How to protect a new application from bugs, vulnerabilities and security issues?
Sergei Petrov
10 replies
Hey, product hunters! 👋
The idea is validated, the beta is ready, the first sales are starting, but ..
It is not news that one of the main values for business is safety. How can a newly launched product properly monitor data security on a limited budget? And, not least, how to convince business customers that their data is safe?
Replies
Mark Prutskiy@mark_prutskiy
Bumpy
You should close the main security gaps but you have to understand that you can't close all gaps even with a budget.
Share
@mark_prutskiy
Thanks, that's a really good point!
Of course, we care about the safety of our product and monitor the quality as best we can. Perhaps there are some automated solutions or checklists, after passing which we could get some kind of certificate? This is important in order to gain the trust of the enterprise companies - our potential customers.
In most cases bugs are introduced into projects through vulnerable dependencies. This is called as supply-chain vulnerabilities. You can prevent them by using my product https://safe.privjs.com
Alternatively, you can also explore more enterprise-grade options such as Snyk or Github Advisories.
I'll tackle vulns and security first.
You want to be aware of the OWASP Top 10: https://owasp.org/www-project-to...
This is a list of the most critical security vectors for websites/applications. OWASP also provide a testing framework which is incredibly in-depth. I consider this guide the defacto answer for your question. Know it inside and out.
https://github.com/OWASP/wstg/tr...
If your wish is to improve customer confidence, I'd also look at GDPR recommendations.
For bugs, the absolutely best way to mitigate them is by increasing your test coverage and improving the quality of it. This can be things such as unit tests and integration tests, but I would also consider cross browser testing (such as using LambdaTest) and potentially even going so far as using tools such as Screenshotbot.
Another thing you may wish to increase is your programs observability. This can be as simple as a Grafana dashboard.
@smcn
Hey Stefan.
Many thanks for the detailed and extensive answer. We will definitely use your advice in the near future.
We are developing a plugin for Jira and one of the requirements for getting a security badge is participation in the bugbountyhunter program with a minimum contribution of $5000 for bounties. Maybe you have come across something similar. How reasonable is this for a new startup?
@sergeipetrov you're most welcome
I can't say that I've come across a company like that, though that may be because I'm not really big on Jira for personal reasons. I think that it sounds like a good and viable idea though!
Wish you all the best!
I believe that a company should run a number of bug bounty programs (well-paid of course) to make sure that there are no or close to zero bugs, my opinion. As a rule on that purpose companies use platforms like Standoff 365. Here are some more details https://standoff365.com/en-US
This will sound a bit strange and far fetched because it's coming from the compliance side of my brain. Have you heard of the Cloud Security Alliance's CAIQ-Lite? It's a heavily trimmed down (78 questions is about as short as these things come) list of security based questions designed for companies to vet new vendors. It's also free to download and use as needed.
https://cloudsecurityalliance.or...
Now this won't shore up your application or data security. It's broader than that.
Think from a customer perspective. They're also interested in if you can maintain availability during a disaster. Do you have backups if data is lost. Do you patch your infrastructure when there's a new vulnerability. Do you encrypt your database? Are your publicly facing services scanned? A lot of those questions can be answered and solved with a free tool or a process change. The checklist may inspire you with a few more things to add to your product and promote to customers.
I'm guessing your product will need read/write access to lots of sensitive places, which means data security would be a very important risk to address. But in saying that, there's also other security things that you can do to help assure customers that you have their safety in mind.
This is pretty interesting question I would like to share some information about the best nespresso machine here on this page.