When your startup is struggling to find its product-market fit, security is the last thing on your mind - and according to security expert Matt Spitz, that’s perfectly fine!
Matt is Vanta's Head of Engineering and he joins this week's episode of Dev Interrupted to explain everything you ever wanted to know about startups and security.
Matt debunks the real security risks we face (think S3 buckets, not nation states), how to create a company culture that embraces security and when your startup needs to start caring about all this stuff.
Episode Highlights Include:
- (2:06) Matt's career journey
- (7:00) Why startups suck at security
- (13:11) Sources of security risks (employees, vendors, S3 buckets)
- (20:54) Nation states aren't the danger
- (25:25) Creating a culture of security
- (28:41) "Blameless culture of reflection"
- (33:20) How to think about investing in security
While you’re here, check out this video from our YouTube channel, and be sure to like and subscribe when you do!
Setup /:\ gitStream on your GitHub Repo today! Learn more here
Top comments (2)
Security being the last thing on your mind is not fine, and you need to "care about this stuff" from the get-go and continuously ever after.
You wouldn't go for a walk without first putting on some pants, right? The negatives simply aren't worth being out the door that little bit quicker for.
Customer data leaks, order or process manipulation, infrastructure outages... any of this can get you into some serious legal trouble - especially so if you're found to have been negligent.
With the introduction that you make, you tell people that in their Startups they do not have to worry about security, for a Startup that has just started and that has almost (or no) clients, security should be their last concern.
That's very debatable, but I think security is necessary even for startups that are just starting out, but they don't have to worry about it as much. Do the things that everyone should do on any web server even if it's not going to be visited much, like keeping the operating system up to date, configuring firewalls, fail2ban, ModSecurity, disabling root authentication over SSH, etc, etc.
That is, things that are configured in less than 1 minute and provide that security that your Startup needs that is just starting. Since it is just starting, security should be the last thing you worry about, but not schedule it in the "not important".