Tech startups need to get serious about security

Federal Trade Commission chair takes her message about security by design to the Bay Area, urging young companies not to let the rush to market overshadow critical consumer protections.

The head of the nation's primary consumer protection agency on Wednesday paid a visit to San Francisco, where she called on technology startups to do a better job of incorporating security protections as they race to bring new applications into the market.

Federal Trade Commission Chairwoman Edith Ramirez's comments amplified the agency's "Start With Security" initiative, a program that aims to encourage businesses to prioritize cybersecurity as an integral part of their product development.


That effort is geared toward businesses across industries, though on Wednesday Ramirez was speaking directly to the tech world. In a remarkably short period of time, firms in that sector have introduced a galaxy of apps that help people chart their fitness, manage their money and communicate with their doctors and nurses, Ramirez noted. But with each new tool that collects or relays sensitive information, the security threats mount.

"The software revolution has left little untouched with tremendous benefits to consumers and society as a whole," Ramirez said. "But, in a world where everything is connected, insecure products and services can have significant consequences."

Ramirez emphasized the collaborative relationship the government is seeking to kindle with the tech industry as a partner in promoting security.

"Startups are not only an important engine of growth in today's economy, but also crucial partners in our efforts to keep our marketplace secure," Ramirez said.

Relations between the government and the tech sector have been strained following the revelations of the intelligence community's sweeping information-collection programs by former National Security Agency contractor Edward Snowden. In response, firms like Google and Apple have been strengthening the encryption on their devices and services in an apparent effort to keep the government from accessing user data, steps that top intelligence and law-enforcement officials have protested.


Ramirez did not address that dustup, but instead focused her remarks on some of the cultural and practical challenges that can put security on the back burner at fast-growing, cash-strapped startups.

She is calling on the tech community to embrace what is sometimes referred to as security by design -- the idea of incorporating some core security features at the earliest stages of development.

"In the rush to innovate, privacy and security cannot be overlooked, even in the fast-paced startup environment," Ramirez said. "Think about privacy and security as you design your product. Embed it into the development process."


FTC publishes guide with security tips for businesses

This week the FTC published a guide for businesses (available as a PDF) that outlines a number of security tips drawn from the more than 50 cases the agency has brought against firms over their data practices.

The FTC notes that each of those cases ended in a settlement outside of court, and the particulars varied from one case to another, but certain common shortcomings in the companies' security frameworks emerged. For instance, the agency is urging firms to place sensible access controls around the data they collect, to mandate the use of strong passwords, and to ensure that the third-party vendors they work with have reasonable security policies in place.
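The "mandate strong passwords" recommendation is easy to state and easy to get wrong in practice. As an added illustration (not code from the FTC guide or from this article), the following Python checks a candidate password against a minimal policy and stores it with a memory-hard hash; the common-password list is a constructed sample standing in for a real breached-password corpus, and the length and distinct-character thresholds are illustrative choices.

```python
# Added example (not from the FTC guide or this article): a minimal password
# policy check and credential storage routine illustrating the "mandate strong
# passwords" recommendation. The common-password list is a constructed sample.
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

MIN_LENGTH = 12  # illustrative threshold

# Constructed sample; a deployment would check against a large breached-password corpus.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}


def password_problems(password: str, username: str = "") -> List[str]:
    """Return the policy violations for a candidate password (empty list = acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if len(set(password)) < 4:
        problems.append("uses fewer than 4 distinct characters")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a 32-byte scrypt digest with a random 16-byte salt; returns (salt, digest).

    scrypt is memory-hard, so offline guessing against a leaked digest costs far
    more than it would against a plain hash such as SHA-256.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(repr(pw), "->", password_problems(pw, "alice") or "ok")
    salt, digest = hash_password("correct horse battery staple")
    print("verify:", verify_password("correct horse battery staple", salt, digest))
```

The policy check runs before anything is stored, so a rejected password never reaches the hash; the constant-time comparison in `verify_password` avoids leaking how many leading bytes of the digest matched. Rate limiting of login attempts, which the guide's "sensible access controls" point also implies, sits outside this snippet.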

Ramirez also urged startups to assess threats early and under conditions that simulate how the application will be used in the wild, in effect attacking their own products before launch to confirm that the security features work as designed.

"Evaluate your product in scenarios that replicate how consumers will use it in the real world," Ramirez said. "Often there are financial incentives to rush to market, but make sure your security is ready before you launch."

Then, once the product is live, startups must remain vigilant about security issues as flaws are discovered and new threats emerge. Ramirez suggests that firms consider setting up a bug bounty program or designating a point person to serve as a liaison to the security community, someone researchers can contact when they discover a vulnerability.

"Bugs are inevitable," she said, "and when flaws are discovered, companies must have effective strategies for managing, addressing and learning from vulnerability reports."
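One concrete way to publish the kind of contact point Ramirez describes is a security.txt file served at /.well-known/security.txt, a format standardized in RFC 9116 several years after these remarks. The file below is an added example, not from the FTC guide or this article; the domain, addresses, URLs and expiry date are placeholders.

```text
# Served over HTTPS at https://example.com/.well-known/security.txt
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2026-12-31T23:59:59.000Z
Policy: https://example.com/security/disclosure-policy
Acknowledgments: https://example.com/security/hall-of-fame
Preferred-Languages: en
Canonical: https://example.com/.well-known/security.txt
```

Contact and Expires are the required fields; RFC 9116 recommends an expiry of less than a year so that a stale contact address is noticed and refreshed, and allows the file to be signed with OpenPGP so researchers can check it has not been tampered with.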

Stories by Kenneth Corbin