Take security seriously while you're small and no one is likely to exploit you
Using a static analysis tool that scans for vulnerabilities is a great help for this.
Similar to performance and testing, you might not consider security very important in the beginning. However, it’s more productive to take care of security while you’re still building the product than to retrofit it later.
Security is a more obvious pitfall than performance. Counterintuitively, though, it’s often taken less seriously.
I was aware of the importance of security testing because of my consulting experience. We had a security review step that I used in Supplybunny as well. Fortunately, I didn’t have to learn a lesson about the importance of security through experience.
There are two ways to take care of security.
First, development must treat security as a priority and do things correctly the first time. That means following best practices such as not letting users iterate over IDs to reach records they don’t own, properly checking for authentication on every request, and not falling prey to simple exploits such as JS injection (XSS), CSRF, or SQL injection. These are all crucial development skills.
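The four habits listed above, shown as a vulnerable pattern next to its hardened form. This is an added example, not code from Supplybunny or from the original post; it uses plain Ruby with constructed in-memory records (User, Order, ALICE, BOB, ORDERS are all made up here) so it runs without Rails, and the query helpers only build the SQL text and bind list rather than executing them.

```ruby
require "erb"
require "securerandom"

# Constructed in-memory rows standing in for ActiveRecord models (not real data).
User  = Struct.new(:id, :name)
Order = Struct.new(:id, :user_id, :total)

ALICE  = User.new(1, "alice")
BOB    = User.new(2, "bob")
ORDERS = [
  Order.new(10, ALICE.id, 25.0),
  Order.new(11, BOB.id,   99.0),
].freeze

# 1. Iterating over IDs (insecure direct object reference).
# Vulnerable: any signed-in user can read any order just by trying ids in sequence.
def find_order_unscoped(id)
  ORDERS.find { |o| o.id == id }
end

# Hardened: scope the lookup to the current user, so a foreign id is simply "not found".
# This is the same idea as current_user.orders.find(params[:id]) in Rails.
def find_order_for(user, id)
  ORDERS.find { |o| o.user_id == user.id && o.id == id }
end

# 2. SQL injection.
# Vulnerable: user input is interpolated into the SQL text, so quotes change the query.
def orders_query_unsafe(customer)
  "SELECT * FROM orders WHERE customer = '#{customer}'"
end

# Hardened: the SQL text stays fixed and the value travels as a bind parameter,
# the shape ActiveRecord uses for where("customer = ?", customer).
def orders_query_safe(customer)
  ["SELECT * FROM orders WHERE customer = ?", [customer]]
end

# 3. JS injection (XSS): escape anything user-controlled before it lands in HTML.
# Rails views do this by default; the hole appears when code calls raw/html_safe.
def render_comment(body)
  "<p>#{ERB::Util.html_escape(body)}</p>"
end

# 4. CSRF: a per-session random token that every state-changing request must echo back.
def issue_csrf_token
  SecureRandom.hex(32)
end

def csrf_token_valid?(session_token, submitted)
  return false unless submitted.is_a?(String) && submitted.bytesize == session_token.bytesize
  # Constant-time comparison so response timing does not reveal how many bytes matched.
  diff = 0
  session_token.bytes.zip(submitted.bytes) { |a, b| diff |= a ^ b }
  diff.zero?
end

if __FILE__ == $PROGRAM_NAME
  puts "alice reading bob's order unscoped: #{find_order_unscoped(11).inspect}"
  puts "alice reading bob's order scoped:   #{find_order_for(ALICE, 11).inspect}"
  puts orders_query_unsafe("x' OR '1'='1")
  puts orders_query_safe("x' OR '1'='1").inspect
  puts render_comment("<script>alert(1)</script>")
  token = issue_csrf_token
  puts "token round-trips: #{csrf_token_valid?(token, token)}"
end
```

The scoped lookup is the one worth internalising: an authorization check that lives in the query itself cannot be forgotten in a new controller action the way an explicit "does this belong to me?" branch can.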
Secondly, periodically audit your code. Most frameworks have a static analysis tool that audits code for security. For Rails, Brakeman is great. I’d periodically run it, first to find the most dangerous vulnerabilities. If there were any, I’d immediately fix them. Then I’d go through the lower-severity ones and put them in the following technical-debt session.
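To make the audit-then-triage workflow concrete, here is a small line-based scanner in the spirit of Brakeman, written for this page rather than taken from Brakeman or from the original post. The rules, severities, and the SAMPLE_CONTROLLER it scans are all constructed for the example; a real tool parses the Ruby AST and knows far more patterns. What it does show is the split the paragraph describes: High findings go into a fix-now list, everything else into the technical-debt list.

```ruby
Finding = Struct.new(:severity, :check, :file, :line, :code)

SEVERITY_RANK = { "High" => 0, "Medium" => 1, "Low" => 2 }.freeze

# Constructed rules: [severity, description, regex applied to one source line].
RULES = [
  ["High",   "SQL injection: string interpolation inside where/order/find_by_sql",
   /\b(where|order|find_by_sql)\s*\(?\s*"[^"]*#\{/],
  ["High",   "Cross-site scripting: html_safe/raw disables output escaping",
   /\.html_safe\b|\braw\s*\(/],
  ["Medium", "CSRF protection disabled for this controller",
   /skip_before_action\s+:verify_authenticity_token/],
  ["Medium", "Unscoped lookup by user-supplied id: confirm an authorization check exists",
   /\b[A-Z]\w*\.find\(\s*params\[/],
  ["Low",    "Mass assignment: permit! accepts every parameter",
   /params\b.*\.permit!/],
].freeze

# Scan one file's source and return findings, most severe first.
def scan_source(file, source)
  findings = []
  source.each_line.with_index(1) do |text, number|
    RULES.each do |severity, check, pattern|
      next unless text.match?(pattern)
      findings << Finding.new(severity, check, file, number, text.strip)
    end
  end
  findings.sort_by { |f| [SEVERITY_RANK[f.severity], f.file, f.line] }
end

# High severity gets fixed now; the rest is queued for the next technical-debt session.
def triage(findings)
  fix_now, later = findings.partition { |f| f.severity == "High" }
  { fix_now: fix_now, tech_debt: later }
end

def format_report(findings)
  findings.map do |f|
    "#{f.severity.ljust(6)} #{f.file}:#{f.line}  #{f.check}\n    #{f.code}"
  end.join("\n")
end

# Constructed sample controller seeded with one instance of each pattern.
# Single-quoted heredoc so the #{...} stays literal source text.
SAMPLE_CONTROLLER = <<~'RUBY'
  class OrdersController < ApplicationController
    skip_before_action :verify_authenticity_token

    def index
      @orders = Order.where("customer = '#{params[:customer]}'")
    end

    def show
      @order = Order.find(params[:id])
      @note = params[:note].html_safe
    end

    def update
      @order = current_user.orders.find(params[:id])
      @order.update(params.require(:order).permit!)
    end
  end
RUBY

if __FILE__ == $PROGRAM_NAME
  findings = scan_source("app/controllers/orders_controller.rb", SAMPLE_CONTROLLER)
  puts format_report(findings)
  buckets = triage(findings)
  puts "\nfix now: #{buckets[:fix_now].size}, technical debt: #{buckets[:tech_debt].size}"
end
```

Note that the scoped lookup in update (current_user.orders.find) is deliberately not flagged while the bare Order.find in show is; that is the difference the "iterating over IDs" rule is looking for, and it is also why a line-based regex is only a rough stand-in for a tool that understands the code.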
Example of Brakeman output: