Every New Software Service Should Bake Strong Security In From the Start

Lock it down.

On Thursday, Venmo announced that it was adding two-factor authentication to its social mobile payment service. The company had promised that it was working to add this feature in the aftermath of a Slate report calling out the app’s problematic security.

At the time, Venmo wrote, “We’re working to be more responsive to your support inquiries. We’ve made significant progress and will continue to improve in this area.” Venmo is a payment app. By definition, it deals with sensitive financial data. Since banks themselves frequently face high-profile hacks, it’s not exactly surprising that Venmo would be a target for scams. But startups are all engaged in the race to be first, and no matter how many breaches happen, it seems like every company is just hoping it won’t happen to them.

Larry Dignan, the editor-in-chief of ZDNet, writes, “The software industry and the customers that implement applications rarely think about security first. … Does it strike anyone as odd that we were hit by patches for four major vulnerabilities in 24 hours this week?” Yeah! What about that?! But this passage isn’t current. Dignan wrote it in 2008. And the conversation about how to get software entrepreneurs to prioritize security dates back even farther than that. But the urgency is mounting.

Last week, the popular office chat program Slack announced that it had been hacked over four days in February. Some user data—like encrypted passwords, email addresses, usernames, and even some phone numbers and Skype IDs—was compromised, and the company’s investigation found suspicious activity on a small group of accounts. Along with the announcement of the hack came the debut of two-factor for Slack. “Two Factor Authentication has been in development for the last few months. It is a complicated change,” the company wrote. “We have decided to release it immediately, despite the remaining bits of clunky-ness: the feature works and it does provide a significant new level of protection against unauthorized access to your Slack account.”

The question remains: Why wasn’t two-factor available from the start? A representative for Slack told Slate that the company prioritized implementing single sign-on (SSO), which allows company employees to enter Slack using their broader, office-wide login system, which may have two-factor or other special security features of its own. (Okta and OneLogin are examples of SSO services.) But SSO is a premium feature on Slack. You can only access it through the Plus level of $12.50 per user per month or higher. The free and “Standard” ($6.67 per user per month) options don’t include SSO. So it seems like it would have been more secure for Slack to roll out two-factor, which is now available to everyone, first and then turn to SSO.

These types of situations occur over and over. In 2013 and 2014 Snapchat provided an instant-classic example of a product that was not nearly secure enough to have been released. The company failed to patch numerous security flaws discovered by researchers and instead essentially waited for its service to be breached, which it eventually was. Duh.

“If you’re building an app, especially if you’re an early stage company and you’re not properly trained or experienced, you’re just worried about getting adoption and making your app work,” said Marc Boroditsky, the general manager and vice president of authentication for Twilio, which recently acquired the two-factor authentication provider Authy. “And then all of a sudden you wake up and you got attacked. It only becomes a priority once you actually experience the adverse consequences.”

As Slack indicates in its statement above, a big barrier to entry for including strong security from the start is the perception that it’s complicated and takes time. This seems to be an inflection point where companies like Authy are working to create change by offering customizable, but pre-fab two-factor products that are easier to implement. Password managers like 1Password and LastPass have a similar philosophy that the way to make security ubiquitous is to make it easy.

But this has been difficult to achieve in practice. Chris Eng, the vice president of research at Veracode, told Fast Company last year that, “Security is just not top of mind for most developers. It’s not something that has worked its way into a product’s life cycle.”

So will it take everyone having a personal experience with hacking to make security more of a priority for developers? Boroditsky says that the closer a hack hits to home, the more likely it is to have an impact. “Having been in security for more than 20 years, I’ll tell you, the time when we’re getting the most business is when websites and applications and enterprises are getting hacked the most. It’s probably not too different from when people buy insurance right after they’ve had a bad experience.”