This guide was created to help all startup CTOs (and more broadly, everyone responsible for security in their orgs) build and scale their security programs with the latest best practices. Truth be told, this guide can be applied to any org looking to improve their security efforts. It’s not meant to be exhaustive; however, it serves as a good starting point via the PPT framework.
People, process, and technology (PPT) can be used to help you break down and assess your security approach and architecture at your company. More specifically, you can assess your security practices through the lenses of operational (people and processes) and application and infrastructure (technology).
We’ve organized this guide into four sections covering operational security, application and infrastructure security, how to safeguard your code, and steps you can take to protect your customers and their data.
Section 1 – Operational Security: It’s All About the People and Processes
Foster a Blameless Security Culture
- Not just for airports: See something, say something. Empower everyone to speak up without fear whenever they see or suspect a security issue, even if it looks trivial or if they inadvertently caused a security issue. Mistakes happen, and it’s better to fix them immediately, instead of hiding them.
- Appoint and/or hire a “Security Czar”: Have one person be the go-to for all things security, and ensure they’re empowered to enforce and foster security best practices across the company (exec team support is key).
- Ensure security awareness training (but don’t turn it into a speedrun): A lot of security awareness courses consist of “common sense” info, but they help with reinforcing and reminding security best practices. PagerDuty has solid open-source security training courses if you don’t want to pay for a course.
Extend that Culture to Safeguarding Your Customers’ Data
1. MFA everything: ’nuff said.
2. Encrypt all company-issued laptops and phones: Always do it before new employees start (and save those encryption keys).
3. Use an SSO provider and password manager: They streamline and centralize account management for your employees, and make on/offboarding easy. They also minimize risk even further by ensuring that every user remembers only one set of credentials for logging in. Combine them with MFA to be even more secure. For SSO, you can’t go wrong with providers like Okta and OneLogin. And for password managers, 1Password and Dashlane are solid. Whichever you decide on, always do your due diligence and see 1) which providers have had security incidents and breaches and 2) what their security incident response plans entail.
4. Make locking computers a company-wide habit and game: Sure, it’s hilarious setting a screenshot of your co-worker’s desktop as their wallpaper so they try to open folders from their desktop for two days. But, it’s not a laughing matter when unwelcome outsiders get physical access to an unlocked computer.
Having a Plan is Better than No Plan (esp. When You Get Proverbially Punched in the Face)
1. An efficient incident response plan: Your plan should be optimized for the fastest response, especially for whoever the point person is at the time of a breach / crisis. Keeping it to the three “Who’s” (“Who’s in charge?”, “Who do we call?”, and “Who can help?”) keeps it simple and actionable for everyone involved (credit to security legend Ryan McGeehan’s playbook).
2. Create an infosec plan and update it every year: Despite Mike Tyson’s famous take on plans, keeping these two things in mind makes scaling your security efforts that much easier:
- Have an internal security policy defining who’s responsible for security and whom they should go to for all things security.
- Create a company scaling event checklist, e.g., when the sales team doubles in size in two months, or when the company onboards at least two people a month across several departments.
Section 2 – Application and Infrastructure Security: Keep Bad Hombres Out
The Security Basics Checklist
1. HTTPS: By now a given, but you’d be surprised: We almost left this out for fear of coming across as pedantic. But, we’d be remiss if we didn’t at least offer a reminder for encrypting all communications for your customers. If you need a certificate, get a free one from Let’s Encrypt: a non-profit certificate authority that’s provided certs for 200+ million websites.
2. Back up your backups (and make sure they have backups): And if you don’t have something in place, then get S3, Blob Storage, or Cloud Storage from AWS, Azure, and GCP, respectively.
3. Metrics and monitoring aka canaries in the coal mine: Both allow you to quickly drill down to the root cause of any anomalies without having to dig into logs. And in case you needed a refresher, the four golden signals of traffic, latency, saturation, and errors are good foundations for understanding the health of your system and your customers’ experiences.
4. Do let the logs out (when you need to): We’ll spare you the sermon of why turning to your logs is helpful when needed. At the very least, you should have a log aggregator in order to cross-reference logs from various systems and apps. They’ll come in handy as the real “black box” source of truth.
5. May DDoS attacks never happen to you, but be prepared: Here are some ways to defend against them:
- Diversity and redundancy should already be core parts of your disaster recovery and business continuity plans, but it’s worth checking to see if your servers are located in different data centers and that there are no single failure points.
- Make sure your CDN bandwidth can scale quickly when needed. CDN providers like CloudFront, Akamai, Fastly, and Cloudflare all offer solid protection and coverage regardless of your team’s size.
- Check out the Australian Government’s Cyber Security Centre’s guide on how to prep for and respond to DDoS attacks. It’s one of the few reputable DDoS guides that were updated last year (from what we could find, many guides were published in 2014 and 2016).
Are Your Infrastructure Providers Watching Your Infrastructure?
1. Properly set up and use all built-in security functions: It may seem like a chore when setting them up in infra like AWS, but you’d be surprised at how many people leave firewalls off or don’t enable logging.
Here’s the high-level hit list:
- Enable firewalls
- Keep IAM lean and mean
- Make sure your backups have backups (and then more backups)
- Have logging in place (even if it’s the native logging solution like CloudWatch)
- Isolate infrastructure through network boundaries
And check out security best practices from the three big cloud providers (AWS, Azure, and Google Cloud Platform):
Keep Your Product on Your Mind (and Your Mind on Your Product)
1. Know your dependencies backwards and forwards: #9 on the OWASP Top 10 is (you guessed it): “Using Components with Known Vulnerabilities”. And given that apps are always built using third-party libraries, there’s plenty of risk you’ll need to mitigate. You have to always check that they’re up-to-date and not exposed to any vulns (we recommend tasking your team’s “Security Czar” with checking at least once a week).
2. Pentest everything in your environment: Not only do pentests reveal all weaknesses and areas of improvement in your infrastructure and product, but they help you achieve security certs like SOC 2. They can be pricey depending on your scope of work, but they certainly bring you peace of mind and actionable steps for improving your security.
PS: Launch a security program that protects your business, builds trust with customers, and impresses your board by downloading Security Best Practices for Startups.
Section 3 – Secure Coding: Get It Right the First Time
Ways to Safeguard Your Code
1. “Shift security left”: aka bring security earlier into your application development lifecycle. By shifting left, you not only address security issues early on, but you reduce risk and lower the cost of fixing them.
2. Protect your application from the most common attacks: There’s a lot of great work covering this topic, so we won’t revisit them here. However, we highly recommend OWASP’s Top 10 Application Security Risks as a great starting point for figuring out what to harden.
3. Secrets – Great sometimes, but never in your code: A lot of security awareness courses consist of “common sense” info, but they help with reinforcing and reminding security best practices. Free resources from SANS and the US Federal Trade Commission (FTC) can help you level up security training across your team without breaking the bank.
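As an added example (not from the original article), here is a minimal pre-commit style check that flags the credential shapes that should never be committed and lets environment lookups through; the regex set, the `scan_source` function, and the sample file are constructed for illustration.

```python
import re
from typing import List, Tuple

# Credential shapes that should never appear in source. The AWS access key ID
# format (AKIA + 16 chars) and the PEM private-key header are public formats;
# the assignment pattern is a heuristic for literal credentials.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "hardcoded_credential": re.compile(
        r"(?i)\b(api[_-]?key|secret|password|token)\b\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}

# Reading the value from the environment at runtime is the approved pattern,
# so lines that do that are skipped rather than flagged.
ENV_LOOKUP = re.compile(r"os\.environ|getenv\(|process\.env|ENV\[")


def scan_source(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, pattern_name) for every line that looks like a secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if ENV_LOOKUP.search(line):
            continue
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append((lineno, name))
    return findings


# Constructed sample file: a mix of committable and non-committable lines.
SAMPLE = '''\
import os
DB_PASSWORD = os.environ["DB_PASSWORD"]            # fine: read at runtime
aws_key = "AKIAEXAMPLEEXAMPLE01"                   # flagged: constructed key ID in source
api_key = "sk_live_constructed_example_value_123"  # flagged: literal credential
PRIVATE = "-----BEGIN RSA PRIVATE KEY-----"        # flagged: PEM header
timeout = 30
'''

if __name__ == "__main__":
    for lineno, name in scan_source(SAMPLE):
        print(f"line {lineno}: {name}")
```

Wire `scan_source` into a pre-commit hook over staged files and fail the commit on any finding; treat every hit as a leaked credential to rotate, not just a line to delete.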
4. Make your code review a living security process: Remember the power of checklists? Definitely create one for code review to mistake-proof the process. You’ll need checklists as your codebase grows; different areas of the code will require different evaluation steps.
5. Keep a running priority list of security issues: Every engineer on your team should be adding to a master list of security issues. Each issue should be assigned a priority level and due date for resolution based on severity and whether they can be exploited.
6. Conduct internal security tests (complements your external pentests): At least once a quarter, both eng and product teams should get together to look for vulns, e.g., unauthenticated paths, account isolation, and other weak spots in the product. All they need is Chrome (really, any web browser), ZAP (OWASP’s open-source pen testing tool), and curl (open-source command line tool and library to transfer data with URLs).
7. Make security awareness training a part of onboarding: You’re probably thinking, “Man, this is another no-brainer!” (we’d agree with you). However, it’s frighteningly common to assume that all new engineers practice good security hygiene. Having every new hire undergo security awareness training in the first week will ensure that security knowledge and awareness are set at the same standard across your entire team.
And ICYMI, PagerDuty has an excellent open-source security training program you can adapt for your org.
Section 4 – Extend Your Security Efforts to Your Customers
“More is More”
1. Have MFA, SSO, and role-based access for all customers: ’nuff said.
2. Make sure customers are using strong passwords: The US Cybersecurity & Infrastructure Security Agency (CISA) has a fantastic trove of best practices on creating, managing, storing, and protecting passwords. One guide in particular outlines thorough and concrete steps to creating strong passwords.
3. Keep customers’ privacy at the forefront of your security efforts: Here are some ways to do so:
- Collect the bare minimum of data you need to help customers achieve success with your product.
- Require customers to give you explicit consent before allowing customer success, support, and sales teams to access their data.
- Train your customers in security awareness and security best practices to help them always keep security in mind.
Take the Mystery and Misery Out of Your Security and Compliance Work
Whether you are a one-person army in a startup or have a well-established security department, everyone can benefit from using technology to automate their InfoSec program. Tugboat Logic was founded with this mission: to take the misery and mystery out of security and compliance for organizations by automating and scaling their security efforts.
The Tugboat Logic Security Assurance Platform is specifically designed to help you manage all aspects of your Information Security program as your needs evolve over time – helping you get secure, prepare for security audits such as SOC 2 & ISO 27001, answer security questionnaires, and evaluate the security of your business partners.