Startups don't care about security.
We hear this a lot. It may be a descendant of "developers don't care about security… that's InfoSec's concern," a situation where at least someone in the organization was paying attention to security. In the developer-dominated world of tech startups, such a statement would be nonsensical. If a startup has dedicated InfoSec staff, they're probably not a startup anymore.
To be fair, early-stage startups have a lot on their plate: fundraising, product development, acquiring customers. Speed is of the essence for startups and they need to avoid distractions that can slow them down. Worrying about security too early can feel a lot like building at scale when you only have five customers. In most cases, a focus on security doesn't contribute to the bottom line and can appear the opposite. It's natural to feel like "we're too small to be a target... it won't happen to us."
Take Snapchat. Sure, they're a ~$3B rocket ship, but they're still young and have been understandably focused on product and growth. But while privacy is a benefit of Snapchat's service, for months they failed to patch a vulnerability that they were repeatedly warned about - a patch that apparently required a few lines of code. Once this "theoretical" vulnerability was exploited in real life and user data was exposed, Snapchat's response was slow and ham-handed, only adding to their woes.
If Snapchat were an enterprise messaging startup, it would almost certainly be dead as a doornail. As a consumer-facing startup, they're still not entirely out of the woods, and it's too early to assess the full scope of the damage to their reputation, trust and growth. In the post-Snowden world, and one where consumers are directly affected by breaches such as the recent Target hack, individuals are increasingly placing a premium on security and privacy.
So, what do we mean when we say "every startup is now a security startup"? If you store customer information in any way - be it enterprise customer data or the emails and passwords of your registered users - you're responsible for safeguarding that information.
Your startup is a security startup.
Does this mean every startup needs to purchase "military-grade security" solutions? No. It means you need to pay attention to the code you're putting into the wild and check it for common vulnerabilities such as SQL injection or Cross-Site Scripting (XSS). It means salting and hashing passwords, encrypting data, and storing nothing in plain text. If you're using AWS, take the time to configure your security groups properly.
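Two of the basics above, parameterized queries and salted password hashing, fit in a few dozen lines. The following is an added example written for this post, not code from the original article or from any company it mentions. It assumes an in-memory SQLite table with constructed sample users, and uses PBKDF2-HMAC-SHA256 with a per-user random salt (the 200,000 iteration count is an illustrative choice, not a recommendation from the post). The string-built lookup is shown only as the "before" so the contrast with the parameterized version is visible.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import List, Optional, Tuple


def make_db() -> sqlite3.Connection:
    """Create a constructed in-memory users table (sample data, not a real app)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (email TEXT PRIMARY KEY, salt BLOB NOT NULL, pw_hash BLOB NOT NULL)"
    )
    return conn


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 200_000) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is drawn when none is supplied,
    so two users with the same password get different stored hashes."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def register(conn: sqlite3.Connection, email: str, password: str) -> None:
    """Store only the salt and the derived hash; the plaintext password is never written."""
    salt, digest = hash_password(password)
    conn.execute(
        "INSERT INTO users (email, salt, pw_hash) VALUES (?, ?, ?)", (email, salt, digest)
    )
    conn.commit()


def verify(conn: sqlite3.Connection, email: str, password: str) -> bool:
    """Re-derive the hash with the stored salt and compare in constant time."""
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE email = ?", (email,)
    ).fetchone()
    if row is None:
        return False
    salt, stored = row
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> List[str]:
    """'Before' version: the caller's input is spliced into the SQL text,
    so a value containing quotes changes the query's logic."""
    query = f"SELECT email FROM users WHERE email = '{email}'"
    return [r[0] for r in conn.execute(query).fetchall()]


def lookup_safe(conn: sqlite3.Connection, email: str) -> List[str]:
    """'After' version: the input is bound as a parameter and can only ever be data."""
    rows = conn.execute("SELECT email FROM users WHERE email = ?", (email,)).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = make_db()
    register(db, "alice@example.com", "correct horse")  # constructed sample users
    register(db, "bob@example.com", "correct horse")
    print("alice login ok:", verify(db, "alice@example.com", "correct horse"))
    print("alice wrong pw:", verify(db, "alice@example.com", "wrong"))
    probe = "' OR '1'='1"
    print("string-built query returns:", lookup_vulnerable(db, probe))
    print("parameterized query returns:", lookup_safe(db, probe))
```

Running the script shows the string-built lookup returning every user for an input that matches no email, while the parameterized lookup returns nothing; it also shows that the same password registered twice yields two different stored hashes because each row carries its own salt.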
If you achieve product-market fit and start to scale, strongly consider pen-testing your application to identify vulnerabilities - and close them. If others pen-test your application independently, listen and respond. Have a crisis plan in place to address exploits and communicate proactively with your customers.
There's no security solution available today that can stop the most advanced persistent threats 100% of the time. Defense always trails offense. But not every threat is as advanced as Stuxnet. Taking some basic steps to secure your applications, your infrastructure, and your customers' information can help you avoid many common exploits. You can't expect your customers or users to be forgiving if your failure was one of disregard.
Things changed dramatically in 2013, and concerns over security and privacy are forever heightened. Your customers, be they consumers or businesses, are paying a lot more attention to the security of their information. They're asking questions. As a security startup, you need to have answers.
We will keep updating this post to add to this list. It's certainly not comprehensive. Comment to let us know of startup breaches we should add.