The most important (IMO) paragraph from that page:
> If there is one thing to understand about SOC2 audits, it’s: SOC2 is about documentation, not reality. SOC2 audits are performed by accountants, not pentesters. You’ll tell your audit team what security things you try to do. They’ll call upon the four cardinal directions of ontology in a ceremony of shamanic accountancy. They’ll tell you those security things are just fine. Then they’ll give you a 52,000-line questionnaire called the Information Request List (IRL), based in some occult way on what you told them you’re doing. And you’ll fill it out. You’ll have a few meetings and then write them a check. They’ll put your company name on a report.
First job after college was subbing in for a team doing a SOC2 audit. They sent me in to test AD. I googled AD before the client meeting to learn that it was this thing called Active Directory.
They had really well documented controls and the screenshot of the AD settings they sent me looked great in my report. (Yup - all AD settings in one screenshot).
IMO 1, 5, and 6 are not appropriate for early stage startups (unless you’re making enterprise software). They’re going to slow you down, add unnecessary burn, and just generally not be value adds. You should be focused on making a product that people pay money for, not box checking for a hypothetical SOC2.
I wrote this list, several years ago. I've since had the pleasure of taking a fast-growing startup (Fly.io) through SOC2. (This list was based on my experience consulting with a bunch of large-ish startups while they were SOC2'ing, and interviewing peers).
I would hold fast on #1 (Single Sign-On). Do SSO now. Make it one of the first security things you do. It's worth it on its own merits, and if you do it right, it makes things easier, not harder. My one-two punch for most startups would be Google SSO and Tailscale.
If you're hosting in AWS, you basically have to turn CloudTrail on, which was my #5. It's not slowing you down; you just need the data collecting. You can't deploy on AWS and not have an audit trail; that's bananas.
If I was writing that article over again, I'd strike #6 (MDM). It's fallen out of fashion to do endpoint security in SOC2; you should introduce endpoint security when you have the bandwidth to do it well.
It’s a good list and I’ve referenced it a few times over the years.
I misunderstood your intent on #5.
I still think SSO is inappropriate because it’s going to bump you into enterprise tiers for random products when you need to be the most frugal with your burn. Going with 1Password or similar gets the job done. You 100% need SSO eventually and it does get harder to implement the longer you wait, but I still don’t think it’s worth it early.
I think MDM is still a thing for SOC2, but my point is that most startups will not need a SOC2 immediately and folks should be mindful of what moves the needle security wise vs what auditors want.
We just did a SOC2, and were encouraged not to do endpoint stuff in it. You can ask your auditors to require MDM, but you don't have to, and shouldn't.
You can pick which apps to enroll in SSO; you don't have to pay the sso.tax on everything. Most of the time it's not material anyways.
SSO is really useful, but it does tend to be expensive. There’s a window pre-PMF where money is tight and it’s hard to justify the Enterprise plan on every SaaS you use.
Interesting note about MDM, any idea what contributes to that trend?
You don't have to enable SSO everywhere. There are things we still don't SSO (looking at you, StatusPage) because the price hit is huge and unjustifiable. But I'm less sanguine about not having SSO at all.
I guess I'd add that almost anything goes pre-PMF. I think it's actually pretty reasonable to consciously minimize security engineering spending before you've got a real product locked down.
SSO and MDM are minimal competency areas for anyone professionally managing IT.
Without SSO, you have no idea who has access to services. People come and go, contractors do their thing and take off, etc. You need to know they’re gone. On top of it, it’s so trivial to just use Google Workspace as an SSO it’s ridiculous not to use it.
MDM becomes a thing when you’re a little bigger. Anything with customer data should be managed imo.
I am currently stuggeling setting up centralized logging; just can´t grok it. Logstash? Beats? Elastic Agent? Is ELK-Stack right in 2022? How do I get Logs out of Docker to Logstash? Do I?
Seems I need to get my head around this...
Generally you will find lots of different solutions to make it all work right. None of them are "wrong" or "right", there are 2 pieces to logs:
1) Capturing them
2) Indexing/acting on them
Most tools focus on one or the other, some focus on both.
> Logstash? Beats? Elastic Agent? Is ELK-Stack right in 2022?
Loki and Graylog solve both issues in an integrated way.
logstash, beats and syslog tend to focus only on the 1st part, moving the lots to a central place.
