The biggest security concern for startups is, it’s not a priority
Software is inherently about managing data, so selling a software product requires you as a founder to convince potential customers you can be trusted with their data. The reality, however, is that growing a startup is a prioritization game, and security is often overlooked. This is something we witness every day at Onboardbase: if your team consists of 3-5 people, it’s unlikely you are doing everything to safeguard your customer data―smaller companies spend less than $500 per year on security, while 50% of large enterprises spend at least $1 million per year! You’re probably not reviewing third-party code or actively following and monitoring security news, and you probably can’t afford a security audit.
In the following article, we explain the psychological and financial reasons why startup teams don’t put as much effort into their security as they do into their product, and what they can do to fix it today without breaking the bank. Make sure to share the link with your colleagues!
Why Cybersecurity Is Important For Startups
An obvious reason to invest in your cybersecurity is the cost of a data breach―$4.35 million per data breach on average, double that if your company is based in the US according to IBM. Cybersecurity not only drastically decreases attack risks, but also helps you recover much quicker if a hacker manages to break your system: fixing a data breach in less than 200 days can save $1.12M on average.
A security breach can happen to anyone. A study by Cisco showed that 56% of all organizations have experienced a security breach in the past year, and attackers do not spare startups. In fact, TechCrunch features data breach stories almost every week! Even though you might be tempted to think it can only happen to big companies, reading the post mortems tells you otherwise: whether it’s a leaking Git repository or a tricked employee, it only takes a single bad day.
As we explained in the introduction, retaining the trust of your customers is essential as a tech startup because your main job is to manage data! When a company like LastPass gets breached, you think twice about staying around: after December 2022 when the attacks reached their peak, searches regarding “lastpass alternative” soared on Google Trends.
Though the impact on revenues is uncertain, we wouldn’t wish the same situation on anyone! Startup founders tend to think of security as a blocker and an unnecessary expense, but it’s quite the contrary: it’s what enables you to keep your team’s morale up and stay on course throughout the years! The negative perception people might develop regarding security best practices originates from psychological biases―to name a few:
- Optimism bias - Overestimating the probability of positive outcomes and underestimating the probability of negative outcomes like data breaches.
- Overconfidence effect - Excessive confidence in your own skills that leads you to underestimate risks.
- Framing effect - The way information is presented influences how individuals perceive and make decisions about it. Learning more about cybersecurity is important to open your mind to its benefits.
- Normalcy bias - The tendency to underestimate the probability of a crisis by assuming things will continue to work normally as they have in the past.
- Sunk-cost fallacy - When dev teams continue investing resources into a project or decision based on the cumulative investments they have already made instead of considering the potential future costs and benefits. We often see startups roll out their own security systems, even though the impact on productivity is disastrous.
Whatever your position is toward cybersecurity, it’s important to regularly take a good look at what you do and plan accordingly. Read till the end to get a quick overview of where to start.
What Matters To Secure Your Startup
Security is about risk management: you need a trade-off between protecting your data and keeping your team profitable and fast. You can obsess about making your code perfect, implement all the best practices, and pass every security certification out there. But ultimately, a startup needs to keep growing.
Though we already explained that cybersecurity is not an obstacle to growth, there are elements to prioritize to protect your customers’ interests while increasing your team’s productivity. This is what we explain in the next section. For a deep dive on common threat models startups usually face, don’t hesitate to read our dedicated article on the state of startup cybersecurity.
8 High-Priority Tickets To Add To Your Backlog Today
1. Outsource security to cloud providers
When it comes to software infrastructure, it’s almost always preferable to go with cloud providers: security misconfigurations affected 208k websites tested by OWASP! Whether we are talking about identity management, payments, or server management, a dedicated cloud provider will save you months of work and big headaches if anything goes wrong with your DIY solution.
In the case of core web development tools that cannot easily be delegated entirely, like GitHub repositories, SaaS, or CLI tools, automate things as much as possible to reduce your attack surface. For example:
- Use a CI/CD pipeline - Automated deploys remove potential tampering.
- Use Onboardbase to inject environment configurations - Instead of configuring app secrets manually and opening yourself to errors, let a secret management tool like Onboardbase do the work automatically.
- Install vulnerability scanners - Leverage tools like GitHub’s built-in vulnerability scanner to catch problems before they happen.
Even recently, Toyota exposed sensitive information from 300,000 customers by leaving an access key in a GitHub repository for almost five years. With a solution like Onboardbase, you can say goodbye to environment files without sacrificing your team’s productivity: just use the onboardbase init command to secure all your secrets in 5 minutes.
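A leak like this can be caught before it is pushed. The sketch below is an added example, not Onboardbase's or GitHub's scanner: it flags AWS-style access key IDs and high-entropy values assigned to credential-like names, using patterns, a threshold and a sample file that are assumptions constructed for illustration.

```python
import math
import re

# AWS access key IDs: "AKIA" followed by 16 uppercase letters or digits.
AWS_KEY_ID = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")
# NAME=value or NAME: value where NAME looks like a credential (assumed heuristic).
# The value class excludes "$" and "{", so references like ${VAR} are not literals.
ASSIGNMENT = re.compile(
    r"(?i)\b([A-Z0-9_]*(?:SECRET|TOKEN|PASSWORD|API_KEY)[A-Z0-9_]*)"
    r"\s*[:=]\s*['\"]?([A-Z0-9+/_=-]{16,})"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed cut-off, tune per codebase


def shannon_entropy(value):
    """Bits of entropy per character; random tokens score higher than words."""
    total = len(value)
    return -sum(
        (n / total) * math.log2(n / total)
        for n in (value.count(ch) for ch in set(value))
    )


def scan(text):
    """Return (line_number, rule, redacted_match) for each suspected secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in AWS_KEY_ID.finditer(line):
            findings.append((lineno, "aws-access-key-id", match.group(1)[:4] + "****"))
        for match in ASSIGNMENT.finditer(line):
            name, value = match.groups()
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append((lineno, "high-entropy:" + name, value[:4] + "****"))
    return findings


# Constructed sample file; the AWS key ID is the placeholder from AWS documentation.
SAMPLE = """\
DEBUG=true
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
PAYMENT_API_KEY="c9Fq2xL7vR0pZ3mWc8TbY1uHd4Ke"
DB_PASSWORD=${DB_PASSWORD_FROM_VAULT}
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Findings are redacted to the first four characters so the scanner's own output does not become a second copy of the secret.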
2. Secure your secrets
Effective secret management ensures that sensitive information like encryption keys, API tokens, and credentials remains inaccessible to unauthorized individuals.
- Implement strong encryption - 234k websites tested by OWASP presented a critical vulnerability in their encryption system, and storing your secrets unencrypted can quickly backfire. Using a tool like Onboardbase is important to secure your encryption keys as well. Our security guidelines conform to a zero trust architecture, using AES-256 encryption at rest and a combination of AES-GCM and RSA encryption in transit.
- Ensure secure secret sharing - If you need to share secrets with a colleague, use Disposable―it’s a chat-like web app we built to share sensitive information securely and quickly with end-to-end encryption and automatic deletion.
- Regularly rotate secrets - Implement a secret rotation policy to regularly update and refresh your encryption keys, API tokens, and other sensitive credentials. By periodically changing secrets, you mitigate the risk of long-term exposure and unauthorized access.
For more information, check out our article on secret management.
3. Monitor your stack
Security monitoring involves the use of tools to track real-time HTTP traffic and performance and identify anomalous patterns that may indicate a potential security breach. Without proper logging and monitoring, breaches can go unnoticed and leave startups vulnerable to potential threats.
- Log all events - Monitor login attempts, access control failures and input validation errors, and include sufficient information to identify suspicious accounts.
- Set up alerts - Configure real-time alerts to quickly detect and respond to suspicious activity.
- Establish an incident response plan - Create a robust plan to effectively handle security incidents―who should be notified, where, how. It’s important to not panic and foster a culture of openness and shared responsibility to escalate security problems when they arise without blaming.
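The first two items can be combined in a few lines. This added example (not part of any Onboardbase tooling) counts suspicious events per source address in a sliding window and raises one alert when a threshold is crossed; the log format, window, threshold and sample lines are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # assumed alerting window
THRESHOLD = 5                  # assumed: suspicious events per source within WINDOW
SUSPICIOUS = {"login_failed", "access_denied", "validation_error"}

# Constructed events in an assumed "timestamp event user source_ip" log format.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z login_failed alice 203.0.113.7
2024-03-01T10:00:05Z login_failed carol 198.51.100.20
2024-03-01T10:00:09Z login_failed alice 203.0.113.7
2024-03-01T10:00:20Z login_ok carol 198.51.100.20
2024-03-01T10:00:31Z login_failed bob 203.0.113.7
2024-03-01T10:01:02Z login_failed admin 203.0.113.7
2024-03-01T10:01:40Z access_denied admin 203.0.113.7
2024-03-01T10:02:00Z access_denied dave 192.0.2.44
2024-03-01T10:02:10Z login_failed admin 203.0.113.7
"""


def detect(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per source IP, raised when it first crosses the threshold."""
    recent = defaultdict(deque)  # ip -> (timestamp, user) events still inside the window
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[1] not in SUSPICIOUS:
            continue  # skip malformed lines and benign events
        ts = datetime.strptime(fields[0], "%Y-%m-%dT%H:%M:%SZ")
        user, ip = fields[2], fields[3]
        events = recent[ip]
        events.append((ts, user))
        while ts - events[0][0] > window:  # drop events older than the window
            events.popleft()
        if len(events) >= threshold and ip not in alerted:
            alerted.add(ip)
            alerts.append({"ip": ip, "at": ts.isoformat(), "events": len(events),
                           "accounts": sorted({u for _, u in events})})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Each alert carries the accounts that were targeted, which is the "sufficient information to identify suspicious accounts" the logging item asks for.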
Onboardbase offers a secret usage monitoring feature that allows you to track all secret accesses in real-time. You can also set up alerts to be notified, and use real-time monitoring to notify dev teams when, where, and how secrets are being used. In case of a data breach, you can revoke accesses granularly in an instant using the device management feature that keeps track of all tools, cloud services, and devices connected to a project workspace.
4. Backup your data
Have a backup system that regularly makes encrypted copies of your database and distributes them offsite: if your web infrastructure is compromised, leaving copies in your local disk is a huge risk, even if your encryption keys are strong.
- Make it part of your devops pipeline - Database dumps only take a single command, so you might as well have an automated task for it as part of your CI/CD pipeline.
- Don’t forget to encrypt your backups - Backups should never be left unencrypted for obvious reasons.
- Don’t put all your eggs in the same basket - You should have redundant backups located in different server networks.
Remember: backing up your data is your responsibility, don’t blindly rely on your cloud providers. A lot of things can go wrong and you don’t want to leave it to chance.
5. Include relevant tests
Test-driven development is kind of a meme nowadays, but it’s one of the most cost-efficient ways to protect your startup. 262k websites tested by OWASP showed signs of insecure design that could be avoided with a bit more planning, and 274k websites tested by OWASP were vulnerable to injection attacks―a hacker injects malicious code or commands into a web application by exploiting vulnerabilities in the user interface, whether it’s via form, URL, or API request.
- Integrate security requirements into user stories - By considering security at the planning stage, you can identify potential vulnerabilities early on and define appropriate tests. For example, make sure to test what happens when a user exceeds a resource consumption threshold like an API rate limit using load testing.
- Don’t forget server-side input validation - Apply server-side input validation best practices to validate and sanitize user input. This helps prevent injection attacks by filtering out malicious data and ensuring that only valid inputs are processed.
- Enforce strong type-checking - Implement strong type-checking mechanisms in your codebase to enhance the security of your data logic.
Unit tests, functional tests, and code checks are precious tools―don’t neglect them!
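As an added illustration (not code from Onboardbase), here is the same lookup written with string concatenation and then with server-side validation plus a parameterized query, followed by the check a test suite would run against both. The table, names and username allow-list are assumptions.

```python
import re
import sqlite3

USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{3,32}")  # assumed allow-list for usernames


def make_db():
    """In-memory database with two constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, email TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return db


def find_user_vulnerable(db, name):
    # Vulnerable: user input is concatenated into the SQL text,
    # so quotes inside `name` change the structure of the query.
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()


def find_user_safe(db, name):
    # 1. Server-side validation: enforce the type and the expected shape.
    if not isinstance(name, str) or not USERNAME_RE.fullmatch(name):
        raise ValueError("invalid username")
    # 2. Parameterized query: the driver passes `name` as data, never as SQL.
    return db.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()


def check_injection_is_rejected():
    """Security test: hostile input must not widen the result set."""
    db = make_db()
    hostile = "nobody' OR '1'='1"
    assert len(find_user_vulnerable(db, hostile)) == 2  # every row leaks
    try:
        find_user_safe(db, hostile)
    except ValueError:
        pass
    else:
        raise AssertionError("hostile input was accepted")
    assert find_user_safe(db, "alice") == [("alice", "alice@example.com")]
    return True


if __name__ == "__main__":
    print("injection rejected:", check_injection_is_rejected())
```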
6. Think through your authorization policies
No matter how transparent and laid back you want to be, you can’t apply the same attitude toward professional software development. The stakes are just too high: 318k websites tested by OWASP had at least one critical vulnerability in their access control policies!
Authorization defines who can do what in an app, and broken access control leads to unauthorized data modification. Startups are particularly vulnerable to this as they often have limited resources and lack the expertise to properly implement and manage authorization rights: having a large number of users and stakeholders makes it challenging to ensure each one has the appropriate level of access.
Nobody in your team should have the same access privileges. People work on different things, with different responsibilities, and for different durations. For public-facing areas, use a zero trust architecture whenever applicable. Assume no user or device is trustworthy by default, and continuously verify all devices and users before granting access to resources.
7. Expect human errors
Stolen credentials are the most common cause of data breaches according to a report by IBM, and take 327 days to identify on average. Phishing attacks come second with 37% of all cyberattacks. Both are insider threats where employees or contractors leak sensitive data. These attacks involve tricking employees into divulging sensitive information, such as login credentials, through fraudulent phishing emails, messages, phone calls, and other social engineering attacks.
Humans are always the weakest link when it comes to cybersecurity. In many cases, cyber attacks are successful because of simple human errors that could have been prevented with a little bit of preparation.
For example, Onboardbase provides a range of human-centric features. Our real-time monitoring feature keeps developers informed about how and when their development environment configurations are being used. If any unusual activities are detected, access can be immediately revoked with a simple click, reducing the risk of security breaches. With our device management feature, you can keep track of all devices connected to your project workspace and easily revoke access for compromised devices. Lastly, our codebase secret detection scans your codebases to identify any exposed secret vulnerabilities. If compromised code is found, our system prevents it from being deployed to production, ensuring that client data remains secure at all times.
Additionally, it is important to provide adequate employee training to educate them on security best practices.
8. Get ready for DoS attacks
DDoS (Distributed Denial of Service) attacks increased by 74% in 2022 compared to 2021, making them particularly harmful to web startups. A DoS attack disrupts a web application by overwhelming it with traffic requests to make it unavailable.
Fortunately, protecting yourself from a DoS has never been easier with basic tools like Cloudflare. A CDN service like Cloudflare provides geographically distributed servers to cache and deliver web content closer to end-users, reducing latency and improving overall performance while preventing traffic overloads.
You should also rate limit your web server endpoints by adding a rate limit policy to your reverse proxy configuration to prevent spam requests on critical endpoints, use a load balancer as a reverse proxy to distribute incoming traffic among multiple local web servers, and enable floating IP addresses to quickly reassign resources to different web servers in the event of a security breach.
Security should be seen as an enabler, not an obstacle, to long-term success. Startups, regardless of their size, are vulnerable to cyber attacks leading to costly data breaches and loss of customer trust.
To secure your startup, prioritizing simple things like outsourcing security to cloud providers, securing secrets, monitoring your technology stack, backing up data, implementing relevant tests, defining authorization policies, preparing for human errors, and being ready for DoS attacks can go a long way to reduce your attack surface.
To learn more about startup security and get started on securing your business, subscribe to Onboardbase!