Quick Security Tips for Non-Tech Founders - 5 Steps in Minutes
I’ve been in the trenches of software development for years, and now I’m building a venture studio with multiple apps. Today, I want to talk about something crucial that often gets overlooked, especially in the early stages of a startup: security for your SaaS product.
Let me tell you, you don’t want to end up like the French-German Interrail folks. They had this grand plan to sell a bunch of tickets, but their server crashed, and they ended up on a website that exposed all their security flaws. Yikes! But don’t worry, I’m here to help you avoid that nightmare with some basic, easy-to-implement security measures.
1. Who has server access?
First things first: who has access to your servers? This is what we call the “bus factor” in the industry.
Imagine if the only person who could fix your server got hit by a bus (dark, I know, but stay with me). Could your software survive? How quickly could you transfer control to someone else? It’s crucial to have more than one person with server access, just in case.
2. Authentication and Authorization: Know the Difference
Okay, let’s break this down real quick:
Authentication
This is all about verifying who someone is. When a user logs in with their username and password, that’s authentication. Here are some quick tips:
- Use strong password policies (but don’t go overboard, or people will just write them down)
- Implement multi-factor authentication
- Store passwords securely (salted and hashed, for you tech-savvy folks)
Authorization
Once you know who someone is, authorization determines what they’re allowed to do. As a product manager, you should have a clear overview of these permissions. The simplest approach? Just have admin access for your team and regular access for users.
Pro tip: Follow the principle of least privilege. Only give people the rights they need to do their job, nothing more.
3. App Security Standards: Don’t Reinvent the Wheel
Here’s why I always push for using frameworks like Ruby on Rails or Django: they come with built-in security features. You don’t want to deal with cross-site scripting or SQL injection attacks, trust me.
Ask your developer about the OWASP Top 10 Web Application Security Risks. If they give you a blank stare, maybe it’s time for a chat about security standards.
4. Plan for the Unexpected
I get it, contingency planning sounds boring. But hear me out. Make a simple table:
- List potential risks
- Rate their likelihood
- Jot down a quick plan for each
It doesn’t have to be fancy, especially for small products. But if you’re expecting your app to blow up (in a good way), it’s worth the effort.
5. Error Tracking: Catch Problems Before Your Users Do
This is huge. You want to know about bugs before your customers start complaining. Ask your developer:
- What kind of logging do we have?
- How do we know if there’s an error?
- Can we get alerts when something goes wrong?
If they don’t have good answers, it might be time to add some error tracking to your backlog.
Remember, Software Is a Liability
Here’s a mind-bender for you: software isn’t an asset, it’s a liability. Why? Because it constantly needs updates and maintenance to stay valuable.
If your app costs $100,000 to develop, budget about $15,000 to $20,000 per year just for maintenance. That keeps your software secure and up-to-date.
The Most Important Thing: Don’t Let Security Paralyze You
Let me be real with you for a second. You can totally over-engineer security. But you know what’s worse than an insecure product? A product that nobody uses because you were too scared to launch.
When I launch a SaaS, I make sure I have the basics covered:
- Backups (because I’ve learned that lesson the hard way)
- Standard security features from our framework
- Simple logging
But I don’t go crazy with it. I focus on making sure the software actually runs and provides value. You can always improve security later.
So, what do you think? Are these measures doable for your startup? Did I miss anything crucial? Drop a comment below and let me know!
Remember, the biggest risk isn’t a security breach – it’s not selling enough. So go out there, build something awesome, keep it reasonably secure, and focus on getting those customers!