In the tech community, we run into a large number of start-ups trying to be the next-big-thing. Also traveling in these waters are venture capitalists trying to find and fund the next-big-thing. Any venture capitalist who is looking to invest in a tech company should be adding a software code audit to their due diligence, if it is not there already. Here are three reasons why:
- Start-ups don’t worry about security. When start-ups first get going, they are typically operating on a shoe-string budget, and the concern is developing a proof-of-concept and hammering out the details of how the product will look and perform. The development team is focused on adding features and making things easy to use, NOT on ensuring rock-solid security. Spending time on things like checking input bounds to prevent SQL injections and ensuring your database password table is encrypted is just not high on the list. The security risks of a tiny product with no users that may never amount to anything just don’t rank. The problem is, there are countless tales of companies that made it huge and never bothered to go back and button up these security issues. As a VC, you should know whether such issues exist, what your exposure is, and what it will cost to correct them down the road.
- The embarrassment of a cyber-breach can be hard to recover from. Let’s say your VC investment paid off. The company you funded has been adopting users at an impressive rate. It is gaining publicity, and it appears your investment is going to pay off handsomely. Then it happens. The news shifts from raves about the product’s attributes to news of it being hacked. People start questioning you and wondering how you could have allowed this. Users leave in droves as their trust is broken. You find out all too well that the adage “There is no such thing as bad publicity” is dead wrong. The cost of a cyber-breach is almost always far greater than the cost of preventing it.
- You should have an independent expert validate the soundness of your investment. During the due diligence process of most venture capitalists, numerous outside experts are brought in to assist, such as lawyers and accountants. Just as important is bringing in an expert on the very thing your new investment hinges on: the technology. An information security audit can give you valuable information on the entire structure of the organization and product you are investing in. It may look pretty on the outside, but is the code well written? Are there dangerous security flaws that are extremely expensive to repair? Has the software already been hacked? Bringing in an independent information security expert allows you to validate the underlying technology so you aren’t simply judging a book by its cover.
As you can see from these reasons, it is a good idea for venture capitalists to include the time and cost of a penetration test and source code review in the vetting process. Your investment needs to be more than just a good idea, and having an understanding of the underlying security of the entity you are investing in can prove to be extremely valuable.