July 10, 2026

|

Security Led Product Development? Why Not.

Saqib Tahir
Saqib Tahir

Product Manager, Community Builder, Writer of Words

Biz of Dev is all about discovery led product dev. That's our tagline, our process, our whole thing.

But after walking into an engagement where every product security failure you could imagine had already happened, backdoors in the auth logic, hostile infrastructure lockouts, a former employee billing their side hustle to the founder's credit card, I started wondering if we needed a second tagline.

Security led product development.

Sounds like a joke. Until you see what happens without it.
See, I've been doing this for over a decade. And one pattern keeps showing up.

A founder raises money. Hires an agency. Agency builds the product. Fast, functional, shipped. Everyone's happy.

Then one day the founder discovers the login system has a hardcoded bypass. Anyone with the right string can access any account on the platform. Or the test environment shares a database with production. Every experiment the dev team ran was touching live customer data. Or a former developer still has admin access and has been running their own hosting business on the founder's credit card.

I've seen all of these. Not from a blog post. Firsthand.

And the thing is, it's not because these agencies were evil. It's because product security isn't part of how they work. They ship features. That's what they get paid for.

You, the founder, especially if you're non-technical, don't know what to ask. And by the time you figure it out, the damage is already done.

What It Actually Means

Let me keep this simple.

Product security means the software you're building can't be messed with by people who shouldn't have access. That's it. No CIA stuff. No enterprise jargon.

At the early stage, it's five things.

Your login works the way you think it does. No backdoors. No hardcoded passwords that skip the check. You'd be surprised how often this one gets violated.

The right people have the right access. Not admin-for-everyone because it was easier to set up. And when someone leaves, their access dies that day. Not next week. Not "when we get around to it."

Your test environment and your production environment don't touch each other. A developer testing a feature should never be writing to the database your paying customers use. Sounds obvious. Gets broken constantly.

Passwords and keys aren't sitting in the code. API keys, database credentials, secrets, none of these go in the source code. They go in vaults. They get rotated. They never get pasted into Slack.

You can see what's happening. Who has access. When they used it. What they changed. If something goes wrong, you need to trace it and recover. Without that, you're blind.

None of this requires a security team. None of it requires expensive tools.

It requires someone on the project to care.

The five product security basics for an early-stage MVP: no backdoors, least-privilege access, separated environments, secrets out of the code, and an audit trail.

The Horror Stories That Changed My Mind

I used to think about product security the way most product people do. It's the engineering team's problem. We'll deal with it when we're bigger.

Then I saw what actually happens when nobody deals with it.

A platform processing financial transactions had a password hardcoded into the authentication logic. Every backend API. One string, and you could access any customer's account. No logs. No audit trail. It had been sitting there for years. The founder had no idea.

A founder parted ways with their CTO. Same day, the CTO activated admin privileges, kicked everyone out of the identity system, and set up an automated process that ran weekly to remove anyone who got re-added. The founder's team kept losing access to their own systems. Took weeks to figure out why. This is one of the reasons I tell founders to think twice before giving away equity for a technical co-founder, when the relationship breaks, so does access.

A former team member had been using the founder's hosting account, paid with the founder's actual credit card, to host other people's websites. Running a little reseller operation on someone else's dime. For over a year. When the founder finally recovered the account, the former employee got back in again. Twice.

A pre-production environment was connected to the production database. Every test, every demo, every "let me try something" was writing to live customer data. Nobody knew for months.

All of these happened with professional agencies. Not freelancers. Agencies with teams of 20 to 30 people, multi-year engagements, and serious monthly retainers.

That's what product security looks like when nobody's paying attention.

Why Agencies Skip It

I don't say this to be harsh. I say it because understanding the incentive structure helps you protect yourself.

There's no line item for it. When the agency scoped your project, they estimated features, not strategy. Login screen, dashboard, payment integration. "Make sure nobody can break in through a backdoor" wasn't on the list. It doesn't produce a screen you can click on, so it doesn't make it into the estimate.

Nobody on the team knows how. Most agencies are frontend devs, backend devs, designers, and a PM. Nobody specializes in product security. The skills aren't there and hiring for them doesn't fit the margins.

Speed wins. You want to launch. They want to deliver. Cutting corners on security is the fastest way to compress timelines because the consequences don't show up for months. A hardcoded credential saves ten minutes today and creates a vulnerability that lives for years.

They're gone before problems surface. The agency delivers and moves on. If a security issue shows up later, that's your problem. No contractual obligation. No long-term accountability.

This isn't good agencies versus bad agencies. It's a business model that rewards shipping and doesn't reward securing.

Until you start asking about product security, nobody will.

How a Community Made Me Care

Here's something most people don't know about me.

Outside of Biz of Dev, I run SK NEXUS, a tech publication, and The Wandering Pro, a community. People ask me why. These don't make money. Why not just go all in on the business?

Honest answer: they make me better at what I do. Writing about tech keeps me current. Running a community teaches me how people work, how to build trust, how to grow folks. It's my weird version of networking.

And one of the things that came from all that was getting embedded in the biggest cybersecurity group in Pakistan.

Spending time with people who break systems for a living rewired how I think about building products.

