Let’s say you’re a responsible corporate citizen. You want to retain customers and attract new customers. Maybe you architect applications, maybe you design them, or maybe you code them. If you’ve ever brought up some aspect of application security — say, you point out it’s a really good idea to disallow cross-site scripting (XSS) — I bet you’ve run into opposition like:
- We’re not a bank! We don’t need all that security.
- We’re not a military installation. Why would we waste time and resources on security?
- We don’t have any sensitive information. Why are you trying to slow the development process down with useless security?
We’re not a bank! Why do we need security? Answer: You don’t — if you don’t care about customers!
Those might have been legitimate questions sometime in the past. When, I don’t know, but I’m trying to be charitable here. The point is, those questions are invalid now. Why?
- Money isn’t the only thing malicious actors steal. Personal information, log-on information (typically an e-mail address), or even just source IP addresses can be useful to them. In other words, if you have an application on the Internet, it’s of interest to malicious actors. How will your existing customers react if your site’s compromised? Will such an event help or hurt your chances with future potential customers?
- Sure, securing military installations is critical. But so is securing your installation! Ask doubters this question: if a malicious actor were loose on your servers, what havoc could they wreak? How would your customers react to receiving spam from your compromised servers? Would potential customers be more or less likely to consider you if they know you by a reputation for spamming?
- Your site may not store personally identifiable information. You might not store financial information. But you store something — or you wouldn’t have an application! How would an existing customer react if they found their data spewed all over the Internet — even if it’s just a record of which cat pictures they looked at? Would you join a website that allowed such shenanigans?
Would you use a site that you can’t trust? Would your customers?
It’s not even accurate to say security isn’t optional. It’s more accurate to say that security is a requirement, just as important as any other business or technical requirement. Not taking security into account means increasing the risk of losing existing customers and decreasing the chance of obtaining new customers.
People who ask questions like the ones above simply don’t understand what they’re asking. We’ll talk about how to deal with them in the next post.