> How do I get Logs out of Docker to Logstash? Do I?
Yes you want the logs from Docker jobs. You can use a sidecar, or you can have the Docker image ship the logs or if you are running k8s, Nomad, etc they might be able to do it for you.
The more important thing is the 1st, getting them all to one host, in pretty much any format. Once you have them there, then you can worry about trying to make sense of them.
If you do I strongly recommend storing the indices with the chunks[0] and configuring a hassle-free, scalable storage solution [1] up front. Migrating chunk storage after the fact is a royal pain. Do also note that the official Helm chart will only get you so far before you have to start horizontally scaling individual components [2]; depending upon your query and log volume you might want to scale these separately and the chart [3] doesn't support this. This GitHub issue [4] has some Kubernetes YAML examples if you need them.
CIS Top 18 Version 8 works sequentially too, so you implement control 1 and it sets you up in a good place to then implement control 2, and so on.
---
Cyber Essentials:
---
The UK's Cyber Essentials scheme is a certification standard (but you can ignore that and just use it as a checklist if you'd like).
It's designed for small to medium size organizations, and focused on getting the foundations right.
This would be a useful place to start but it won't cover some of the specific threats and risks associated with software/app development. See @snowstormsun's comment about OWASP Top 10 for that.
This list is very general (it's about high-level controls, not actual tactics) and is geared towards enterprises, so there are things on it that definitely are not startup best-practices. For example: most startups don't do any serious network monitoring (even if they do operate monitorable networks, which isn't a given).
Giving security advice in a format like this is always a bit weird. You will never catch all interesting bits much less all the edge cases. On top of that Thomas Ptacek is watching your every move.
As already noted, a tailored list for startups doesn't really exist. IMO, there are two approaches when it comes to establishing security in a Startup. You can either go the standard route or the checklist route.
1. Standard route: You hire a consultant, decide on a standard (preferably ISO27k) and go implementing. Costs a lot of money, takes a lot of time/energy, you will be happy about it in the future, if your company is not broke by then.
It's a nice compromise between adherence to the standard and pragmatism.
As a Startup you basically want to protect two things: your IP and availability of your product. The core protection method allows you to specify a very narrow scope that you want to protect and helps you to develop protection requirements.
2. The checklist route: If standards are not your thing, I would advise you to take a look at CISA's "Cyber Essentials" checklist for Small and Midsize Businesses.
If you have 90% of these things implemented - which should be very easy for a startup - you will have a better security posture than 90% of all other companies out there (if not more).
> As a Startup you basically want to protect two things: your IP and availability of your product.
On what basis do you make this claim? I’m working in cyber and see the damage side in large companies. IP is never a thing. It’s mostly service / production availability and, with companies doing business in the US, data breaches (loss of PII).
I agree, IP is very hard to measure. Especially for large corporations it is impossible to monitor if competitors gained access to IP due to an incident. I don't think the measurement portion is too interesting though. If a startup develops one product, or one solution, then that's the one thing your business revolves around. If your competitors can copy your product easily, because your S3 buckets are wide open you may go bankrupt. Cybersecurity is a means to an end. Not all things may lead to you going out of business. Focus on those that could.
If I understand your last point correctly, we seem to agree on the Availability piece.
- MDM for laptops/phones, don't let people use their own devices. The point of MDM isn't to stop people installing their favourite IDE, the point of it is to make sure the device is patched and running latest OS. If you have a VPN (even AWS Client VPN supports this...) tie MDM together with device attestation so only patched machines can connect to your VPN.
- Unified login, for a start up you can use Google workspace or even GitHub as your identity provider (this gets weird if you have non-devs but you can push it for a bit). Don't have more than one account/password for things, you just log into your google account then use OIDC/SAML to auth against internal apps. If you do this you probably don't need VPN. Use this to auth into AWS too.
- Don't share accounts on SaaS services (e.g domain registrar), this will make rotating stuff when someone leaves a nightmare. If a service doesn't support teams or you don't want to pay for the enterprise version then it's OK for the CTO and 1 other person to have their own login.
- Minimise/avoid static credentials for your infra (e.g. web server talking to postgres) prefer to use AWS Instance roles with short lived dynamic credentials.
