I'm working with a start-up, mostly doing system administration, and I've come across some security issues that I'm not really comfortable with. I want to judge whether my expectations are accurate, so I'm looking for some insight into what others have done in this situation, and what risks/problems came up. In particular, how critical are measures like placing admin tools behind a VPN, regular security updates (OS and tools), etc.?
Keep in mind that as this is a start-up, the main goal is to get as many features as possible out the door quickly, so I'll need as much justification as I can get to get the resources for security (i.e. downtime for upgrades, dev time for application security fixes).
Background Info:
- Application is LAMP as well as a custom java client-server.
- Over the next 3 months, I project about 10k anonymous visitors to the site and up to 1000 authenticated users.
- Younger audience (16-25) which is guaranteed to have an above average number of black-hats included.
Thanks in advance for your responses, and I'll welcome any related advice.
Reputation is everything here, especially for a startup. As a startup, you don't have a long history of reliability/security/... - so all depends on users to give you the 'benefit of the doubt' when they start using your app.
If your server gets hacked and your users notice that, your reputation is gone. Once it's gone, it doesn't matter whether your app and your features are the 'next new thing' or not. It doesn't matter whether the security breach was minor or not - people won't trust your app/company anymore.
So, I would consider security to be the top priority.
I agree with Stefan about reputation. You don't want to get hacked because you were lacking in security. Not only will that hurt your site and company, it will look bad on you since you're in charge of that.
My personal opinion is to do as much as you can because no matter how much you do there will be vulnerabilities.
Unfortunately security, like testing and documentation, is often an afterthought. You should really make sure to do risk assessments early in your site/software's life and to keep on doing assessments. I think it is important to patch all software for security holes.
These will probably be obvious:
It's also worth mentioning that, as you said, the network architecture should be set up appropriately. You should definitely have a decent firewall that's locked down as much as possible. Some people recommend putting your systems between dual firewalls of different makes so that in the event one of them has a critical vulnerability, the second will most likely not have the same vulnerability and you'll be safe. It all depends on what you can afford since it's a startup.
If you're explicitly trying to attract the sort of users who are inclined to try to crack systems, then you can pretty well bet that your system will come under attack.
You should suggest to the management that if they're not going to take security seriously, then you should just go ahead and post the company's bank statements and accounting books (in clear text) on the site, with a prominent link from the home page. At least that way, you can tell them, the end result will be about the same, but they're less likely to damage everything else to get what they're looking for.
I'd think that the reputation issue might have a slightly different cast with this audience, too -- they may forgive you for being hacked, but they probably won't forgive you for being an easy target.
My best suggestion is monitoring.
There is no perfect security and it is all about accepting risks and preventing them when necessary. However, if you have no monitoring in place you will have no way to know if something (an attack) has succeeded and how it happened.
So, keep your system updated and install a few lightweight tools to monitor it properly. If you have custom applications, add logging in there. Log on error-generated errors (bad input), failed passwords, or any user-generated error.
As for lightweight tools to monitor, there are quite a few free/open source:
Also, don't forget you need to have your server secured from current (that is, soon-to-be-past) employees. Several startups were totally wiped due to employee sabotage, e.g. http://www.geek.com/articles/news/disgruntled-employee-kills-journalspace-with-data-wipe-2009015/
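As an added example (not code posted by anyone in this thread), here is one way the application-side logging recommended in the answer above could look, together with a small detector run over a few constructed log lines. The audit-line format, the field names, the thresholds and the IP addresses are all assumptions made for illustration; the detector flags the two failed-password patterns a monitoring setup should catch first, one source hammering one account and one account being tried from many sources.

```python
"""Constructed example: a structured audit logger for a custom application
and a detector that flags brute-force patterns in its output. The format
'<ISO-8601 UTC timestamp> <event> key=value ...' and all thresholds are
assumptions for illustration, not anything from the original thread."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

AUDIT_RE = re.compile(r"^(?P<ts>\S+) (?P<event>\S+)(?P<fields>(?: \w+=\S+)*)$")


def audit_line(ts, event, **fields):
    """Format one audit event. Field values are sanitised so that
    user-controlled input (a username, a rejected parameter) cannot contain
    whitespace or '=' and thereby forge extra fields or extra log lines."""
    clean = {k: re.sub(r"[\s=]", "_", str(v)) for k, v in fields.items()}
    parts = [ts.strftime("%Y-%m-%dT%H:%M:%SZ"), event]
    parts += [f"{k}={v}" for k, v in sorted(clean.items())]
    return " ".join(parts)


def parse_line(line):
    """Parse one audit line back into a dict, or None if it does not match."""
    m = AUDIT_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split())
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts.replace(tzinfo=timezone.utc), "event": m.group("event"), **fields}


def detect_bruteforce(lines, max_failures=5, window=timedelta(minutes=10)):
    """Return alert strings for (a) a source IP with more than max_failures
    failed logins inside a sliding `window`, and (b) an account that fails
    from three or more distinct IPs (distributed guessing). One alert per key."""
    alerts, already = [], set()
    fails_by_ip = defaultdict(list)   # ip -> timestamps of recent failures
    ips_by_user = defaultdict(set)    # user -> set of IPs that failed for it
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["event"] != "login_failed":
            continue
        ip, user, ts = ev.get("ip", "?"), ev.get("user", "?"), ev["ts"]
        recent = fails_by_ip[ip]
        recent.append(ts)
        while recent and ts - recent[0] > window:   # drop failures outside the window
            recent.pop(0)
        if len(recent) > max_failures and ("ip", ip) not in already:
            already.add(("ip", ip))
            alerts.append(f"brute force: {len(recent)} failed logins from {ip} within {window}")
        ips_by_user[user].add(ip)
        if len(ips_by_user[user]) >= 3 and ("user", user) not in already:
            already.add(("user", user))
            alerts.append(f"distributed guessing: account {user} failed from {len(ips_by_user[user])} IPs")
    return alerts


def sample_log():
    """Constructed sample input: one IP hammering 'bob', three IPs trying
    'alice', a log-injection attempt in a rejected username, one benign login."""
    t0 = datetime(2009, 1, 15, 10, 0, 0, tzinfo=timezone.utc)
    lines = [audit_line(t0 + timedelta(seconds=20 * i), "login_failed", user="bob", ip="203.0.113.5")
             for i in range(6)]
    for n, ip in enumerate(["198.51.100.1", "198.51.100.2", "198.51.100.3"]):
        lines.append(audit_line(t0 + timedelta(minutes=1, seconds=n), "login_failed", user="alice", ip=ip))
    lines.append(audit_line(t0 + timedelta(minutes=2), "bad_input",
                            user="eve ip=1.2.3.4\nlogin_ok", field="q", ip="203.0.113.9"))
    lines.append(audit_line(t0 + timedelta(minutes=3), "login_ok", user="carol", ip="192.0.2.7"))
    return lines


if __name__ == "__main__":
    for alert in detect_bruteforce(sample_log()):
        print(alert)
```

Two points worth noting about the design: the sanitiser in `audit_line` is what keeps an attacker who controls a username from writing a fake `login_ok` line into your own log, and one-line-per-event text like this is trivial to ship to a separate log host, which also matters for the employee-sabotage point above, since a wiped server then takes its evidence with it only if the logs lived nowhere else.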