Developers June 15, 2020

Why don't indie hackers care about security?

rab

There have been a couple of posts from members recently reporting security breaches on their website / app.

  • One saw a malicious user delete other accounts with no database backup.
  • Another told a story about a "Russian" who "hacked" their system with an (open source) cross-site scripting test.

Both of these are pretty shocking to me.

Security is difficult. No system is 100% secure. But to any security expert these examples really are first-page stuff, which suggests some indie hackers need help.

Questions

Why aren't IH members taking security seriously?

How can we help more IH members take security seriously?

What advice / tools / services exist to help?

  1. 7

    I think it's a combination of risk-reward and lack of knowledge. It's very unlikely you'll get hacked, and if you do, being at a very early stage you don't lose that much. You are still affected, but you can recover. Securing everything requires some knowledge and effort to implement.
    Also, a lot of indie hackers are focused on building, rather than making things robust and impenetrable. I still take security into account, of course: I have backups and implement the minimum necessary to secure my apps, but after a certain threshold you encounter diminishing returns (especially in the low-level CVE/exploit area, where you can't really defend yourself except by keeping your stack as up-to-date as possible, because there is a very wide range of vulnerabilities).
    But yeah, at least have daily backups, strong passwords, and services not exposed publicly if they aren't client-facing (or at least have the firewall block unauthorized traffic). This requires relatively low effort and allows you to sleep better at night.

    1. 2

      I was just about to type something similar - well put.

      In addition, I'd add that most full-stack frameworks now, like Laravel & Rails, are pretty secure by default. As in they embed basic security concepts inside their default way of doing things. For example, Laravel won't let you submit an HTML form if you forget to add a CSRF token.

      Also, my approach to security is that the level of it should scale with the level of use (and income) your product is making. Are you just starting out and trying to get your first paying customers? Maybe spending a week on security isn't that important. Are you serving 10,000 users, each of whom is paying you a monthly subscription? Perhaps invest a bit more into making sure their data is secure.
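To make the "secure by default" point above concrete, here is an added illustration (not Laravel's or Rails' own code) of the synchronizer-token check a framework applies to every state-changing request before your handler runs: a form that forgot the token is rejected, a forged token is rejected, and a read-only GET passes. The `_token` field name and the `Session` class are assumptions for the example.

```python
import hmac
import secrets

# Added example: a minimal default-deny CSRF middleware, modelled on the
# behaviour the comment describes (not the framework's real implementation).
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}   # read-only verbs are not checked
TOKEN_FIELD = "_token"                      # assumed form field name


class Session(dict):
    """Constructed stand-in for a server-side session store."""


def issue_csrf_token(session: Session) -> str:
    """Create (or reuse) the per-session secret that every form must echo back."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def csrf_middleware(method: str, form: dict, session: Session) -> tuple[int, str]:
    """Default-deny: a POST/PUT/DELETE without a matching token never reaches
    the handler. 419 is used here as the 'page expired' rejection status."""
    if method.upper() in SAFE_METHODS:
        return 200, "ok"
    submitted = form.get(TOKEN_FIELD)
    expected = session.get("csrf_token")
    if not submitted or not expected:
        return 419, "csrf token missing"
    # Constant-time comparison on bytes so odd input cannot raise or leak timing.
    if not hmac.compare_digest(submitted.encode(), expected.encode()):
        return 419, "csrf token mismatch"
    return 200, "ok"


def demo() -> dict:
    """Run the four cases a developer typically hits: GET, forgotten token,
    forged token, and a correctly rendered form."""
    session = Session()
    token = issue_csrf_token(session)
    return {
        "get_without_token": csrf_middleware("GET", {}, session),
        "post_forgot_token": csrf_middleware("POST", {"email": "a@b.test"}, session),
        "post_forged_token": csrf_middleware("POST", {TOKEN_FIELD: "x" * 43}, session),
        "post_with_token": csrf_middleware("POST", {TOKEN_FIELD: token}, session),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:>18}: {result}")
```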

      1. 1

        Yep, frameworks usually offer good support. One of the errors cited was using a well-known framework + REST library, so unfortunately they're not a panacea. Just wonder how much this stuff is on people's radar.

    2. 1

      Agree with your "risk-reward", but given we are talking about such a basic level of security, "lack of knowledge" probably explains it. There must be a basic tutorial somewhere that explains what to check and why.

  2. 1

    I think many of us are just unaware of the risks. Plenty of IHs are learning to build as we go, and our attention is primarily on making the product "work." Security, clean code, doing things the "right way," etc. would be great, but we're in an "I don't know what I don't know" situation.

    1. 1

      Don't get me wrong - security is almost a bottomless subject & you would not be able to cover it all. I think a basic level is wise, though I am trying to see the "no security till viable" argument, but frankly I would be embarrassed if I suffered the problems cited in the OP.

  3. 1

    Many indiehackers are in the early stage.

    When a product is not making money or there are very few users, security is not important because only robots visit the site. This is the reason.

    When will a company take security seriously? When it has passed PMF and the risk is getting much higher.

    Think about when GitLab accidentally deleted its DB: the company took it seriously because it was causing them pain. They lost a lot of money.

    Security is like insurance. When you see that someone nearby has a tragedy, you will take it seriously because you will probably be the next unlucky guy.

    1. 1

      Hi. You just saw someone nearby have a tragedy.

  4. 1

    Yes, +1 on all the posts here.

    I've asked a number of indie hackers and entrepreneurial college students about this exactly. There are a couple common elements in all of the answers:

    • "I'm too small to be a target."
    • "We're just trying to validate the product/market."
    • "I used XYZ framework, so it does it for me."

    For the most part, these viewpoints are actually correct! At the early IndieHacker stages, security is usually not the most important thing to be spending time on. It really sucks to see someone small just validating an idea have their website get attacked.

    The only thing I ever tend to caution against is the 3rd viewpoint. Many people assume they're safe because they use some popular, well-known, open-source framework. This couldn't be further from the truth. Some frameworks are a bit better than others with security practices, but no framework can prevent you from doing something silly. Unfortunately, popular tends to be an easy stand-in for secure.

  5. 1

    Indie hacking is pretty overwhelming. Even without the product security aspect. I'm not surprised people choose to focus on the building, because security is a separate domain entirely that requires research and effort to implement. I'd put it into the same bucket as UI accessibility. Ideally we would have everything covered, but there are only so many hours in a day.

    As far as advice goes, in case anybody needs some pointers on NodeJS security, you can check out this article I wrote on the topic.

    It should give you a head start and help digest some security jargon.

    1. 1

      Hi. I think only experts will be able to follow your deep dive article.