- Make sure network isolation is set up correctly, your Mongo db shouldn't be listening on the internet
- Use 2fa but make sure it's WebAuthn/FIDO. Issue everyone with 2x security keys. People wipe / screw up their phones/TOTP authenticator apps far too much.
- Centralised logging, make sure your apps can output logs to opensearch/datadog/whatever. Whenever a user performs an action make sure this gets logged.
- Don't let people manage prod infrastructure without using Infrastructure as code tools (CDK/Pulumi/Terraform), best thing would be not to give people prod access and all changes have to go through CI
- Make sure you know your product is down before your users start calling/emailing. Set up healhchecks.io / pingdom whatever.
I would recommend only issuing a single MFA device. If you only issue 1, then the employee is forced to come to IT if/when they lose it to get a new one issued. IT will need to use their admin access to activate the new fob (and deactivate the old one), but at least you're assured that employees aren't losing them without telling anyone.
If you issue 2 you greatly increase the chances of MFA devices going missing without it being reported to IT since people will either A) use one of them and forget they even have the other and not keep track of it or B) lose one and just start using the other one and never bothering to report it to IT so they can invalidate the missing one.
Employees are VERY reluctant to report lost devices, even after being told there are no consequences or costs to them as long as they report it. I've seen employees get buddies to buzz them into the building for weeks before finally admitting to IT that they lost their access badge.
The main complication is if your company relies on outside software that doesn't have provisions for administrator oversight. For example, if you're using Google Apps, any admin can go in and replace a missing MFA device for an employee, but this isn't possible if you're using some other platforms (especially the free tiers).
MDM for laptops? No thanks. It's a world of security theatre - the main purpose of which seems to be to stop me doing my job. Also it invariably means Windows.
MDM doesn't have to be a heavy-handed thing and solutions exist for macOS at least. Even something that just makes sure the OS and critical apps always have the latest security patches - and ideally pushes those changes when it’s not disruptive to the host – can go a long way.
From what I can remember when I set this up last all our MDM did was:
- Ensure full disk encryption
- Time limit on how long people can defer OS upgrades
- Report on software installed and versions
- Enforce somewhat complex password
- Enforce password after screen has become locked
- Allow us to remote wipe the machine if lost/stolen
It didn't stop you from installing / uninstalling anything - even itself. Although if your machine stopped phoning home for a certain amount of time we had some alerts set up for the IT support team to follow up.
unfortunately yes - I was in charge of this decision as a previous employer and I went with Macs+JAMF even though I'm a die hard Linux user. My work around was to run a fullscreen Linux VM but that does defeat the purpose somewhat.
I'm hoping things are better now - I think Canonical have some sort of MDM for Ubuntu but I couldn't figure out how to pay for it.
Others mention important things but go nowhere near as far as they should. I can list dozens of high level things you should have on that list, but I think the most important decision is at what point will you hire a dedicated career-security person? The earlier the better.
You can have protected branches, pubkey auth everywhere with yubikeys and macs everywhere it all helps reduce noise but security architecture ensures there are no cracks in your defenses. These checklist solutions can do more harm than good by leaving you with the impression that you have a better security-posture and risk appettite than you actually do leading you to make catastrophic decisions.
IT/OPs/Engineering folks who know enough security to be dangerous would say things like "but _____ defensive measure is there,that wouldn't work" or "if they got past all this then we have bigger issues anyways" and be dangerously wrong.
2FA with yubi? Cookie theft is now popular. SSH pubkey on a mac? Commodity multiplatform stealers in Rust and Golang of course are a thing and they include stealing private keys and sensitive files as a feature. MDM doesn't protect you against malware and SSO while still should be implemented makes cookie theft one working attack away from pwning all things the user has access to. Boring old things like segmentation, (good)logging and proactive monitoring (probably MSP for you at the start) are still top of the "list" and despite what pop-security personalities have you believe, not only do you need AV but you need a cross-platform good EDR as soon as possible as well as corporate VPNs and while gsuite is popular with startups, O365 has better security and DLP.
I could go on but my point is you at least need a consultant at the begining and have a solid plan on when you will hire a proper security pro to architect things and make all the devs and engineers do things they disagree with passionately leading some to even leave lol.
O365 and DLP are absolutely not startup best practices. Almost nobody uses either.
