8 common mistakes that startups make in application security


1) Being too closed-minded 

Startups just don't think about startup security. 

The focus is the product, right? The priority is PMF. How can we focus on application security at a time like this? They don’t realize it, but startups are making a choice. 

Do you want to think about application security when your hair's on fire, your leadership team is freaking out, and you’re halfway through an all-nighter, or when you’re calmly instrumenting an account creation, login, or payment form? Many seem to choose the former. They don’t have to.


2) Being too confident

Startups think they can address all future fraud.

Leaders will plan for some of the most obvious ways they’ve been burnt before and think they’ve covered all their bases. The trouble is that they can’t see the cracks in their patchwork of solutions until an attack occurs. This will invariably hurt your runway and decrease your ability to launch your desired features on time. 


3) Being too trusting

Startups have fallen in love with a tool, integrated it deeply, and moved on. 

A single tool (and no other tool) to solve all your problems is tempting. Why bring on multiple vendors if I can just buy one tool that does everything? They seem to check all the boxes. This usually leads startups to integrate this single tool deeper and deeper into their product. This may seem like you’re securing the future, but you’re actually adding work for when you need to update or adjust.


4) Being too charitable

Startups will end up paying too much money for an application security product. 

Sales cycles and negotiations are tough. When you aren’t used to negotiating for Trust, Fraud, and Application Security products or you don’t have the right information, you can be led astray. Startups lack the context needed to get the right price and the right downstream ROI for their business. On top of that, long sales cycles can be draining, which sometimes leads people to buy impulsively.


5) Being too disruptive

Startups let security issues sidetrack core product development.

When application security and fraud are not thought about strategically, they can crop up at a moment’s notice. When a fraud spike happens, it often triggers an all-hands-on-deck response that derails existing timelines. Context switching and being pulled away from development have a compounding adverse effect on core development time.


6) Being too shortsighted

Startups don’t have a native Trust, Fraud, and Security strategy for their product.

Fraud falls into similar categories, but every business is different. Fraudsters look at startups holistically and spot cracks to exploit. They are well versed in looking at patchwork solutions and thinking about unique ways to extract value from your unique product or your unique user base. Depending on the product, the line between normal behavior and abuse can get blurry. It is important to bring a unique fraud-fighting mindset to every product so that it leads to the least disruption downstream.


7) Not being time sensitive

Startups are spending too much time on application security. 

How can this be bad? We’ve just talked about how companies aren’t spending enough time. Surely, more time is always better. Well, as we all know, activity isn’t impact. Time doesn’t mean action. When it comes to building for application security, sometimes build time can be wasted on things that’ll shortly have to be ripped out. When it comes to evaluating tools, the time spent in sales cycles for non-needle-moving tools can also be a waste.


8) Not assigning ownership

Startups aren’t assigning a stakeholder to own the process and be accountable for the results. 

Building for an ever-evolving future threat is not an easy undertaking. It takes time; as you grow, it’ll take more time. It’s important to assign a team member to think about the problem holistically and dedicate time to building a comprehensive strategy that is ready to evolve with the world around it.

If you’re looking for more information on these common mistakes or want some tips on avoiding them, then feel free to chat with us or contact us at hello@dodgeballhq.com