At VDA Labs we do a variety of technically deep security services for our customers: product assessments, copyright infringement cases, custom security research, and more.  In that time, we’ve had some interesting conversations.  One trend we have noticed is worth talking about.

Doing a startup company is hard.  There are so many interesting challenges.  For product companies, making a product that solves a problem and that customers want is hard.  Bringing it to market is hard.  Growing at a proper rate is hard.  So how you spend every penny and minute of time counts.  As such, sometimes early-stage product owners will ask their board, “should we do a pentest, code audit, or otherwise invest in security training and secure software development?”  Typically, the answer they get is along the lines of, “well you should write secure software, but NO, don’t spend much there at this time.”  The problem of course is that security doesn’t happen by accident or without investment.

The rationale is that, “it is better to make it to market messy than not to make it to market at all.”  I can appreciate that; it is a complex question.  And I don’t want to dismiss the difficulty of the technical and financial choices made along the way.  The problem is that later, as the company continues to grow and sell, it’s the customers who are buying that risk.  And unwinding complex technical debt when issues are later found (and they will be, believe me) is often non-trivial.

The speed at which we rush to market is not good for security.  Some argue there is no other way.  For buyers I would suggest a few things:

  1. Talk to your vendors about this. The problem: the sales reps will have no idea about this.  They’re often even being told misleading things about the security of their product.
  2. Look at the CVEs for a company or product using a site like
  3. If you cannot find any, be concerned. It’s a sure sign the company is either hiding or not finding its bugs.  And again, it’ll be a tricky conversation, because sales/execs are often not even aware of the bugs that the tech team is fixing.

In this day and age, every company has bugs.  The more responsible companies not only admit that, they often perform various types of pentests, bug bounties, etc. to find and fix more.

Takeaway:

Security is not about perfection.  It’s about risk, honesty, technical investigations, and continuous improvement.  If you have a vendor telling you they have no bugs or security flaws, be concerned.