Start-up Phenomenon

Start-ups are often referred to as a phenomenon of the 21st century. Personally, I’m a big fan of them. I find the energy that creative people put into implementing sometimes very interesting ideas, ideas that allow society to innovate and move forward, very fascinating. If the constellation is favorable and demand, a good idea, timing, persistence and luck come together, a fast-growing company can emerge in a market that can sometimes go from 0-100 faster than a Porsche. As the customer base grows, so do the start-up’s name recognition in the business sphere, its number of employees and its capital, and after a few years of effort and commitment a group of 3 friends becomes a company of 50 or more people, where the founders carry the entire company on their shoulders, tackling strategic decisions about direction, investment, marketing and growth into new markets. Simply put, it’s a lot.

But let’s go back to the beginning. This whole carousel revolves around the idea, which in more than 90% of cases amounts to a product. A product can be, for example, goods, a device, a service, or of course a program/application. Perhaps no one nowadays doubts that the use of information technology makes life and work easier and faster, and we can no longer imagine life without some of it. With the arrival of AI, this field has taken on another dimension. We use applications in sports, in medicine, for managing finances, for entertainment and at work.

Start-ups fire up with innovative products/apps, and they pour their energy and desire into developing them and fulfilling customers’ wishes (to win more of them, promote their name and, let’s not be afraid to say it, become famous).

Ethical hackers/penetration testers are very interested in technological innovations. We enjoy examining in detail how things work, the so-called “inside”: what technologies are used, how the authors intended them to work, and how they didn’t. However, in this exploration we also see an interesting trend that can be terrifying.

The trend is that already widespread, well-known companies still behave like the start-ups from which they originally emerged. I do not mean the friendly atmosphere inside the company or the lack of management structures (which often rather hurts these companies). I mean the attitude towards, and responsibility for, their product. Every app goes through “birthing pains” in the first stage of development, and the goal of a start-up is to start with a few people and come up, as soon as possible, with a working product that can be offered, shown and tested. However, if the product-application is already far beyond “early-access” (simplified as “demo”) and is at the stage where it is production-ready, users are using it, and it contains production data, it is almost too late to start thinking about security, CI/CD setup, source code review, and release controls. Already widely known companies should have had this covered a long time ago.

Unfortunately, they haven’t.

After all, the reality is that new customers want new functionality, marketers want to dominate new markets, and marketing wants new videos. And the 3 fellow founders, who are now dealing with more strategic requirements, forgot to set the rules and conceptual steps in time.

Imagine a situation in which, for example, a well-known bank started out as a start-up and after a few years any of its developers (even junior ones) still had access to, and directly intervened in, the publishing and editing of production releases of the app. In the beginning, with 3 experienced developers, this was workable because in such a small group there is an agreed procedure, seniority, some personal responsibility and mutual control. But in a larger team of developers with varying experience, there is a risk of, for example, publishing a release with development/debug settings in which authentication is disabled.

Furthermore, consider the source code of new functionalities/features embedded in an internet banking application that are released without any security checks or penetration tests, which would reveal bugs and vulnerabilities easily detectable and exploitable by black-hat hackers.

Sounds scary, yes. But those who stand to suffer the most are, first of all, the clients. They put their trust, personal data and finances in the hands of the companies whose product they use. They trust that they won’t lose them. So, by definition, companies should be responsible for making sure that this does not happen.

However, the negative trend mentioned above shows that this is happening. Mostly not in the case of banks, but in the case of grown companies that still have start-up behavior.

If you are reading this and you are:

  • A client, always think about whether you are giving the apps/companies only the data they really need - ID card scan, health data, …
  • A company, ask yourself whether you have taken enough conceptual steps to protect your product-application.

If the answer is no (so you haven’t taken enough steps) or you’re not sure, don’t worry, it can still be fixed.

Here is how:

  • Design a secure development strategy, backed by well-configured CI/CD and release management
  • Assign responsible, experienced people to validate and review new source code from different developers (code review)
  • Establish and maintain “minimum necessary” access management (i.e. allow access to the repository/application server/database… only to those who really need it, not to everyone)
  • Scan your repositories for sensitive data (passwords, keys, …)
  • Have multiple development environments that are isolated from each other, and of which only the production one is publicly available
  • Use recommended frameworks and area-specific layers in development that are responsible for a given area across the entire application (single authorization layer, single layer managing inputs and outputs), and have a process for regularly updating third-party frameworks and libraries
  • Train the development team on secure development principles
  • Check that you are not exposing unnecessary services on the public backend interface, as this exposes applications to a number of security risks and threats.
  • Conduct application and infrastructure security checks with penetration testing - both special pre-release and recurring periodic
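As an added example (not from the article or its author), here is the kind of automated pre-release gate that the CI/CD, secret-scanning and “debug settings in production” points above call for: a Python script that refuses a release whose configuration still carries development/debug flags, disabled authentication or hard-coded credentials. The config format, key names and sample values are assumptions constructed for illustration.

```python
"""Pre-release gate: block a build whose config still carries development/debug
settings, disabled authentication or hard-coded secrets (assumed .env-style format)."""
import re

# Constructed sample: a release config as a pipeline might find it in the repo.
SAMPLE_CONFIG = """\
APP_ENV=development
DEBUG=true
AUTH_REQUIRED=false
DATABASE_URL=postgres://app:S3cretPassw0rd@db.internal:5432/bank
API_KEY=constructed-example-key-123
LOG_LEVEL=info
"""

# Values that must never reach production (key names are assumptions for illustration).
FORBIDDEN = {
    "APP_ENV": {"development", "dev", "debug", "local"},
    "DEBUG": {"true", "1", "yes", "on"},
    "AUTH_REQUIRED": {"false", "0", "no", "off"},
}
# Key names that suggest a credential is embedded directly in the config file.
SECRET_KEY_RE = re.compile(r"(PASSWORD|SECRET|API_KEY|TOKEN|PRIVATE_KEY)", re.I)
# Credentials embedded in a connection URL, e.g. scheme://user:pass@host
URL_CRED_RE = re.compile(r"^[a-z][a-z0-9+.-]*://[^/:@\s]+:[^@\s]+@", re.I)

def parse_env(text):
    """Parse KEY=VALUE lines, skipping blanks and comments; strip simple quotes."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        k, v = line.split("=", 1)
        cfg[k.strip()] = v.strip().strip('"').strip("'")
    return cfg

def check_release_config(text):
    """Return a list of (key, reason) findings; an empty list means the gate passes."""
    findings = []
    for key, value in parse_env(text).items():
        if key in FORBIDDEN and value.lower() in FORBIDDEN[key]:
            findings.append((key, f"development/debug value {value!r} not allowed in production"))
        # A "${NAME}" placeholder means the secret is injected at deploy time, which is fine.
        if SECRET_KEY_RE.search(key) and value and not value.startswith("${"):
            findings.append((key, "hard-coded credential; inject it from a secret store instead"))
        if URL_CRED_RE.match(value):
            findings.append((key, "credentials embedded in connection URL"))
    return findings
```

In a pipeline, a non-empty result from `check_release_config` should fail the release job so that the build cannot be promoted to the production environment.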

So, dear start-ups, if you want to be successful and wish your name to carry a positive connotation in the future, be aware early on that your product is in public use. With that comes responsibility.

Don’t become another bad example and strengthen the cybersecurity of your start-up now. More information can be found here.

About the author

Michal Havrda
Ethical Hacker
Security consultant/Penetration tester/Red Teamer/Adviser… we could go further. But, first and foremost, Michal Havrda is an ethical hacker who, for many years now, hacks whatever crosses his path. Whether it is a mobile application, a server, people or a bank, he tries to find vulnerable spots and improve them through his testing. You can even find hacked ATMs or physical penetrations into companies on his record, with the owner’s 100% approval, of course.