The battle between Sony and what the FBI believes are North Korean hackers may be at its end, but the war for the security of the enterprise is just getting started.
Companies have been rapidly transitioning their legacy systems to modern IT technology like cloud services, hoping to save money and improve performance in an increasingly competitive world. And while security has always been one of the key demands of CIOs in making new purchases, security itself almost never sells products – features do. That’s why startups focus so much of their attention on getting their products right, and often tack on security engineers later in the development process.
If it is not already clear from the events surrounding Sony the last few weeks, technology startups are increasingly the battlegrounds between all sorts of forces, from hacker gangs to pariah states. Companies rely on their information technology for their most important trade secrets. Any legitimate threat to those systems could alter the trust executives have with their IT departments, and that has serious repercussions for all of us involved with startups.
As I bluntly wrote in June, it’s the security, stupid.
It’s not like we haven’t been here before. IT departments are going through a technology revolution right now with cloud services not unlike the revolution almost two decades ago from paperwork to data centers. Back then, the biggest security challenges were viruses and worms – think ILOVEYOU, Code Red, and SQL Slammer. Network infections like these regularly made the front page of newspapers and top news on cable networks, and they each caused billions of dollars worth of damage by some estimates.
But we don’t hear much about viruses these days. Increased operating system security, particularly on Microsoft Windows, closed many of the gaping holes that were available for exploitation. More sophisticated antivirus software also blocked many of these viruses from spreading through email by stopping them at the mail server. As the vectors for attacks decreased in number, the ability of hackers to write self-propagating code on the internet has simply become more challenging.
We need to start a similar defense revolution when it comes to our cloud services. We need to strengthen our fundamental infrastructure while developing better tools to identify attacks and stop them in their tracks. Unfortunately, the solutions are going to be far harder to implement.
The first challenge is that many of these cloud services interact with each other, which greatly adds to the challenge of determining the vulnerabilities present in the system. This dense interconnection also extends to the libraries that these services are built upon – just think of the Heartbleed bug in the OpenSSL libraries or Shellshock bug in the Bash shell. A vulnerability in one system is likely to compromise more than just itself in an attack.
Second, insiders are increasingly a threat, not only because the number of IT services has expanded, but because security concerns of IT departments directly compete with the efficiency concerns of management. There remains rampant speculation that the attack on Sony was assisted by someone on the inside of the organization. Regardless, stopping insiders like this is tough, because businesses face strong competition and need the openness of existing systems to be effective. Startups need to provide security within the demands of speed and openness, and that is no simple juggling act.
Finally, and perhaps most importantly, startups are moving increasingly quickly to provide the features their customers are demanding, making it difficult if not impossible to ensure that shipped code is hardened and secure. In a world of ship fast and break things, the breaks are starting to get worse – and more expensive.
Security may be a tough problem, but it is the supreme responsibility of every software developer and every startup executive. We all collectively lose if CIOs lose trust with IT departments. We don’t want to move back to a world of paperwork just because we can’t secure our data in the cloud.
Therefore, we need to return to basics. First, every developer should have training in security. Security is not typically required in computer science curriculums, often offered as an elective to students looking to specialize in the field. That needs to change posthaste. Security habits are formed early, and developers shouldn’t be able to walk along at a college commencement still allowing SQL injections in their code.
For developers in the workforce, take time to understand the OWASP Top 10 vulnerabilities, and read up on the latest approaches to securing systems. Ensure that every product design session has at least a few minutes devoted to discussing security issues and possible vulnerabilities. In addition, think through how to offer highly granular access controls for data, even potentially before your customers ask for it.
Finally, for startup executives, constantly seek out security vulnerabilities in your software and services. Offer bounties for the discovery of new holes, offer indemnification for white hat hackers investigating your software, and perhaps consider bug discovery services like Bugcrowd, which can crowdsource much of this for you. Vulnerabilities are a commonplace in all software, and you shouldn’t run with fear from these issues, but rather embrace them as challenges to be solved like any other customer request.
Startups may once have been immune to the kind of large attacks that plagued Microsoft Windows back in the day, but that world is long since gone. Given the tight coupling of software systems, a startup’s service may be just the vector a hacker is looking for to break into a corporation’s systems. Don’t wait for a magical security service to solve your customer’s problems for you. Every startup has already been drafted, and now is the time to fight.