Why Builders Need to Care About Security
The attacks that hit real products — and why "I'm too small to be targeted" is wrong
Security breaches are not just a problem for large companies. Automated bots scan the entire internet for vulnerable applications 24 hours a day. A new web app is typically probed within minutes of going live. The attacker does not need to know you exist — they just need your app to be vulnerable.
The threat model for web applications
- Automated scanners: bots probe every IP on the internet for common vulnerabilities — Tools like Shodan index every exposed server. Your login page will be brute-forced within hours of going live.
- Credential stuffing: leaked username/password pairs tested against your login — Billions of credentials from other breaches are tested against new sites automatically. Rate limiting is the defence.
- SQL injection and XSS: the most exploited vulnerabilities in web history — Both are 30+ years old and still account for a significant percentage of successful attacks in 2026.
- Supply chain attacks: malicious packages in your node_modules — A dependency you have not audited can execute arbitrary code on your server or steal data from your users.
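The rate limiting that the brute-force and credential-stuffing bullets above point to, as an added Python example that is not part of the original article: a sliding-window throttle on failed logins, counted per source IP (one machine guessing many accounts) and per username (many machines trying one account). The user store, salt, IP addresses and attempt log are constructed for the demo; a real application keeps a random per-user salt, uses bcrypt, scrypt or Argon2, and pairs the throttle with MFA, because a per-username throttle on its own lets an attacker keep a legitimate user locked out for the length of the window.

```python
"""Sliding-window throttle for failed logins (added example, not the article's code)."""
import hashlib
import hmac
from collections import defaultdict, deque


class SlidingWindowCounter:
    """Counts events per key inside a trailing window of `window_seconds`."""

    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window_seconds = window_seconds
        self._events = defaultdict(deque)  # key -> timestamps of recent events

    def _prune(self, key, now):
        q = self._events[key]
        while q and now - q[0] >= self.window_seconds:
            q.popleft()  # drop events that have aged out of the window
        return q

    def over_limit(self, key, now):
        return len(self._prune(key, now)) >= self.limit

    def record(self, key, now):
        self._prune(key, now).append(now)

    def reset(self, key):
        self._events.pop(key, None)


class LoginThrottle:
    """Throttles failed logins on two axes: per source IP and per username.

    Per-IP catches one machine guessing many accounts (brute force); per-username
    catches many machines trying one account (credential stuffing). The defaults
    are illustrative; pick values that tolerate a forgetful human."""

    def __init__(self, ip_limit=20, ip_window=300, user_limit=5, user_window=900):
        self.by_ip = SlidingWindowCounter(ip_limit, ip_window)
        self.by_user = SlidingWindowCounter(user_limit, user_window)

    def allow(self, ip, username, now):
        return not (self.by_ip.over_limit(ip, now) or self.by_user.over_limit(username, now))

    def record_failure(self, ip, username, now):
        self.by_ip.record(ip, now)
        self.by_user.record(username, now)

    def record_success(self, username):
        # Only the user counter is cleared: a success from one IP must not hand
        # that IP a fresh budget for guessing other accounts.
        self.by_user.reset(username)


# Constructed credential store. A static salt and low iteration count keep the
# demo fast; real code uses a random per-user salt and bcrypt/scrypt/Argon2.
SALT = b"constructed-demo-salt"


def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 10_000)


USERS = {"alice": _hash("correct-horse"), "bob": _hash("battery-staple")}


def password_ok(username, password):
    candidate = _hash(password)  # always hash, so unknown users cost the same time
    stored = USERS.get(username)
    return stored is not None and hmac.compare_digest(stored, candidate)


def login(throttle, ip, username, password, now):
    """Return 'throttled', 'ok' or 'denied' (one answer for bad user and bad password)."""
    if not throttle.allow(ip, username, now):
        return "throttled"
    if password_ok(username, password):
        throttle.record_success(username)
        return "ok"
    throttle.record_failure(ip, username, now)
    return "denied"


def simulate(attempts, throttle):
    """attempts: iterable of (time, ip, username, password) tuples in time order."""
    return [login(throttle, ip, user, pw, t) for (t, ip, user, pw) in attempts]


# Constructed credential-stuffing run: five IPs try leaked passwords on one
# account, then the real user logs in, first inside the window and then after it.
STUFFING = [(t, f"203.0.113.{t + 1}", "alice", f"leaked-pw-{t}") for t in range(5)]
STUFFING.append((5, "198.51.100.7", "alice", "correct-horse"))    # throttled
STUFFING.append((905, "198.51.100.7", "alice", "correct-horse"))  # window has passed

if __name__ == "__main__":
    print(simulate(STUFFING, LoginThrottle(user_limit=5, user_window=900)))
```

The two counters are deliberately independent: with only a per-IP limit, a stuffing run spread over thousands of addresses never trips it; with only a per-username limit, a single machine can still walk through every account one guess at a time.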
Your web app is not a locked house — it is a shop with an open door
A physical shop has a door that is open during business hours. Anyone can walk in. Most people are customers. A few are shoplifters. Web applications are the same: your API is open, your login page is reachable by anyone on the internet. Security is not about locking the door — it is about making sure the shoplifters cannot do anything useful even if they walk in.
The cost of a breach
- Customer data loss: GDPR fines up to 4% of annual turnover — For a startup doing €500k revenue, that is €20,000. For a mid-size company, millions.
- Reputational damage: trust is hard to rebuild — Users who had their data exposed rarely return. A breach at the wrong moment kills a funding round or an acquisition.
- Downtime: attacks can take your product offline — A DDoS attack or a ransomware infection can put your product down for hours or days. For a SaaS, that is direct revenue loss.
- Personal liability: some jurisdictions hold founders and CTOs personally responsible — Especially for negligent handling of health or financial data. Ignorance is not a defence.
The good news
The vast majority of attacks exploit known, preventable vulnerabilities. The vulnerability classes in the OWASP Top 10 — the 10 most common web security risks — account for the majority of successful breaches. Learn to prevent these 10, and you are ahead of most deployed web applications.
Security is mostly about defaults
Prepared statements prevent SQL injection. Encoding output prevents XSS. Strong session management prevents auth attacks. These are not exotic mitigations — they are standard patterns you should be using anyway. You are not adding security as an extra layer; you are just writing code correctly.
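The three defaults named above in one runnable Python example, added here and not the article's own code: a lookup that splices input into the SQL text beside its prepared-statement form, an HTML greeting with and without output encoding, and a session ID drawn from the OS CSPRNG with the cookie flags a session needs. The in-memory SQLite table, the probe string and the names are constructed for the demo.

```python
"""Prepared statements, output encoding and session IDs (added example, not the article's code)."""
import html
import secrets
import sqlite3


def make_db():
    """Constructed in-memory table standing in for the application's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def find_user_vulnerable(conn, username):
    # Input is spliced into the SQL text, so the database cannot tell query from data.
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, username):
    # Prepared statement: the SQL text is fixed and the value is bound separately,
    # so whatever the string contains is compared as a username, never parsed as SQL.
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


def greeting_vulnerable(name):
    # Raw interpolation into HTML: any markup in `name` is interpreted by the browser.
    return f"<p>Welcome, {name}!</p>"


def greeting_safe(name):
    # Encode for the HTML context the value lands in: <, >, &, and quotes become entities.
    return f"<p>Welcome, {html.escape(name, quote=True)}!</p>"


def new_session_cookie():
    """Unguessable session ID from the OS CSPRNG, with the cookie flags a session needs."""
    sid = secrets.token_urlsafe(32)  # 256 bits of entropy, never a counter or a timestamp
    return sid, f"session={sid}; HttpOnly; Secure; SameSite=Lax; Path=/"


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"  # constructed input that turns the WHERE clause into a tautology
    print(find_user_vulnerable(db, probe))  # every row comes back
    print(find_user_safe(db, probe))        # no rows: no user has that literal name
    print(greeting_vulnerable("<script>alert(1)</script>"))
    print(greeting_safe("<script>alert(1)</script>"))
    print(new_session_cookie()[1])
```

None of the safe variants cost more code than the vulnerable ones; the difference is only which call you reach for by default.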
Try this
Go to haveibeenpwned.com and enter your personal email address. See how many data breaches have exposed your information. Now consider: if attackers have your email and the password you used on those breached sites, what can they access if you reuse passwords? This is the credential stuffing attack — and it affects your users too unless you have rate limiting and MFA.