deal of code. You might need to drop some of the features from your application or completely rethink them.
Deciding when to do what to achieve a desired level of security is extremely important. No matter how counterintuitive it sounds, do not go for the best level of security from the get-go or you will shoot your small startup in the foot unless it’s something like a security, medical, or financial services startup.
Whoever can afford the luxury of having a highly secure application should do it. It will land your startup better and high-ticket clients and usually, high level of security is mandatory to get high-ticket clients. Analyze the game you are playing. As an engineer, keep your stakeholders updated about what it takes to be secure. If you are not a senior engineer or someone who has not done security under the leadership of a security professional, it’s very much possible to get it wrong and not understand what needs to be done.
I wish we had inherently secure programming languages, frameworks, and cloud systems but that is not possible because of how the internet works.
I remember being in a small profitable organization that couldn’t close a few sales because they did not have certain security compliances. The ticket sizes made them all drool over the missed opportunities. They went all in about security and a good deal of time and money was spent to get 2 security certifications that would position them better.
A slight downturn of events happened, some churn and it became unbearable for that company to bear the extra costs that come with having a secure cloud system. Cloud is costly. Doing security on top of cloud and at scale you will feel like being extorted. For example, one endpoint to track and report external attacks on one of your servers will cost you 1 grand in GCP. If you have two endpoints you pay $2000. If you are a small startup, such costs can put a dent in your profitability. If you are VC funded, you might not care that much until you run out of cash. For big companies and corporates, this is essential.
Identify who you are. At what stage are you? How much security can you afford? How much lack of security can you afford? Given your product, market, and popularity, what level of security do you need to be at? A local gym membership management system has very different security requirements than Twitter.
With all that said, this does not mean you process inputs without validation. This does not mean your app can live without SQL injection protection. This doesn’t mean basic XSS is tolerable. This doesn’t mean you can put passwords in plain text. These are essentials.
I am talking more about infra-level security, intrusion detection, and handling personally identifiable information differently than the rest of the data. That is costly and time-consuming to implement. It doesn’t make sense when you don’t even have a product market fit.
Writing good and secure code is basics. Being up to date with OWASP 10 and keeping that as a top priority is important.