As I've noted elsewhere on the thread, the norm among startups is to make a first security hire somewhere between engineer #20 and #40. Pentesters usually get brought in after PMF, sometime around the "first version" of the product the startup settles on.
"Almost nobody uses either." I am very aware, I noted that in my comment. Are you saying O365 and AIP are inferior than gsuite, if so I would like to hear why, I don't favor either I just haven't seen why. DLP is absolutley a foundational security practice, especially for a startup because they usually have some "secret sauce" and all it takes is one employee leaking that and most people that leak/sell-out just print or take the document with them, a starup maybe drowning in VC money but it all comes down crashing the moment you someone else does it better.
As far as the security hire and pentesters, I don't particulary mind the norm so long as you made that decision and planned on it from the start.
Also on O365, if you're a mac shop I still say it's better but for windows shops (as rare as that is at a startup) you must use AAD and it solves a lot of problems out of the box when you marry it with O365 and you don't have to worry about google banning you on a whim and crashing your business. I am all for best practices but those are different than monkey-see-moneky-do copying without critically reasoning and defining why that decision is best.
DLP is not a foundational security practice. It's a product category and little else. I've spent a good chunk of time in my career working on DLP[1], mostly at large enterprises (the only place this gets seriously deployed), and I've never seen it do anything useful. I can count on zero fingers the number of startups that buy and operate these tools.
In the entire history of startups, no startup has ever outcompeted another based on DLP.
Startups overwhelmingly use Google. I'm not interested in arguing with you about how startups should use Windows, or Active Directory; it's just not relevant. The question was asked "what's the checklist for startups", not "what's the checklist for AON".
Again you mention the number of startups that do something, how is that relevant without reasoning why that is good?
I don't know the entire history of startups or for that matter DLP more than you do but mistakes and sabotage happen at any commercial entity and this is not an easy problem to solve at large enterprises as you probably know even more than myself, but as a startup you can define data classification and handling policies early on and a DLP is just a tool to help you enforce that and by DLP I don't mean a firewall but MS Information Protection in this case. You control how secret and sensitive information is shared and stored. You use it to build a solid culture of secure data handling. It becomes more costly and difficult as you grow larger and you avoid costly mistakes and sabotage because you have a good handle on where your data is and how it flows.
My point wasn't that startup should implement MSIP/DLP and O365 but that a checklist on HN and copycatting is not the best way. Get a consultant to help you get things straight based on your specific business goals/needs (maybe you will cash out in 5 years and just don't care so get gsuite and take the risk). There is no generic one size fits all checklist where if you do those things that means your random startup's security is going in the right direction.
If you're fintech or work with government contracts you really do need MSIP or the equivalent, if you're selling a new cool database product that is FOSS maybe you're like a decade away from even considering it. My post was anti-checklist mainly. If you care about security let a pro help you plan it according to your needs instead if checking a few boxes and hoping that was enough.
And startups do get hacked and get their data stolen although most won't advertise it to the public.
I am not beyond convincing, but I need a reason other than "it's not done this way", I don't doubt that or your experience but I have to question when my technical reason is met with "nobody does that" bigcorp or startup everyone has different needs and they should secure the data important to their business in a way that they can afford and as such a reductive checklist approach is bad and you have not made an argument otherwise so I suppose I will agree to disagree.
I understand. On a thread like this, where someone is asking directly what the set of things startups do for security as best practices, my priority is just ensuring that the thread generates an accurate answer to the question. Maybe some other thread will happen where we can debate whether AON (for example) does security more effectively than Square.
We don't need a debate you just need to provide a technical reason other than you opinion on how popular something is. As far as I am concerned you are providing incorrect information based on what is popular and promoting one-size-fits-all security planning. You picked one product and made it into a debate about it because it deviated with what you saw as popular vs what bigcorp uses.
If you do proper 2FA, always change the default credentials (including dev/test/temporary systems!) and test the recovery of your backups you're probably above the median already. Logging turned on, and preferably centralized is also low-hanging fruit.
For an early stage startup I feel that some unnecessary risks are caused by the lack of separation of privileges because a few people do have the rights to do everything. I'd recommend having your key people keep a separate account for privileged actions so that you're not reading your email with an account that has the access to the keys of the kingdom, that you're not doing stuff on your cloud provider with a user account that has the privileges to accidentally delete everything. Have the superuser accounts on all the third-party systems be something that you use rarely, make a limited account for your daily work.
