Wednesday, April 20, 2016

Holding Down Startup Security Costs

So you're part of a fancy new startup. You have fancy new equipment, and fancy new friends. There's a fancy office with other startups who also have varying degrees of fanciness. What is this new thing you have to be concerned with again? You know, that thing hovering over your head like a drone with low batteries about to swan dive through your cranium? Yes, it's the potential money pit known as security.

Capital is scarce in the startup environment, especially for security, since the emphasis is on getting a product to market. Lately, I've seen a larger push from early investors for their startups to keep more equity in the pool. This takes one of the juicier reasons for a good security person to work with you, for lower-than-normal pay, off the table. Some of the savvier investors are even requiring *ahem* security reviews of the companies/products they bankroll. Perish the thought.

Here are some suggestions that can help you balance your scant budget with your security needs.

#1 Put the cost of security up front

Try to have someone on retainer instead of a full hire. Do an initial session for a pre-negotiated rate where you lay out everything your product or business does. A good security veteran should be able to put together a notional outline of all the policies and procedures you will need to stay out of trouble. Barring that, they can probably point you to someone who can. Once you are comfortable with the information gathered via Googling or further consultation, you have a couple of options. Either pay your existing contractor to flesh out the documentation and stand up some basic infrastructure, or shop around for a better deal. Putting the policies and procedures for the security of your business/product up front lets your developers and early administrative hires know what is expected of them. Speaking of developers knowing what is expected of them...

#2 Always separate testing from production.

Do not let your devs operate on the production systems. You don't need to spin up costly AWS instances to create a bastion on which to test. Use lower cost solutions where up-time isn't five nines, or cobble together some refurbished workstations to get the job done. If you have to cram all of your creative needs into one small group of downtrodden individuals, make sure their eventual screw-ups don't take down the production servers. It's probably a good idea to have stricter control over the credentials to all things production as well. Some of those you hire may not be as keen on later decisions you have to make. Use your own imagination on what could happen there. Development costs mad loot, but losing investment capital on a bungled push or a vengeful colleague costs crazy mad loot. Crazy mad loot being equal to the entire balance of your credit cards, mortgage, grocery money and corporate account - mathematically speaking. Not only is this division good development practice overall, it leads ever so gently into...

#3 Tackle the low hanging fruit with a bug bounty program.

If you have exposed web services, or a downloadable app, put some bounties on those puppies. Dedicate a few grand to standing up a bug bounty program. It's cheaper to 1099 a security guru to outline a bug bounty program than it is to have a full-time reverse engineer or seasoned code reviewer. Pay a small retainer to someone experienced who can assign which classes of vulns qualify for what level of payout. Have them write down specific guidelines for when you get multiple submissions for the same bug. Ask them to break down the payouts by how helpful the researcher who found the bug was. If they give you a full PoC with a patch, give them the max. If someone reports a flaw but offers no help in reproducing it and no fix, give them considerably less. Depending on the complexity of your system/app, five grand worth of bounty funds could be well worth six figures of full-time expertise. You'll never catch everything, but at least this way you can catch the obvious. BugCrowd and ExploitHub exist for a reason. Use them to lower your vuln discovery costs.

#4 Keep the fridge stocked (bonus since it is not just related to security...maybe security-tangential)

Do you have any idea how far $500 at Costco can go production-wise? There's a reason Google has a cafeteria and places to play games. They keep the smart people at work longer. I am much more inclined to work an extra 10 hours a week if there's Monster in the fridge and Hot Pockets in the freezer. Try the following experiment sometime (not that I support human experimentation, ESPECIALLY of the developer kind). Check the commits when you've exhausted your snacking reserves versus after a post-Costco spendfest. Go ahead, do it. I won't tell if you don't. By the way, when you check the commits do not just check the count. Not all fixes are the same. I've seen one-liners that took a week to figure out while fifty lines were shat out in one jam session, all because one was buried beneath a million rock layers of abstraction and the other was an easy feature request.

P.S. I know #2 was hard on devs, but I'm hoping you'll read into this piece that I mean all devs, including the founders/head-honchos if they are also the ones doing the development.

-vesh

Saturday, April 2, 2016

Rethink Your Business Models if Piracy is a Concern

Certain products and items are easily copied in this day and age. Instead of whining about how so-and-so stole my intellectual property, let's look at the list of the serially offended to see where the problem really lies.

Movies
Television
Music

All of the above are parts of a studio system where a few major production companies, through copyright abuse and various other IP laws, exist solely because they are protected by law. Is it really sensible that someone ought to be paid, perpetually or almost perpetually, for something that requires a team of lawyers to ensure their income stream? They should absolutely be paid for their investment in the artist, i.e. marketing and studio time, but can't they do that by just taking a percentage of the artist's earnings instead?

I apologize to the actor or artist that they may actually have to do some work post-writing, through acting or performing live. I know this screws up the dynamic of being able to write a good song or create a good show, and then watch as the replays earn you money. In 99.9% of the other industries out there, we don't get paid for the work we already did. If I built a car today, I have to build another one tomorrow in order to get paid. I don't have to pay Honda every time I use their car. Nor does Honda get any revenue when I sell my car or give other people a ride in it. Jay-Z, though, wants a cut every time I play "Big Pimpin'".

The right way to do this is for the musician to show up to a venue and charge money to hear them live. Do not expect someone to pay you for something I can copy with two mouse-clicks. In the real world, I have to actually piece together a house. If I want another house, I have to piece that one together too. A considerable amount of real work went into recreating that house. For a house blueprint, on a computer, I simply Ctrl+C then Ctrl+V to make a copy. See how labor went into one effort but not the other?

What would a system without any type of piracy laws look like? For starters, large studio systems would not exist. Musicians would have to actually do concerts and sell merchandise to generate serious money. I believe several friends of mine who perform professionally would acknowledge that the bulk of their revenue comes from merchandise and live performances. Software companies already go to great lengths to protect their products. There are several licensing companies who exist solely to prevent unauthorized (unpaid) use. This system prevents 99% of the market from pirating their copies.

I apologize if this means that we as individuals are going to have to be more market savvy about what people are willing to pay, instead of taking the easy road of DMCA take-downs and other threats. However, if you are always producing something tangible, a live concert experience, new features, etc., you will always have buyers if the price is right. Don't get swept up in Intellectual Property protectionism. It is very easy to lay back and let the lawyers do the work. Do you really want your income dependent on subpoenas? A business reliant upon laws to support its activities is a business which should never have existed.