from Hacker News

Ask HN: Is it the norm for companies/startups to not give a damn about security?

by nonasktell on 8/25/22, 1:52 AM with 35 comments

Hi, I've joined a startup a few months ago(with a few dozens employees). A B2B startup which have some very huge clients which you all heard of, multinationals, some parts of governments.

It's not critical infrastructure or anything close to that, but we deal with the personal data of pretty important employees of those companies, and have an app installed on their phones.

And the "security" culture, seems like the worst you could imagine, I wonder if it's (almost) the norm in the industry or just some bad luck, would love to have your opinions and stories about this topic

A few months ago, I found a vulnerability allowing any user(and I do mean ANY user), to login as an admin on our homemade administration space with a simple trick, which would allow them to change almost any "trusted" content that users can see on our app, text, images, videos, links or files that they'll be asked to open/download, delete users, dump a list of all users...

Fixing this has been at the bottom of the todo list for months, and no one seems to care, no one is assigned to it. When it's brought up people are like "ooh yeah that's like really really bad, but what about [tiny useless feature than one user asked about]?we don't have the time to fix that!"

Hundreds of employees passwords for what's AFAIK our largest client, are stored in PLAINTEXT.(same story as the vulnerability, bottom of the todo list, no one cares)

Oh, and did I mention that any logged in user can call almost any API endpoints with almost zero verification that he's allowed to call them?

Those 3 issues are still there after months even though everybody is aware of them.

Would you just get the hell out without looking back? or keep trying to improve stuff even when it takes months to just get them to care enough to start maybe thinking about assigning a dev to a problem?

How is it at your current/past companies?

Thanks

  • by metadat on 8/25/22, 2:43 AM

    No, this isn't normal in my considerable experience. What you are experiencing signals that something is fundamentally lacking in the thinking and prioritization of the leadership.

    The unfortunate reality is the class of companies called "startups" only requirement is that someone convinced someone else to give them money, and now they're the boss. This can lead to all sorts of things.. like what you're seeing.

    I'd bail to somewhere else with more professional leadership. Even if this one instance gets fixed, the deficit is indicative of a cultural problem that I've not yet seen ever really change.

    Not taking the security of your customers seriously is guaranteed poison in the medium to long term.

  • by aintmeit on 8/25/22, 3:11 AM

    Unless your company is doing things on the level of trafficking minors or racketeering, then the information that comes out will be run-of-the-mill oopsies. Having worked a bit in DevSecOps, I can tell you that storing clear-text passwords in places like version control files is much more common in companies than anyone would hope. Also, auth is just hard, in part because it forces servers to be stateful.

    Because companies have a wide range of options for dealing with the consequences of leaks, they'll prioritize security last instead of shifting left. Some common responses by companies include:

    - denying there's a problem

    - covering up the problem

    - acknowledging the problem in a blog and demand to be praised for the disclosure

    - blaming employees for the mistake

    To make a good plan, you can break down concerns piecemeal. What's the worst case scenario if attackers get a hold of employee passwords? What happens when users trust tampered content?

  • by raffraffraff on 8/25/22, 6:02 AM

    In my experience, start-ups play fast and loose with all sorts of things like security, data integrity etc. It's how they can quickly build a service an offer it to larger companies who would never get it done due to internal management inertia, politics, architecture reviews, project management, processes, audits, controls and regulations. However, it shouldn't be "that" bad. For example, I worked at a start-up that successfully made it to $8+b valuation, and they had tons of extremely scary shit. But generally when someone found a critical issue, everybody sighed, rolled up their sleeves and fixed it. Because a security breach, data leakage or data loss that is caused by such negligence is a company extinction event for a start-up. These guys are playing Russian Roulette. Get out before the inevitable occurs.

  • by giantg2 on 8/25/22, 1:30 PM

    "Is it the norm for companies/startups to not give a damn about security?"

    More or less, yes. They generally talk about security, but it's mostly just lip service. Although I will say your examples are pretty extreme.

    I once worked on a team as the security champion for a major financial system the company uses internally (thankfully) for trading. There was a problem with SQL injection on every page/input we built in that system. And it had schema owner privileges, so you could drop tables and stuff. This is a possibility to happen by accident since there are trade desk devs who could have a tablename collision and accidentslly paste SQL into a field, let alone the malicious possibilities

    I brought this up with the principle to see which of the two remediation plans he wanted to pursue and what resources he would provide me with for the work. Apparently they wanted to go with their own option of do nothing. They said there's an automatic backup of the database in near realtime (forget the name). Would it duplicate dropping tables? How far back can you restore? Has it ever been tested? What are the procedures for restoring? How long to restore (even a 15 minute outage is the end of the world according to the business)? They didn't know any of it, and they didn't really care to.

    I promptly left that team. They just wanted a security champion to do paperwork for regulatory compliance. I had no real power to make improvements beyond the smaller stuff could do myself.