Don't bother with VPN's if you're SaaS-based. Just take the zero-trust route with mandatory MFA everywhere, invest in Yubikeys for all employees and set up a SIEM box to ingress audit logs from your various systems.
Setting up an Elastic box for this should be relatively straightforward. For many people it's easier to keep SIEM locally hosted (pulling data, no external access) and then periodically push encrypted backups offsite).
You'll probably end up setting up business metrics monitoring from this eventually too, at least in the early days before you start the "data lake" approach.
This is not a comprehensive checklist per se, but a minimum set of security controls to implement to help secure your AWS account and workloads running on AWS within your account.
I do not know of a go-to checklist but as I work in the industry, I hope I can provide some tips from experience.
Any service that is needed for the day-to-day working of your business should be properly secured. You mention DNSSEC but it starts with the user accounts that are used to log in to your registrar, hosting provider, payment provider, any SaaS...
Generate unique, strong passwords for every business related service. Use a password vault like keepass or a service like 1password for secure storage and ease of use.
Multi-factor everything you can, and prefer to use an app or physical token over SMS-based multifactor. I have recommended Twilio Authy a lot due to the multi-device support and google authenticator compatibility.
Use DNSSEC for your domain(s), enable SPF, DKIM and DMARC for your mail, set up TLS for your website(s). Depending your needs, cloudflare has some great options for the latter.
Security of the endpoints and endusers greatly depends on wether your employees BYOD, what the network looks like and most of all, what you are protecting.
I recommend to search for some public "acceptable use policy" or "security policy" documents, especially in the context of ISO27001 and create an own policy based on that, depending on your needs and environment. Even better than policy is proper training for employees on security hygiene, how to avoid phishing and if relevant, secure development. Ceate an open environment for employees to report potential issues or mistakes.
Regarding secure development, OWASP is a great resource for anything application security.
You're recommending this startup do DNSSEC. Can you rattle off some pre-acquisition startups of any note that have DNSSEC-signed their domains? Slack, for instance, is DNSSEC-signed (signing infamously took them off the Internet for the better part of a day) --- because Salesforce, their acquirer, required it; they did the same to Heroku (which also suffered a DNS outage).
My point is not so much to litigate DNSSEC itself (although I'll do that) as it is to establish the ground truth that DNSSEC-signing is not a norm among tech companies. It would be a particularly weird bit of ops overhead for a young startup to invest in.
If you'd like some tips on how to quickly test whether a startup (or a large list of them) have signed their domains, I'm happy to help.
It might not be the norm, my recommendation here was based on the OP mentioning it themselves, on experience with smaller companies and from my own experience working for a TLD (consider me biased)
Norms change and from my perspective there is still a big ongoing effort to push DNSSEC adoption worldwide.
I'm curious to know why you'd argue against DNSSEC and what your experiences are with operational overhead.
If you like, substitute "best practice" for "norm". The point I'm making is that almost nobody does DNSSEC, including but not limited to the startups with the best-regarded security teams. I'm wary of pointing the "security teams" part out because it leaves the impression that maybe companies without security teams do normally turn DNSSEC on, but that's not the case: almost nobody turns DNSSEC on. It doesn't solve real problems, and it creates a bunch of new problems.
Again, a good way to rebut this would be to present examples of established startups that have DNSSEC-signed their domains. For instance: you could take the top startups list from YC (it's on the front page, and you can pull the domains out easily in the Chrome console) and then check all of them to see if they're signed.
A bunch of them are! About 8%. But that's because a bunch of them are not in North America, and European registrars in particular automatically DNSSEC-sign new zones. But take a wild guess about Stripe (huge security team). Or Instacart. Or Cruise. Or Brex (banking!). Or Reddit. Or Gusto. Zapier. Segment. Vanta (the YC standard for SOC2, FWIW).
To the extent "no DNSSEC" is a norm, and not a best practice (it is both), that norm is unlikely to change; I think DNSSEC adoption is likely to decline (as it has in some previous years). It just doesn't work.
Your startup should absolutely not be doing DNSSEC; virtually nobody does this, most especially at successful startups with security teams. This is a good example of why a good checklist like this would be useful; I wish I had one to offer.
By just looking at the vast variety of answers in this thread, I think we have a telltale sign of the magnitude of the problem, and the state of denial in which society has evolved.
