Index ¦ Atom

Startup security

Smart decisions in the early stages...

So you're an early-ish stage startup, thinking you need to be doing something about security, but not sure what?

Honestly, there are other folks that you should listen to more than me:

  • Starting Up Security is a seriously excellent information & sanity source for anyone working startup security. Many enterprise security teams could also significantly improve performance by adopting pieces of this. Ryan McGeehan (@magoo) knows his stuff.

  • Latacora is a team of smart security people (check out their blog) who offer to "join your engineering team virtually and run security, for about a year [then] help you hire someone full-time to replace us." Worth considering as an option.

  • David Cowan at Bessemer Venture Partners wrote The Affordable Ten-Step Plan for Survival in Cyberspace, which is a worthwhile read.

Speaking from my own experience:

  • Understand your own threat model, and make decisions according to that model. Keep it realistic and tackle the higher-likelihood / higher-impact risks sooner than later. If you're in need of scenarios to consider, @badthingsdaily is a good follow (also from Ryan mentioned above).

  • Don't try to do all the things. Look at security "best practices", provider guidance, and relevant regulation/standards, and create a single set of security requirements to build against (enterprises might call this a "unified control framework" or somesuch). Do what you can to limit scope, such as using a payment provider rather than taking on PCI compliance yourself.

  • The things that you do try to do, try to automate. Security tests automatically executed & enforced within the CI/CD toolchain, preventing merge/deploy of vulnerable or otherwise-bad code/config, are a good thing! Infrastructure-as-code (Terraform and equivalents) is also good, as it allows establishment of a security baseline across an environment and then tracking of change & identification of variance from that baseline.

  • Visibility is huge.. you need oversight of what components are deployed within your environment and how those components are operating. Focus on using functionality from your existing providers before you start bringing in other external vendors with security-specific solutions. For example, check out CloudTrail and GuardDuty from AWS. Open source solutions such as osquery are also worth considering.

  • Your first security-focused hire probably should not be a self-identifying Chief Security Officer. Look for that security-oriented engineering unicorn with ability to go hands-on across the breadth of your space while empowering other engineers in your organization... they're tough to find though.

Security is important, and needs to be a priority, but don't let it distract you from more important business goals.

© Jamie Finnigan; opinions my own and not my employers. Built using Pelican. Modified from theme by Giulio Fidente on github.