Web applications are critical for every organization, and especially for startups that need to build customer trust in a very short time. For a startup, the application is the first place potential customers learn about you, and it is also the primary way they interact with you.
At Security for Everyone, we believe that security is vital whether the product is a mobile or a web application. Nevertheless, it is sometimes difficult to draw developers' attention to possible vulnerabilities. After an attack it is too late to start thinking about security, and it costs you a lot.
Finding money, trying not to neglect marketing and sales, and releasing features fast are the reasons you may have kept your application security tasks in the backlog for so long. Fast-growing startups in particular spend most of their energy developing new features to quickly fulfill their customers' needs and keep them happy.
CTOs and co-founders of fast-growing startups will understand this if they think about how they prioritize tasks in daily operations. In some cases the team does not have the resources for experienced, dedicated security staff. That is another major reason why we close our eyes to even the most obvious security vulnerabilities.
Given very limited security staff and very limited knowledge, where do you start?
There are several resources on the internet (mostly free) that can help you learn application security:
If you do not have time to do research, there are also many tools (mostly free) that let you make the most of the security knowledge you have:
Not surprisingly, there is always a potential for defensiveness when developers receive feedback from security tests. It is understandable, considering the time and effort they have put into the code they built.
First you need to educate the team about application security. Then there must be a motivation that keeps the team's attention on security. Finally, the mechanism is complete when the team discovers the value of writing secure code.
A penetration test will flag a lot of security issues, and that can be frightening at the beginning. Triaging these issues is the key step when you do not know where to begin.
One common tactic is to start with the high-risk, low-cost issues. Fixing them first boosts your value-based mechanism, and the team gets even more motivation when it sees the results.
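The triage tactic above, written out as an added example that is not part of the original post: each finding gets a risk score (severity, exposure of the affected asset, whether an exploit is already public) and a remediation cost estimate, and is sorted into "quick win" (high risk, low cost) first, then "plan" (high risk, high cost), "fill-in" and "defer". The findings, weights and thresholds are constructed for illustration and are assumptions, not a published scoring standard.

```python
"""Rank penetration-test findings so high-risk, low-cost fixes come first.

Added example (not from the original post). Scoring weights, thresholds and
the sample findings below are constructed assumptions for illustration.
"""
from dataclasses import dataclass

# Assumed weights: severity as reported by the tester, exposure of the asset.
SEVERITY_SCORE = {"critical": 9, "high": 7, "medium": 4, "low": 1}
EXPOSURE_SCORE = {"internet": 3, "authenticated": 2, "internal": 1}
BUCKET_ORDER = {"quick win": 0, "plan": 1, "fill-in": 2, "defer": 3}


@dataclass(frozen=True)
class Finding:
    finding_id: str
    title: str
    severity: str          # critical / high / medium / low
    exposure: str          # internet / authenticated / internal
    effort_days: float     # remediation effort estimated by the dev team
    exploit_known: bool = False  # a working exploit is already public


def risk_score(f: Finding) -> float:
    """Severity times exposure, with a 1.5x bump when an exploit is public."""
    base = SEVERITY_SCORE[f.severity] * EXPOSURE_SCORE[f.exposure]
    return base * (1.5 if f.exploit_known else 1.0)


def bucket(f: Finding, risk_threshold: float = 12.0,
           cost_threshold: float = 2.0) -> str:
    """Place a finding in one of four triage buckets (assumed thresholds)."""
    high_risk = risk_score(f) >= risk_threshold
    low_cost = f.effort_days <= cost_threshold
    if high_risk and low_cost:
        return "quick win"
    if high_risk:
        return "plan"       # still scheduled, never dropped, just costs more
    if low_cost:
        return "fill-in"    # cheap hygiene fixes for idle time
    return "defer"


def triage(findings: list[Finding]) -> list[Finding]:
    """Order findings: bucket first, then highest risk, then lowest effort."""
    return sorted(findings,
                  key=lambda f: (BUCKET_ORDER[bucket(f)], -risk_score(f),
                                 f.effort_days))


def summarize(findings: list[Finding]) -> dict[str, list[str]]:
    """Bucket name -> finding ids, in the order the team should work them."""
    out: dict[str, list[str]] = {name: [] for name in BUCKET_ORDER}
    for f in triage(findings):
        out[bucket(f)].append(f.finding_id)
    return out


# Constructed sample findings, in the order a report might list them.
SAMPLE_FINDINGS = [
    Finding("F-1", "Stored XSS in comment field", "high", "internet", 1.0),
    Finding("F-2", "SQL injection in legacy report export", "critical",
            "authenticated", 5.0, exploit_known=True),
    Finding("F-3", "Verbose server version banner", "low", "internet", 0.5),
    Finding("F-4", "No rate limiting on login endpoint", "medium", "internet", 3.0),
    Finding("F-5", "Outdated dependency in internal admin tool", "medium",
            "internal", 4.0),
    Finding("F-6", "Session cookie missing HttpOnly flag", "medium", "internet", 0.5),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_FINDINGS):
        print(f"{bucket(f):9s} risk={risk_score(f):5.1f} "
              f"days={f.effort_days:3.1f}  {f.finding_id} {f.title}")
```

With these weights the two cheap internet-facing fixes (F-1, F-6) come first, the critical but expensive SQL injection lands in "plan" directly behind them rather than being buried, and the internal dependency issue is deferred. The point of separating risk from cost is exactly that: the team gets visible wins quickly without losing sight of the costly high-risk items.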
The first thing a customer looks for is reassurance that your organization takes a responsible approach to security. A customer can forget your product immediately after a situation that makes them think your application carries a security risk, and such customers are very hard to win back.