Whether a startup, a small company or a large corporation, there is at least one IT security standard in each developed country, if not an international standard (e.g., ISO27002 , NIST cybersecurity, etc.). Their role is exactly what they are called for: they tell whoever owns an IT system what should be done to protect it.
Unless you're an academic doing research, or you have personally reached the limits of a standard in your organization, there is no reason to look elsewhere.
Pull the standard from your country, or pull the ISO27002, and start working on your spreadsheet and assigning tasks :)
Let me share my (unpopular) opinion: whatever minimum mandated by the applicable laws, and nothing else. If you are not a bank, and don't have EU customers, it could as well be an empty checklist. If you need anything more, you are not a startup. Well, if you disagree, let me add one item to your checklist: know when to stop expanding it.
Rationale: I have seen enough organizations with the checklist-based approach to security. In all of them, it had nothing to do with actual security, but with convincing customers that the organization is safe to deal with - even if it is in fact false. People responsible for filling in such questionnaires often had an outdated vision of the practices of the company.
Also, once you allow any checklist in, or hire any so-called cybersecurity expert who is actually a checkbox-ticking expert, you will be under constant pressure to strengthen this "security posture" more and more, way beyond reasonable. Hypothetical example: this expert decides that you have to comply with Cyber Essentials, and one of the requirements is to install, on each laptop and desktop, an antivirus that can live-check all of the web pages loaded in browsers. But no such desktop-ready thing exists for Linux, and this expert will tell you to stop using Linux on desktops, thus leading to mass-resignation of developers. While the proper solution would have been "don't deal with the UK government".
Require disk encryption and screen lock.
Deploy SSO everywhere you can.
Provide a password manager.
No passwords in slack. If they show up they have to be rotated immediately.
Create a simple security policy (and password policy) to let people know expectations.
Create an onboarding and off boarding checklist.
Create a BYOD policy (if people choose to have work coms on their phone)
Require phone password, encryption and find my device.
Prohibit password reuse.
Buy people yubikes if they want em.
Encourage 2fa
Rotate credentials at most annually.
Create a culture of blameless postmortems so people feel comfortable raising concerns early.
Set up your cloud accounts with SSO.
Secure your CI/CD system. It usually has the keys to the castle.
Deploy or enable cred-scan, dep-scan, sast-scan in CI/CD
Don’t allow public items in S3 buckets unless the bucket is explicitly public.
If you're building a product, consider using capability based security.[1]
A capability is an access token to a resource, and NOT a user account. Think of it as a $10 bill. If you pull a $10 capability from your wallet, you can't lose $1000 by accident, no matter how badly things go.
Flickr makes it possible to give out a guest pass for photos, for example.[2] The nice thing about a guest pass is you can revoke it at any time.
1. Create a security policy — decide what does/doesn't matter
2. Train employees on security — just do the basic stuff, but all the time (strong passwords, 2FA)
3. Implement security measures — for what matters, take security very seriously
4. Use single sign-on — whether it's Google SSO/Okta/etc, you'll thank yourself later
5. Grant access on-demand — people generally don't need permanent access to sensitive systems, set up groups and grant people time-bounded roles
I'm an independent consultant that can help guide infrastructure and devops decisions in early stage start ups. I've spent a lot of time in highly regulated industries. Feel free to reach out with any questions. contact at pallissard dot net.
I am sorry, but if you need someone else to provide you with a list like that, you should NOT be doing this. It is the wrong approach on so many levels.
Maybe I should clarify why. I am a full stack engineer and I am familiar with the basic AppSec stuff you need to launch a service at a FAANG company. However I am not familiar with the basic IT Security stuff you should setup when forming a new company. When I was researching what I should setup for IT security the documentation began referencing things like DMARC, DNSSEC, DKIM etc. and I realized I don’t know what is the basic level of security I should setup.
So I just want to know what is the basic security stuff an early stage company should setup before hiring their first security engineer. The answer to this question can’t be “you should NOT be doing this” because you should still need security even before your first security hire or before you can afford a security consultant.
this stage security program needs to make technical security decisions that have large risk management payoffs versus the effort involved. You also have to understand the accepted risks are huge, and you have to focus on risks that span infra, the enterprise, endpoints, and GRC. A narrow technical focus won’t help much.
