Startup security

Question

I'm running a lean start-up, and I can't afford to pay a dedicated security expert, what types of precautions can I take? These would need to be cheap, simple to implement, and require minimal time investment.

To clarify, as this is a start-up we mostly do development work, so I'm looking for things to make my application more secure. Technologically agnostic, of course.

From the original Area51 proposal

What is your startup doing? Do you want information on security for client work, your own servers, or what? This is a massive question. — Toby, Nov 12 '10 at 13:21
@Toby, I agree - I just copied it verbatim from the original proposal, however I do think it's a good question. It was clear to me he was asking about security on his own development - either product, site, or client work. — AviD, Nov 13 '10 at 16:15
@Olivier, yours was a great answer, but I felt I had to accept @Paul answer. The emphasis on "lean" requires very lightweight activities, and "training" as a single activity will make everything else easier (i.e. a security-minded programmer will know to prevent SQLi without much extra work, but a non-security programmer that has to add protection will take MUCH MUCH longer). — AviD, Nov 16 '10 at 06:14

score 13 · Answer 1 · edited Apr 13 '17 at 12:13

13

Securing your code:

Prevent SQL injection: use an ORM and parameterized queries
Prevent potential hackers / employees from seeing passwords: Store password hash + salt instead of clear passwords.
Prevent introducing security flaws: Don't reinvent the wheel. Use libraries and framework whenever you can.
Assess your application with a vulnerability scanner.

Securing your server:

Keep your system updated
Monitor your server
Use password-less logins with SSH
Implement a backup strategy
Implement site-wide SSL. If it's not an option implement it for login pages to prevent passwords from being intercepted (won't protect against cookie sniffing, but at least passwords will be safe).
Monitor logs / use an IDS.

edited Apr 13 '17 at 12:13

Community

1

answered Nov 15 '10 at 02:39

Olivier Lalonde

5,039
8
31
35

2

+1, because this good stuff - but I would expect more of a coding-focused answer. Clarified question. – AviD Nov 15 '10 at 05:46
I've appended my answer to include some code related tips ;) – Olivier Lalonde Nov 15 '10 at 06:22

score 8 · Accepted Answer · answered Nov 13 '10 at 07:46

8

Invest in secure development trainings because that would be targeting the root cause of any problem. I don't believe, given this high level of information about your startup, that you would get valuable help that you were not aware of before.

answered Nov 13 '10 at 07:46

Phoenician-Eagle

2,167
16
21

1

+1 for training, but I think we can definitely provide some baseline recomendations and guidelines... – AviD Nov 13 '10 at 16:20

Mohamed · Answer 3 · 2010-11-13T00:05:05.850

4

This depends on what kind of hosting service you have.

Dedicated Server or virtual hosting
- keep your system up to date.
- use Secure protocols.
- implement network defense. firewalls/IDS.
- Enforce Strong password.
- Encrypt Cookies
- Auditing Logs
- use threat models to prevent attacks.
- Save Session ids in the database
- Employing site development best-practices
Shared Hosting
- Enforce Strong Password
- Encrypt cookie data.
- Save Session ids in the database
- Employing site development best-practices
- and Pray.

edited Nov 13 '10 at 00:05

answered Nov 12 '10 at 15:29

Mohamed

1,404
1
11
14

Encrypt Cookies: never seen any website do this, what is it supposed to help with? Save Session ids in the database: how does it help in regards to security? – Olivier Lalonde Nov 12 '10 at 22:19
Also I doubt that this startup can afford threat modeling. – Olivier Lalonde Nov 12 '10 at 22:26
@oliver what I mean is encyrpt cookie data. chec this http://stackoverflow.com/questions/606179/what-encryption-algorithm-is-best-for-encrypting-cookies and this http://www.codeproject.com/KB/web-security/HttpCookieEncryption.aspx. – Mohamed Nov 13 '10 at 00:04
@oliver note if you never heard does not mean it does not exist. – Mohamed Nov 13 '10 at 00:04
@oliver it helps with tempering data. – Mohamed Nov 13 '10 at 00:07
1

@Olivier, I'm sure @Mohamed meant "it helps *prevent* tampering data" :) – AviD Nov 13 '10 at 16:17
Hey, @Mohamed, "and Pray" was mine! http://security.stackexchange.com/questions/57/how-to-keep-a-shared-web-hosting-server-secure ;) – AviD Nov 13 '10 at 16:18
Still bad general advice because you shouldn't store confidential data in a cookie in the first place which is exactly what the folks at SO explained. – Olivier Lalonde Nov 13 '10 at 18:35
So @Olivier, do you have a better answer? :) – AviD Nov 14 '10 at 23:26
1

@AviD done! feel free to up vote :D – Olivier Lalonde Nov 15 '10 at 02:40

Startup security

3 Answers3

Linked