When Security counts and when it doesn’t

When should you invest a lot of time and money into security? When should your code be unhackable?

I can already hear some neck beard uber security guy typing out “ALWAYS” and I agree… most of the time.

If your company can lose any significant money, competitive advantage, or it could cause any harm to your customers, I 100% agree that you should invest everything you have into making your code as secure as possible, but what if nothing is on the line?

Last week, I slammed out one of the ugliest MVPs of my life, Game Day Bingo. As an engineer/web application architect, I want everything to be perfect. I want it to painlessly scale up to millions of users, be completely unhackable, so when the bad guys come because my website is so popular, they can’t get free bingo cards from me.

As a lifelong entrepreneur, I know the odds of millions of people showing up at one of my MVPs are about the same as me getting struck by lightning twice in one afternoon.

Getting customers is a slow slog that takes a long time and dedication.

While I am using best practices for payment (luckily, Stripe does a lot of the heavy lifting there) and for users’ personal identifiable information, I did cut one corner that could be used to generate free cards.

I am well aware that the hacker elites out there, or honestly even the script kiddies, could easily generate their own cards.

Heck, for those of you out there who want a Cloud War Games -esque challenge, I suggest you give it a try. DM me your solution if you do.

Why am I willing to cut this corner, you might ask?

Because there are zero consequences if people figure out how to generate more bingo cards. It won’t stop others from generating them, honestly you could replicate it in minutes.

It took me longer to get the thing to render on mobile than it did to build the base randomization engine.

Luckily for me, for the price I am charging for the cards and considering most people interested in this product are not as technical as my audience, I am not worried about this for this MVP. I’ll fix it if it turns out to be a viable business model.

Bottom line:

Know what you potentially stand to lose before you make any significant investments in your tech. If you are a massively established company that depends on every 1 and 0 being perfect 100% make that investment.

If you are a pre-customer startup trying to validate your first purchases, know where to cut corners to get things out there (Not on the payment integration or user info security). Don’t spend a second on details that no one will know or care about.

On the flip side, do you actually know what you stand to lose if someone were to bypass your security? If you don’t, you will want to get on it (Hint: That is part of what I do for a living, so if you need help, ping me).

As for when to invest in security and when to use a little duct tape, let me know your thoughts.