Outside of basic netsec for your app and “corporate network” (creatively defined for a remote startup), it’s worth focusing on decisions that do initial security hygiene that long term really helps but is hard to fix retroactively, and once in place it’s easier to build the exotic controls on top of. You should also not forget basic GRC capabilities, as a bulk of the “doing security” tasks can easily turn into passing vendor audits and RFPs because sales is big for a startup, so having a bank of security policies complete way ahead of time and knowing the way around frameworks like CIS or NIST CSF will save you a lot of work during a sales-stress period.
So, in practice, I think getting these done early naturally leads to good decisions and a decent security program to start.
- corporate IT:
> seriously, make a large and vocal push to get off of personal computers and on to work laptops. Its worth burning some of your security capital for. All of the follow-on work you’ll do for security, to include sales support for the startup (so, you can tie this decision to revenue) gets undermined security-technically and passing audit-ally via work on personal computers.
> password manager, or can get by for a while with in-browser password managers vs LastPass
> secrets management: very early on, get a firm handle where the passwords/keys to production and service accounts are, store them in a shareable way (AWS secrets manager or shared LastPass), and don’t budge on this. They will too easily (and probably will anyway) end up all over developer computers and note apps. Eventually one will leak this way. By having a work computer, easier to guarantee safety around this loose secrets manager. By having them stored how I said, easy to find and rotate when they leak.
> have 2Fa/MFA setup by default from the get go. Don’t make compromises on this
> MDM/EDR: start trying to move towards this, but work computers are worth getting deployed prior to pushing for MDM. MDM or anti-virus or preferable EDR will show up as a requirement very soon via sales or audits. EDR can be surprisingly cheap for a small fleet of computers, so I’d look there and skip AV and table MDM. Also, these tools will generate alerts, so you’ll have to have a process in place to respond to the alerts.
- Developer productivity
> get the enterprise GitHub hardened very early on - know where the audit logs are, turn on alerts that GH has for free for compromised dependencies, and have a plan for API keys ending up in GH, yours or personal ones accidentally pushed to. Both will happen.
> get a handle on what IDE extensions are installed, and have a firm line on what is not safe to install, and get a senior eng leader to verify and support this decision. Stuff like a random extension to connect and quickly test a prod DB via your IDE suddenly leads to a random malicious extension having your prod DB secrets and connection string. It’s not worth pursuing white/blacklists really, but it’s worth getting a list of really unsafe library types to use and make sure everyone knows why.
- AWS
> heavily support any impulse in the company to use IaC - cloudformation, terrsrorm, etc. this will get a lot of secure-by-default capabilities in place.
> turn on guardduty across all accounts and start watching. I’d stay away from securityhub as it generates a lot of noise and it’s not worth knowing about until you have the means to fix it and other stuff is taken care of in this list.
> build your cloud accounts under an AWS Organization or equivalent. If accounts start under an Org, it’s much easier to build and enforce blanket configs/tooling across all of them, which is needed for security.
- incident response
> build a shell plan for handling incidents. It’ll help everyone, to include non-security incidents like prod crashing. It’ll also save your butt in a security incident. What matters in them is good documentation and good processes, because if/when a security incident happens, being able to answer what you did and why/when is key as all that data surfaces to legal and/or media comms eventually.
- compliance/GRC:
> try to get a sales RFP or vendor audit doc and look what they ask for in security evals. Your sales team may totally be BS’ing these answers currently, forewarning. Figure out what’s asked, prepare those documents.
- further ideas
> where do I find someone to do this: Finding sec eng to take all this on could be hard. This is like a CISO in a box with a fraction or none of the usual funding and headcount. You could then hire a non-technical security lead, but that could turn into an advice/doom machine who isn’t helping fix tech. Sec eng or VP security, either way the salaries are high - $145k base and way up. A sec analyst, who is cheaper, won’t help at this point. So, my advice is pay up for a sec eng who is strong on infra, or pair a security-conscious IT and/or a security conscious devops/infra lead with a comp sci-ish college student with a cloud cert looking to break into security engineering. They’ll get their break, you’ll get someone who knows tech/security but won’t cost a ton and will take a job like this to get the resume bullet (security engineering is hard to break into), and you’ll have someone watching all this and a strong IT and infra eng to help guide them.
