While you can read our full guide to startup security, we figured it would be easier to digest and apply the best practices in smaller chunks. So, we broke it up into four parts. This is part three, which focuses on keeping your code secure. If you missed the first two parts, check out part one here and part two here.
Secure Coding: Get It Right the First Time
Ways to Safeguard Your Code
1. “Shift security left”: aka bring security earlier into your application development lifecycle. By shifting left, you not only address security issues early on, but you reduce risk and lower the cost of fixing them.
2. Protect your application from the most common attacks: There’s a lot of great work covering this topic, so we won’t revisit them here. However, we highly recommend OWASP’s Top 10 Application Security Risks as a great starting point for figuring out what to harden.
3. Secrets – Great sometimes, but never in your code: A lot of security awareness courses consist of “common sense” info, but they help with reinforcing and reminding security best practices. Free resources from SANS and the US Federal Trade Commission (FTC) can help you level up security training across your team without breaking the bank.
4. Make your code review a living security process: Remember the power of checklists? Definitely create one for code review to mistake-proof the process. You’ll need checklists as your codebase grows; different areas of the code will require different evaluation steps.
5. Keep a running priority list of security issues: Every engineer on your team should be adding to a master list of security issues. Each issue should be assigned a priority level and due date for resolution based on severity and whether they can be exploited.
6. Conduct internal security tests (complements your external pentests): At least once a quarter, both eng and product teams should get together to look for vulns, e.g., unauthenticated paths, account isolation, and other weak spots in the product. All they need is Chrome (really, any web browser), ZAP (OWASP’s open-source pen testing tool), and curl (open-source command line tool and library to transfer data with URLs).
7. Make security awareness training a part of onboarding: You’re probably thinking, “Man, this is another no-brainer!” (we’d agree with you). However, it’s frighteningly common to assume that all new engineers practice good security hygiene. Having every new hire undergo security awareness training in the first week will ensure that security knowledge and awareness are set at the same standard across your entire team.
And ICYMI, PagerDuty has an excellent open-source security training program you can adapt for your org.
PS: Launch a security program that protects your business, builds trust with customers, and impresses your board by downloading Security Best Practices for Startups.