Corporate vs. Product Security in Startups

When corporations search for an information security specialist, most of the time their goal is to find someone who can keep their organization secure. He or she needs to be able to protect the company's secrets and resources. If this person takes over the Chief Information Security Officer (CISO) role, then the main task is to write, maintain and control the information security concept and the security guidelines of the whole company or of a division within a larger corporation. If the person is recruited as a cybersecurity specialist within the (local) IT department, then he or she is more likely to be implementing the security concept in practice: writing working instructions with checklists, and maintaining inventory registers, configuration documents and security reports.

What both have in common is the focus on the company's secrets and resources. This can include access restrictions and authorization mechanisms for the building and for the IT systems, backups of company data, and so on. In the Lean Startup Security Guide the role for these tasks is called the Corporate Security Responsible.

On the operational level some organizations split the security tasks between physical (facility) security and network (IT) security groups, but their goals are still the same: securing the company's secrets and resources. [1]

But for many companies there is also a need for an additional security team, the product security team. Those companies produce a product or operate a service and need to make that product or service secure. Most of the employees who focus on product security are simply part of the engineering teams. In some cases they even have different job titles and descriptions, such as "security engineer" or "security tester", and are involved in each step of the software development life cycle (analysis and specification, design, implementation, testing, integration and maintenance). In many other cases these security engineering tasks are somewhat overlooked and are only thought about when the first issues from the production environment are reported. In the Lean Startup Security Guide the role for these tasks is called the Product Security Responsible.


Relation to Startups

Because software and Internet startups deliver software directly or offer software as a service to their customers, they need to deal with both corporate security and product security.

Ideally the product security team is separated from the corporate security team, since the two operate in different environments and on different tasks. Therefore they also need different kinds of skills. While product security requires software development skills, corporate security requires knowledge of networks, off-the-shelf appliances and their configuration ([1], chapter 2.2). Separation can also be important because of the prioritization of tasks. What is more important: fixing a flaw in the server configuration or fixing a flaw in the company's product? ([1], chapter 2.1)

This separation into product and corporate security teams can also be implemented in small software companies. Example: one of the software developers is responsible for product security and the system administrator (if there is one) is responsible for corporate security tasks. Both are steered by and have to report to the CTO.

For startups which offer Internet services (e.g. web shops, social media platforms, apps with constant server communication or software-as-a-service products) it is a little more difficult to differentiate, since

  • the company's secrets, such as the customers and all the information about them, as well as the source code of the software, are part of the product and are stored on servers which can be directly accessed through the Internet.
  • many startups use cloud services (Infrastructure- or Platform-as-a-Service products from Amazon, Google, Microsoft, etc.) and do not even have their own infrastructure.
  • the backend software, which is written in Java, PHP, Ruby, Python, JavaScript, etc., might have interfaces to other off-the-shelf server software such as the database, ERP or SAP systems, server monitoring software and other tools.
  • often either the system administrator or a developer is also responsible for DevOps (a clipped compound of development and operations) tasks, and software deployment is automated in many cases. So it might be the case that a developer (and not an administrator) is installing and configuring server software, such as the web server or tools to index and query databases.


Therefore the borders blur a little. A hacker can get access to sensitive company data through misconfiguration or exploits in off-the-shelf server software, but he or she can also get access through misconfiguration or exploits in the backend software which is developed by the company itself. For such companies it is advisable to build a joint corporate and product security team, since many of the tasks and skills overlap.

Nevertheless, especially in those cases it is important to have clear responsibilities, rules and guidelines. If a developer is configuring off-the-shelf server software, then he or she also needs to have the expertise to do so, or the whole task needs to be reviewed by someone who has that knowledge.

Because this is a very important organizational topic, there is a dedicated safeguard on "Corporate vs. product security" in the Lean Startup Security Guide.


[1] P. Watson, "Corporate vs. Product Security," SANS Reading Room, May 2013. [Online]. Available: https://www.sans.org/reading-room/whitepapers/bestprac/corporate-vs-product-security-34237. [Accessed 19 June 2016]