I'm currently in the process of learning the ropes of web security, mostly by using OWASP and various Mozilla resources for reference.
What I noticed in the process is that quite a few of the middle-stage startups, whose SaaS products I use, seem to often roll their own security infrastructure (custom session management etc.), visibly omitting many of the basic guidelines recommended by experts. I'm not even talking about "persistent cookies", which is more often than not a business decision, but things like transmitting PII over HTTP are a dime a dozen. Wasn't Facebook serving all of their content over HTTP all the way to 2011? Not to mention all of the sites that store their user passwords in cleartext, when bcrypt libraries are completely ubiquitous.
Now, it's not my place to judge their attitude towards security. I am however extremely interested in the underlying thought process and strategy that led to those choices.
Is the startup philosophy that security is something you deal with once you become a real business and/or someone makes a fuss about it? Is the idea that you simply don't have the bandwidth to deal with anything but advancing the product (more features, more customer development, more sales etc.)? Or, are the "security experts" living in their own world where nothing but their immediate concerns is important?
Has anybody's business REALLY ever been hurt by being hacked? If leaking user data once or twice doesn't hurt a business, what incentive do small companies have to get it right the first time?
I'd love to understand this better, thank you.
The best question when we think about investing in security is:
How much is a fire extinguisher worth before and after a fire?