  • by zivkovicp on 8/25/22, 8:25 AM

    Your examples seem pretty extreme, and I would say they are definitely not normal. I'd guess the leadership and engineering quality at this company is sub-par and they probably don't even realize the extent of the problem.

    With that said, my experience is that security issues get taken care of when they are very dangerous, or only after the main product tasks get done. Fixing minor issues in a (NEW) product/company that might not survive the year is a comparative waste of time... survival comes first usually.

  • by speedgoose on 8/25/22, 4:44 AM

    It sounds like you care, not no one, so you could assign yourself to these issues and fix them. It’s easier to ask for forgiveness than permission.

    If you can’t do that, or people get upsets because you did, you should probably start looking for a better job.

  • by herbst on 8/25/22, 7:23 AM

    I worked in a etablished PHP shop that only worked with middle sized to big companies. There was no security other than the default options shipped with the used products.

    I guess it's less about startup culture but more about bad culture in general.

  • by powerhour on 8/25/22, 4:47 AM

    I haven't experienced anything this bad. I've seen security lapses and have been able to fix them on my own or with a team, and I don't remember ever getting pushback.

    It's probably time to start interviewing. Ideally before your employer's security woes become headline news. (Of course, if you've only been there a few months you can easily leave them off your resume once word of the flaws gets out.)

  • by oreally on 8/25/22, 5:19 AM

    Without laws, companies are more concerned about their bottom line before user security. And you can't blame them for that - people would rather put food on their table after all, vs something that's going to slow you down or at most cause something that causes less damage then you think.

  • by muzani on 8/25/22, 8:54 AM

    This seems to happen more in B2B startups in my experience. I think it's because there's just more blind trust in B2B, and the success bar is a little lower than B2C. I worked at a company which was testing on production, didn't use source control. They messed up hard and frequent with critical customers, including a major media company that could have slandered the hell out of them.

    That company still didn't die and are popular in the community. Natural selection applies in the business world, but some startups really are the cockroaches of the world.

    That said, it's not common. It happens in maybe 2-3 jobs out of 10. Often these are the guys who say yes to everything the customer asks for, which puts them in a peculiar niche.

  • by lasereyes136 on 8/25/22, 12:29 PM

    Many will justify it as we will be lucky to survive and grow to a point where a security incident will be a problem.

    AppSec is never the most important thing on any product manager or product owners list. No one says AppSec isn't important, just other things are more important. Sometimes the best you can do is talk them into letting the people that care dedicate some of their time to fixing security issues. While it seems bad, if this is a product or company you care about, working to make it better makes sense. You also might consider adding security concerns into requirements, acceptance criteria, and code reviews (if you have those) to stop it from getting worse.

  • by superchroma on 8/25/22, 3:56 AM

    Yes and no. They'll throw a big wad of cash at some provider to get some badly hacked together SSO auth and endpoint monitoring solution but then release insecure garbage running on an ancient copy of android, debian or whatever.

  • by msarrel on 8/25/22, 8:12 PM

    Yes. Startups are deeply focused on revenue. Developing security for a product is considered "extra" and "nice to have", not essential. That goes double for operations. I have never seen a startup actually practice security unless in preparation for an audit.

  • by sergiotapia on 8/25/22, 6:50 PM

    No, in 15 years working I haven't seen anything of that magnitude be ignored. You seem to have found a really bad organization. Something that large always was a drop everything and assign one person to fix it immediately kind of thing.

  • by gitgud on 8/25/22, 8:31 AM

    Some things at certain scales are just not the main priority.

    This means security might not be valued, but that is a risk the business is taking in order to more resources towards the multitude of problems start-ups face...

  • by zach_garwood on 8/25/22, 3:04 PM

    I wouldn't say it's abnormal -- startups are in a constant state of SNAFU (situation normal: all fucked up) -- but it's definitely not acceptable.

  • by aprdm on 8/25/22, 5:31 AM

    I would say that it isn't normal and it seems pretty bad.

  • by danielmarkbruce on 8/25/22, 4:05 AM

    Out of interest, why haven't you fixed it?

  • by mountainriver on 8/25/22, 3:01 PM

    Yup “security third” is a very real idea, most startups don’t have time to worry about security much, they have to get a product launched

  • by dev_0 on 8/25/22, 2:59 AM

    Yes even big companies don't care about security.... it's all facade and compliance

  • by GentWhoCodes on 8/25/22, 9:47 AM

    Obligatory GDPR

    Poorly securing personal data in the UK/EU is rather illegal. So no, any reputable shop *will* care about security, ensuring personal data is kept secure and bugs patched as a priority.

    Going up the food chain, "huge clients which you all heard of, multinationals, some parts of governments" will not be impressed if you are found to be slack when it comes to leaking customers data.

  • by cpach on 8/25/22, 11:44 AM

    This sounds very bad and not normal. I would resign ASAP.