Tech startups need to get serious about security
- 10 September, 2015 20:08
The head of the nation's primary consumer protection agency on Wednesday paid a visit to San Francisco, where she called on technology startups to do a better job of building security protections into their products as they race to bring new applications to market.
Federal Trade Commission Chairwoman Edith Ramirez's comments amplified the agency's "Start With Security" initiative, a program that aims to encourage businesses to prioritize cybersecurity as an integral part of their product development.
That effort is geared toward businesses across industries, though on Wednesday Ramirez was speaking directly to the tech world. In a remarkably short period of time, firms in that sector have introduced a galaxy of apps that help people chart their fitness, manage their money and communicate with their doctors and nurses, Ramirez noted. But each new tool that collects or transmits sensitive information also widens the attack surface, and the security threats mount accordingly.
"The software revolution has left little untouched with tremendous benefits to consumers and society as a whole," Ramirez said. "But, in a world where everything is connected, insecure products and services can have significant consequences."
Ramirez emphasized the collaborative relationship the government is seeking to kindle with the tech industry as a partner in promoting security.
"Startups are not only an important engine of growth in today's economy, but also crucial partners in our efforts to keep our marketplace secure," Ramirez said.
Relations between the government and the tech sector have been strained since former National Security Agency contractor Edward Snowden revealed the intelligence community's sweeping data-collection programs. In response, firms like Google and Apple have been strengthening the encryption built into their devices and services, in an apparent effort to keep user data out of the government's reach, steps that top intelligence and law-enforcement officials have protested.
Ramirez did not address that dustup, but instead focused her remarks on some of the cultural and practical challenges that can put security on the back burner at fast-growing, cash-strapped startups.
She is calling on the tech community to embrace what is sometimes referred to as security by design -- the idea of building core security controls into a product from the earliest stages of development, rather than bolting them on after the fact.
"In the rush to innovate, privacy and security cannot be overlooked, even in the fast-paced startup environment," Ramirez said. "Think about privacy and security as you design your product. Embed it into the development process."
FTC publishes guide with security tips for businesses
This week the FTC published a guide for businesses that outlines a number of security tips drawn from the more than 50 cases the agency has brought against firms over their data practices.
The FTC notes that each of those cases ended in a settlement rather than a court ruling, and that the particulars varied from one case to another, but certain common shortcomings in the companies' security practices emerged. For instance, the agency is urging firms to place sensible access controls around the data they collect, so that only the people and systems that need it can reach it; to require strong passwords and authentication; and to ensure that the third-party vendors they work with have reasonable security policies in place.
Ramirez is also appealing to tech startups to assess threats early on and to test their products under conditions that simulate how the application will be used in the wild, in effect attacking their own products the way an adversary would before bringing them to market, to verify that the security controls work as designed.
"Evaluate your product in scenarios that replicate how consumers will use it in the real world," Ramirez said. "Often there are financial incentives to rush to market, but make sure your security is ready before you launch."
Then, once the product is live, startups must remain vigilant as flaws are discovered and new threats emerge. Ramirez suggests that firms consider setting up a bug bounty program or designating a point person to serve as a liaison to the security community, so that researchers who discover a vulnerability know whom to contact and can expect a response.
"Bugs are inevitable," she said, "and when flaws are discovered, companies must have effective strategies for managing, addressing and learning from vulnerability reports."