Did you spend 0% of your website’s budget on security?
What about your new web application, new API, or even your new e-commerce store?
We’re talking about independent security testing, auditing and verification, rather than the things your developers did (or apparently did) in terms of security.
Be honest. You wouldn’t be alone.
We work with a lot of developers, development shops, and founders, and we understand how things are: the competing pressures on budget and time come from many directions, web app developers are typically very busy, and many ventures are already stretching their project budgets well beyond what was originally planned. So there’s no judgement here, just experience and some suggestions.
That is because we also see first-hand the pain, stress and ultimately the cost of security incidents, even for a marketing website that holds no customer information or other private or secret data.
We’re not keen to FUD* you – we’re just quite familiar with what shooting the gap on proper security verification can look like. And allocating 0% of your web development project to security verification is very much shooting the gap.
What we see that works well is when founders, product owners, or even developers put their hand up early in the project planning lifecycle and argue for independent verification as a key and intentionally scheduled part of the project. When everyone is racing for the line to meet all the other project demands, it is too easy to delay (often indefinitely) the verification piece.
All websites and applications have vulnerabilities of one sort or another (we’ve literally never, ever tested one that doesn’t). New ones built under product launch deadlines typically have many, including the worst kinds. That’s why independent security testing by experienced penetration testers is an essential part of a successful, low-risk product release.
If this key step is a fundamental part of the project, is budgeted, and is scheduled for just the right time before product launch, that relatively small, non-0% part of the project budget will pay off not just through reduced stress and risk at launch time, but ongoing confidence in the security and stability of your cool new product.
* that’s fear, uncertainty and doubt, for those lucky enough to have avoided it so far