I have led Black Ops teams err.. Information Security teams as a specialist with large scale Internet firms like Adobe and unicorns like Flipkart and Ola. An engineer by heart with out of the box thinking. Currently, I head all things security @Ola.
In this article, I will be penning my thoughts on perceptions and misconceptions about information security and why it has not been given its due importance in Indian startup ecosystem.
In last few months, I met few founders from the startup ecosystem and here are some snippets of my conversations. The point was to understand, is information security getting its due importance?
Before starting, let me walk you through some statistics:
In 2015 alone, on an average 22 records were stolen per second.
Founder: Why do we need information security team? How can a security engineer possibly add value to my startup? Can they help to drive Biz growth, can they help to acquire more customers, or can they build product features to achieve business deliverables.
Me: For sure security engineers can add value to your startup. Let’s take a step back and look at the big picture.
Breaches happen across all sector of our society, not just ecommerce or retail.
And then we have malware getting intelligent, Malware Timeline.
Common strands across successful online startups irrespective of domains are:
- They have millions of customers who trust them and use it on a daily or weekly basis
- Customer’s transacted real money
- They store personal data of customers including passwords…
- It has customer’s addresses (and their gf’s/bf’s also : P )
- It has customer’s travelling history
- It has customer’s data of buying needs
- It has customer’s data of food preference
- It has customer’s saved credit card (not directly though)
- Apart from customers you also have a lot of employee’s/delivery personnel data , their registration number , their vehicle no , their payment info , their location and a ton of other things.
Most importantly, it has an app, which runs on the customer’s mobile device, which is their (virtual) life, and if a smart loony outsider manages to get access to those devices, its data via their app(exploiting some bug) then customers online identity is at risk. Sounds scary?
Wait till you check the links Latest malware no. of playstore and app store|Sophos Report
Hope that gives you a glimpse of why your startup, no matter what it does, definitely needs security engineering. One thing which I didn’t mention is supporting the legacy system that is definitely vulnerable and you need to protect it till there is a new secure system in its place (which means there will be things falling through cracks, tricky thing to handle).
Founder : Can we do without Information Security? We can think of it when we grow big.
ME: Yes, you can start without Information security until you go un-noticed and do not get traction from security cults who are watching out for things to break. This is the thing that gives them an adrenaline rush. In a layman language: Until you get hacked/ someone write a blog about you publically shaming you. Never assume that you won’t be the target of an attack.
Few things we need to understand, a breach can happen to any company (Facebook / Google / Microsoft / Yahoo / RSA / Twitter /Citibank / Uber etc.) and all have suffered a breach at some point in time or the other.
The things we need to be careful are about after having so many instances to learn from why do we still choose to neglect it .
Most notable thing is that the later you think about implementing Information security thing, the harder it is to properly implement. So, the early you understand the need for information security, the better you can go ahead.
The image does give an answer to the question: NO
My dev/tech team has taken care of basic security using resources available online, I guess that should do?
Me: Well one good thing that at least you cared about the security of your product. Unfortunately, what you did is a good start but not the right one because just like a good graphic designer can architect your application just by surfing for articles on how to do it but that does not mean he can do it the right way. You can not rely on that design when you scale? Would you be sure that there wouldn’t be too many cracks through which things can fall off?
Obviously NO, so similarly it is ok that everyone should have an understanding of security but do not have an overlapping role. You cannot break code with the mindset you created it , you need people to think out of the box.
Founder : Is Application Security worth investing into ? Can I somehow outsource it?
Me: If you don’t then the day you will become a multi-million/billion dollar startup and have a good number of customers and getting applauses from all around the world for the problem you solved. Then there would be few security folks trying to steal the limelight /few other who are security enthusiast and because they use your service would find a vulnerability in your service which has gone to millions of users and can be exploited. This is compromising just not your name, fame ,customers but also would stand a hurdle as a part of next round of funding (though it depends on the bug that was left).
Then you have to build a security team and get all your products secured , pen testing was done, secure code review was done, application architecture review is done, cloud architecture review done and phew… the list never ends . But the worst part would be you have to push users to updates their app- this would have given you chills. Yes, there would be customers’ loss, business loss, hundreds of endpoints changes and what not.
You need to invest in Application Security, sooner the better. Later it comes with an additional cost of reputation, customers, shaming and money.
Images on your left display some numbers from surveys done by IBM and few other companies.