I already knew agencies cut corners. But hearing pen testers and incident responders talk about what they find when they audit agency-built products? Different level. Product security isn't just occasionally missed. It's structurally absent from how most software gets built.

And with AI making it even easier to ship fast? The gap is getting wider.

So I started learning. Not to become a pen tester. I'm a product manager. But to understand what good looks like and what questions to ask.

Then I started offering free pen tests to our existing clients. Not as a service. As a way to flush out the process and see what we were missing.

What we found was enough to make product security a permanent part of every engagement.

What We Do (And What We Don't)

Let me be honest here. No sales pitch.

We have a contracted security professional who comes in at key points during the build. Tests what's been deployed. Flags vulnerabilities. Makes sure the fundamentals are in place. Auth logic reviewed. Access controls audited. Credential management checked. Environment separation verified.

That's it.

I'm not going to tell you your product is "100% secure" if you work with us. Nothing is. Anyone who tells you otherwise is selling something you shouldn't buy.

Enterprise-grade product security, dedicated teams, continuous monitoring, SOC 2, PCI DSS, that's real investment. Significant money. Significant effort.

What we do is get you started on the right foot.

Think of it like a house. The difference between basic product security hygiene and none is the difference between a house with locks and a house with the doors taken off. You can upgrade to a full alarm system later. But you need the doors first.

No hardcoded credentials. Proper environment separation. Access controls that match actual roles. Credential rotation in deployment. An audit trail.

None of this is expensive. None of it slows the build meaningfully.

We're probably the only MVP-focused studio that includes this as standard. Not because it's hard. Because nobody else decided it was worth doing.

"I won't promise you bulletproof product security. I'll promise the basics are done right from day one, so you're not paying to fix them on day 365."

Questions to Ask Your Agency

Whether you work with us or not. Genuinely. Here's what I'd tell any founder friend.

You don't need to understand the technical details. Just ask these and pay attention to the reaction.

"Are any credentials hardcoded in our source code?" The answer needs to be no. Not "we'll clean that up." No. If they hesitate, you have your answer.

"Who has access to production?" You should get a list. Names. Permission levels. If they can't produce this quickly, security isn't on their radar. This ties directly to owning your infrastructure. If you don't control the admin accounts, you don't control who's in your systems.

"Is our test environment separate from production?" If the answer is "we're sharing a database for now," that "for now" will cost you. Product security starts with keeping these worlds apart.

"Does code get reviewed before it hits production?" Someone needs to look at it. That's how you catch backdoors, vulnerabilities, and mistakes. No review process means bad things get in and stay in.

"What happens when someone leaves?" There should be a process. Revoke access. Rotate credentials. Audit what they had. If the answer is "we'll handle it when it happens," that's not a plan. I've seen what "we'll handle it" looks like.

"Can you show me an architecture diagram?" A map of what your product uses, where it's hosted, who owns each account. If your agency can't draw this, they can't secure what they don't understand. This is product discovery applied to infrastructure.

Six product security questions founders should ask their agency, covering hardcoded credentials, production access, environment separation, code review, offboarding, and architecture.

What I Know Now

A while back, I wrote the Biz of Dev about page listing every way I'd seen agencies burn founders. They rush to lock scope. They build on weak foundations. They lock you into proprietary stuff. They don't let you own anything. They take on more than they can chew. They care about building tech, not running your business.

I've watched all of those problems show up in real engagements. All of them. Including product security failures that would make a compliance auditor want to lie down.

And a recent one made me realize I needed to write this.

Because product security can't be Phase 2. Can't be "later." Has to be part of how you build from the start. Not enterprise-grade security for your MVP. Just the basics. The basics that are so consistently skipped that doing the minimum puts you ahead of almost everything out there. Your MVP doesn't need to take six months, but it does need locks on the doors.

Biz of Dev is discovery led. Always will be. But discovery without product security is just organized optimism. You can discover the right thing to build, nail the users, map the market perfectly, and lose it all because someone left a hardcoded password in the login flow.

Discovery tells you what to build. Product security makes sure it stands up when someone tests the locks.

You need both.

With or without my help - I wish you the best.

Frequently Asked Questions

KNOW WHAT TO BUILD. BUILD IT RIGHT.

A quick call to pressure-test your idea before you commit resources.

Knowing what problems exist knowing what to build

Knowing what to build knowing what to build FIRST

Your insights are valuable. Discovery ensures they turn into the right product, not just a product.

That's exactly how we designed this.

After discovery, you get:

  • A buildable plan any dev team can execute
  • No proprietary knowledge locked in our heads
  • Full clarity on what to hire for (if you're hiring)

If you want us to build it, great. If not, we've set you up to succeed with whoever does.

“We're not in the business of trapping clients. We're in the business of making sure you don't waste money - ours or someone else's.”

No. Product discovery is just as critical for scaling products. Markets change, users evolve, and assumptions expire faster than founders expect.

You get clarity across four pillars: Business (what you're solving and how you'll make money), Market (who you're competing against), User (what problems actually matter), and Execution (what to build first and how to validate it). You walk away knowing what to build, what NOT to build, and why - with a plan any team can execute.

CHECK YOUR FIT

Know if Discovery Led Development is right for you in 30 minutes.