Start-ups are often called a phenomenon of the 21st century. Personally, I am a big fan of them. I find the energy that creative people put into turning sometimes very interesting ideas into something that lets society innovate and move forward fascinating. If the constellation is favourable and demand, a good idea, timing, persistence and luck come together, a fast-growing company can emerge that sometimes goes from 0 to 100 faster than a Porsche. As the customer base grows, so does the start-up's name recognition in the business world, the head count and the capital, and after a few years of effort and commitment a group of three friends becomes a company of 50 or more people, where the founders carry the whole company on their shoulders and wrestle with strategic decisions about direction, investment, marketing and expansion into new markets. Simply put, it is a lot.
But let's go back to the beginning. This whole carousel revolves around the idea, which in more than 90% of cases means a product. A product can be, for example, goods, a device, a service or, of course, a program or application. Hardly anyone today doubts that information technology makes life and work easier and faster, and we can no longer imagine life without some of it. With the arrival of AI, this field has taken on yet another dimension. We use applications in sport, in medicine, for managing finances, for entertainment and at work.
Start-ups are firing up with innovative products and apps, pouring their energy and desire into developing them and fulfilling customers' wishes (to win more customers, promote their name and, let's not be afraid to say it, become famous).
Ethical hackers and penetration testers are very interested in technological innovations. We enjoy examining in detail how things work on the "inside": which technologies are used, how the authors intended them to work and how they actually don't. In this exploration, however, we also see a trend that can be terrifying.
It is the trend of already widespread, well-known companies that still behave like the start-ups they originally emerged from. I do not mean the friendly atmosphere inside the company or the lack of management structures (which often rather hurts these companies). I mean the attitude towards, and responsibility for, their product. Every app goes through "birthing pains" in the first stage of development, and the goal of a start-up is to come up, with a few people and as soon as possible, with a working product that can be offered, shown and tested. However, once the application is far beyond "early access" (simplified: "demo") and has reached the stage where it is production-ready, users are using it and it holds production data, it is almost too late to start thinking about security, CI/CD setup, source code review and release controls. Widely known companies should have had this covered a long time ago.
Unfortunately, they haven’t.
After all, the reality is that new customers want new functionality, sales wants to conquer new markets, marketing wants new videos. And the three fellow founders, who are now dealing with strategic matters, forgot to put the rules and processes in place in time.
Imagine, for example, that a well-known bank had started years ago as a start-up and, after a few years, any of its developers (even junior ones) still had access to, and directly intervened in, the publishing and editing of production releases of the app. In the beginning, with three experienced developers, this worked, because in such a small group there is an agreed procedure, seniority, some personal responsibility and mutual control. In a larger team of developers with very different levels of experience, there is a real risk of, for example, publishing a release with development or debug settings in which authentication is disabled.
Furthermore, think of the source code of new functionality added to an internet banking application and released without any security checks or penetration tests, which would reveal bugs and vulnerabilities that are easily found and exploited by black-hat hackers.
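As an added illustration (not code from the original post), the following script models the two controls the paragraphs above say a grown company must have: a gate that refuses any build whose effective configuration still carries development or debug settings (debug mode on, authentication switched off, wildcard hosts, a placeholder secret), and a rule that no single developer can ship to production without an independent reviewer and a security sign-off. The configuration keys, the sample builds and the approval records are all constructed for the example; the checks are deliberately generic so they could sit in front of any deployment step.

```python
"""Added example (not from the original post): a minimal release gate.

It models two controls the text says a grown company should have:
  1. refuse any build whose effective configuration still carries
     development/debug settings (debug mode, authentication switched off,
     wildcard hosts, placeholder secrets);
  2. refuse a release that lacks independent code review and a security
     sign-off, so no single developer can push straight to production.
All keys, values and names below are constructed for illustration.
"""
from dataclasses import dataclass, field

TRUTHY = {"1", "true", "yes", "on"}
PLACEHOLDER_SECRETS = {"", "changeme", "secret", "password", "dev", "test"}


def parse_env(text: str) -> dict:
    """Parse KEY=value lines (dotenv style); '#' starts a comment."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip().upper()] = value.strip().strip("'\"")
    return cfg


def config_findings(cfg: dict) -> list:
    """Return a code for every setting that must never reach production."""
    findings = []
    if cfg.get("APP_ENV", "").lower() != "production":
        findings.append("ENV_NOT_PRODUCTION")
    if cfg.get("DEBUG", "").lower() in TRUTHY:
        findings.append("DEBUG_ENABLED")
    if cfg.get("AUTH_DISABLED", "").lower() in TRUTHY:
        findings.append("AUTH_DISABLED")
    if cfg.get("ALLOWED_HOSTS", "").strip() == "*":
        findings.append("WILDCARD_HOSTS")
    secret = cfg.get("SECRET_KEY", "")
    if secret.lower() in PLACEHOLDER_SECRETS or len(secret) < 32:
        findings.append("WEAK_SECRET_KEY")
    return findings


@dataclass
class ReleaseRequest:
    author: str
    reviewers: list = field(default_factory=list)  # who approved the change
    security_signoff: bool = False                 # review / pentest done
    config_text: str = ""                          # config the build ships with


def release_findings(req: ReleaseRequest, min_reviewers: int = 1) -> list:
    """Combine configuration checks with release-control checks."""
    findings = config_findings(parse_env(req.config_text))
    # The author approving their own change does not count as a review.
    independent = [r for r in set(req.reviewers) if r != req.author]
    if len(independent) < min_reviewers:
        findings.append("NO_INDEPENDENT_REVIEW")
    if not req.security_signoff:
        findings.append("NO_SECURITY_SIGNOFF")
    return findings


def may_release(req: ReleaseRequest) -> bool:
    """True only when no finding blocks the release."""
    return not release_findings(req)


# Constructed sample configurations (hypothetical keys and values).
DEBUG_BUILD = """
APP_ENV=development
DEBUG=true
AUTH_DISABLED=1     # handy on a laptop, fatal in production
ALLOWED_HOSTS=*
SECRET_KEY=changeme
"""

PROD_BUILD = """
APP_ENV=production
DEBUG=false
AUTH_DISABLED=0
ALLOWED_HOSTS=app.example.com
SECRET_KEY=3f8a1c9e7b2d4a6f8e0c1b3d5a7f9e2c4b6d8a0f
"""

if __name__ == "__main__":
    solo = ReleaseRequest("junior", reviewers=["junior"], config_text=DEBUG_BUILD)
    print("debug build pushed by its own author:", release_findings(solo))
    reviewed = ReleaseRequest("junior", reviewers=["senior"],
                              security_signoff=True, config_text=PROD_BUILD)
    print("reviewed production build:", release_findings(reviewed))
```

Run stand-alone, the first request is rejected with seven findings (five from the configuration, two from missing review and sign-off), the second passes with none. In a real pipeline the configuration text would come from the artifact about to be deployed and the approvals from the code-hosting platform, and the gate would run as the last mandatory step before anything touches production.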
Sounds scary, yes. But those who would suffer the most are, first of all, the clients. They put their trust, personal data and finances in the hands of the companies whose product they use. They trust that they will not lose them. So, by definition, companies are responsible for making sure that this does not happen.
However, the negative trend described above shows that it is happening. Mostly not at banks, but at grown companies that still behave like start-ups.
So ask yourself whether your company has already taken these steps: release controls, code review and security testing before new functionality reaches production. If the answer is no (you have not taken enough of them) or you are not sure, don't worry, it can still be fixed.
So, dear start-ups, if you want to be successful and want your name to have a positive context in the future, be aware early on that your product is in public use. With that comes responsibility.
Don't become another bad example; strengthen the cybersecurity of your start-up now. More information can be found here.