Application Security @Mobile Ecosystem? [Good/Bad/Evil]
Founder: But a bug on a mobile app can lead to an exploit of one user’s, right?
Me: The mobile ecosystem is a double edged sword?—?One of which is if we push a bug intentionally/unintentionally then it lives forever.
How? You don’t agree? Patience…. I am here to unfold the mysteries
No matter how long it has been, there would be some percentage of users using those vulnerable apps. You think a force update is an option? If you are a founder, Product manager you know unless it’s an app that people NEED (like a bank, social media app which they can’t live without),they always have alternatives and no company would force that unless it’s really needed (It is sort of ruthless/disastrous for them). Hence, you lose customer, and that’s way too high a price to pay because the number they need to show in the next investor meeting can be a problem
Founder: What are the take away of your security journey so far:
Me: I have worked with few pretty unicorn startups of India and I have friends in other startups, which are marching towards (multi) billion-dollar mark, in addition to that, I also know about a couple of Fortune 500 company’s vision in terms of application security.
None of them have any alerting and monitoring system in terms of application security, real time is too much wishful thinking. They do not have anything to keep a track of things that would be handy if a breach happens or pre-empting one. Don’t take me wrong for companies like Google, FB, ETSY and others. They are the bar raisers in what can be done, for a very same reason that made them grow big and that is being open to new ideas and willing to try and fail
a)Take control of your things
b) Protect your company and customer , set up a security team NOW.
c)Reactive by design, move to proactive approach
d)Do not rely on only (internal/external) pen-test reports from vendors.
Founder: How to evangelize Information Security @Startups?
Me: I would like to share my mantra on how I did things, at one of my recent employer that should explain it all:
-There was a meeting going on, and as I passed by, what I heard, made me smile. The Product manager was opposing a design mentioning that there would be a security vulnerability IDOR.
Though they did not even understand the abbreviation, they happened to know the issue so well, as it was flagged multiple times.
Isn’t that awesome? 😉
That tells me that my efforts at evangelization, was not just limited to Devs and QAs but PMs also understood application security.
The reason I am boasting about this is because application security has always been a fight with user experience (security guy vs. Product guy). The trend being, if you have a decently secure application, it would certainly have a real bad user experience; PMs are there to get better user experience and coming to a common ground is what matters(mix of good user experience with a decent security feature in place).
Things I do on regular basis:
- a) Talk about critical issues you found in application witheveryonewith what impact it could have
- b) Do as many sessions as possible for all teams
- c) Talk about any recent hacks happened and how we should have handled if it was us
- d) Think as if you are already breached and what can you do now to identify what has gone wrong with the network -> infra -> malware ->APTs -> insider threat -> application bug -> any of those 150+ things possible.
- e) Introduce all employees to fun security games , this does help a lot.
- f) Have mandatory session as a part of induction of in first few days where they get a walkthrough of all what bugs are found in the organization in general
This is a never ending list but this much is good to begin with.
To everyone reading this you must be wondering why am I writing this?
The goal here is to make startups and developers realize that taking care of application security does not add an additional overhead. On the contrary, it gives a lot of ROI (I bet you can’t even calculate) .It’s just that other metrics overshadows security metrics.
There have been many cases of start-ups, all of the globe falling/having rainy day just because of lack of vision for Application Security. Hopefully ,this post will help you avoid that familiar bumpy road (Prevention is better than cure! Always. No Exception. In application security terms, it helps you from public shaming. Now, you do not need to get hacked, to understand the importance of application security).
Hope this gif would explain you on how security could look like. At first, it will feel like things will get worse in terms of efficiency but actually, it will help to add to your business metrics and will make sure you just don’t go fast but a long way too.
Founder: What should startups do? [Any Secret Sauce]
Any checklist we can have ?
Security is a process , not a destination.
Information security is never a matter of going through the checklist but thinking out of the box. But surely I have few pointers to share.
I would be writing a follow-up article in which I would walk all of you through
a)setting up Information Security @ your company from scratch with minimal resource and investment
b)what things should be taken care in what order.
And in case you are one of those founders to whom information security only means protection against DDOS then please have a look at this mind map , and evaluate what all are you missing.
Till then Happy Hacking and keep secure.
[About The Author: Shadab Siddiqui has led Information Security teams as a specialist with large scale Internet firms like Adobe and unicorns like Flipkart and Ola. An engineer by heart with out of the box thinking. Currently, I head all things security @Ola.]