When to start caring about cybersecurity?
Hello Everyone
I wanna ask while running a Saas business when do you exactly care about cybersecurity and what are the ways anyone implements it.
Hoping for insightful Answers :)
Trending on Indie Hackers
Hi there, 👋
That's actually a good question, to answer your question, "NOW". Yes, the right time is now. While running your business you should also aware of the security of your product. You should have at least a security policy which is where to report if a bug found on your product.
You should have a data backup of your business, you should have anti-malware installed on your workstation, and also don't click any suspicious links. This one is for your online security. How about your product? Well, you need to hire someone who can code your SaaS product securely, or at least you need someone to pentest your product to test the security. Actually, writing secure code is enough if you don't have a large budget.
In an addition, there are free tools on the market to try and test your SaaS product if it is coded in a secure way. Look for Snyk, StackHawk, OWASP ZAP, and many more.
If you have other questions about cybersecurity just hit me up. 😊
When you have something to protect, otherwise you are just wasting your time and money on nothing. Unless you are turning a profit, or have compliance requirements, or a specific reason to secure your application then it's a waste. Until you reach that point, all funds at that point should be going towards getting cash flow positive and creating something worth protecting. If you get hit with an attack before then, just close down the business and walk away knowing it was part of the risks involved.
Good question! I would say that the first thing to do is to make sure you use a modern web framework that will take care of the most common security concerns.
Then, it will depend on what your SaaS is about: if you are handling money or savings is very different than if you are offering a newsletter. In the first case I’d hire a security specialist and in the second case I’d rely on the framework‘s security.
Good luck!
You have to understand the common attack types (SQL injections, XSS, CSRF, etc.) really well before you start coding anything serious. Don't ever put insecure code online, internet is not a friendly place in that regard.
Also, depending on your hosting type, make sure that you understand the infrastructure you're using, bad configuration can easily result in a security nightmare.
Right from the start. I won’t write insecure code.
One of the biggest advantages of the SaaS industry is the possibility to go global from the start.
Whether you’re looking to expand in a particular country or more of them, you need to stay on top of the latest regulations to remain competitive.
Find out if your company is following the international standards with this complete SaaS compliance audit checklist: https://bit.ly/3lqeM2D
Good question, you should CARE from the start.
Caring is one thing, but implementing best practices is another. What I like to do is during development is keep in mind the OWASP top 10 and if you're working by yourself at an end of a development phase review your architecture and understand the point that's might be exploiting and explore ideas on mitigating them, STRIDE is a good practise here.
I'll end on a blunt note, if you're cutting corners on purpose making your app insecure out of negligence in order to get something released then you need to get help or understand this space abit more before releasing something. Now if you don't know, that's okay! But if you do and you're choosing not to mitigate then that's a massive problem!!
Again great question, I really hope this helps :)
Even very good programmers make mistakes and don't guarantee safety. Therefore, you need to take care of cybersecurity every time. Any changes to your code may create vulnerabilities, so it's better to scan it often and follow the practical prevention tips.
Hi @PhpSecure So is there any framework which you use to follow the tips or any scanner
You should really have that mindset right from the very start, as almost everyone here has said.
On a practical level, you have to build in gateways and switches into your system that you can trigger fairly quickly if there is a problem. At the very least, you should have functionality that enables you or your support team to immediately shut down any user account that behaves suspiciously. You should also curate email addresses of new signups and possibly reject those coming from invalid or throwaway email addresses.
You should also have functionality to shut down parts of your app should you detect odd activity, such as limiting sending our of emails or disabling new registrations if you are getting hit by lots of bot signups designed to bring your service to its knees etc.
Also, make sure your app and database servers are all only accessible via a particular VPN etc. and do routine server maintenance and shut down any ports that are not needed, or limit them to only being available via your VPN (i.e. SSH ports etc.).
Also, look at having your service behind a reputable CDN network that has built in features to limit or prevent DDoS attacks.
Don't impede legitimate users, but always have a fallback plan that will help you to stop bad actors from abusing your service.