> I want a framework to follow still: CIS benchmark or better NIST cybersecurity framework. I’d go for the latter. Focusing on CIS or similar can lead to a narrow IT security focus that doesn’t help with actually building a security program, which is what the startup needs.
Edit - other advice ITT like
leveraging SSO/Gsuite heavily and IAM roles over secrets are really sound.
There are a lot of good things mentioned already, to extend on that:
* Vulnerability management: Our customers (I do pentests) sometimes only have a vague idea what IT assets they have and what firmware/software version these are running. Think an Excel list maintained by some random person from accounting, because "IT knows it all and after all all servers&switches are in the network plan". That way you get an out-dated QNAP NAS hosting backups (easy target for ransomware), or an IPMI nobody uses with IPMI-over-LAN enabled & a weak password (trivial to hack). So get a good idea what hardware you have, and what firmware/software is running on that. Whatever you use for that, make sure to get notified about new CVEs and general updates. I can not recommend a specific solution, the only thing I was demoed until now was something by Tenable; that was pretty nice but it's probably out of "startup budget". Worst case you can always run OpenVAS to scan your intranet.
* Apply the principle of least necessary privilege: If a dev gets pwned, an attacker should not be able to steal all your internal data, only the portion that specific dev needed for their work.
* If you really have no idea, push for a CISO (and the budget for the CISO to fulfill their role).
* You can hire a pentesting company to check your IT (usually this is recommended to be done regularly, e.g. twice a year).
* You can also hire people to assist you with creating a ISO27001-compliant security policy; not sure if that makes sense for a startup, except maybe if you really have no idea what you're doing IT security wise. But then you should get help anyway.
* 2FA with FIDO/U2F/Yubikeys or similar hardware tokens (no need to get the expensive Yubikeys if generic FIDO/U2F do the job as well)
* No BYOD
* Only IT admins need admin/root privileges on their machines.
* If you're using Active Directory: At least use the "legacy AD tier model", or take a look at the https://docs.microsoft.com/en-us/security/compass/privileged... -- if you're going to go the simple route (giving IT admins one account for their daily work, which also has domain admin privileges) lateral movement on your IT becomes much easier
* Use a password manager; we use the enterprise version of 1Password. If that's out of budget, take a look at vaultwarden (self-hosted bitwarden), which is FOSS; I'm happy with that at home.
* I wouldn't have mentioned it, as I don't think it's imperative to have. But since major players had such problems with roll out after their startup phase, I'd take away the opposite lesson of what some people recommend: It might be a good idea to implement DNSSEC early on, while it's easier to integrate and doesn't cause too much trouble.
* HTTPS with proper certs for everything. Might be difficult in an intranet: In my lab network I'm running a SmallStep CA with a NameConstraint for 'foobar.tld' (so that can only be used to sign certs for my domain; if it is hacked, an attacker can not produce a cert for google.com that I'd accept). I've setup ACME on that CA, so all my PCs can just do internal HTTP challenges to get/renew certs (DHCP clients are on '$clientname.dhcp.foobar.tld', so they can't spoof e.g. 'vaultwarden.foobar.tld'). However most companies I've seen run a AD-based PKI and use other mechanisms for cert roll out. My variant is still about as safe as Let's Encrypt (as long as the CA VM isn't breached).
* If you're running Active Directory (which you want to do in case you're on Windows), harden the crap out of it. We usually point our customers to German checklists, but I bet there are also good English language ones.
* Network segmentation (VLANs) with firewalls between the segments. Only whitelist what's needed; this applies to all segments. I have once reached our "mark" because while they properly firewalled the client VLAN, some VMs (which are intended to be accessible to most users) resided in the server VLAN, which in turn allowed every connection to everywhere - including our "mark", as well as other highly critical stuff (think: people die if that's pwned).
* Facilitate free/open tools, e.g. OpenVAS or Bloodhound. Re OpenVAS: At our company, we run Nessus internally (we had an extra, unused license due to a project; else our CISO would probably just use OpenVAS) and this helped a lot with finding potential security issues.
* Foster a culture of IT security: Don't blame the victim for falling for a phishing attack, blame the company for not doing better anti-phishing training. Similarly, devs make mistakes, but you want them to be open about it, not punish them for it.
If you really have no idea, push for a CISO (and the budget for the CISO to fulfill their role).
There's no hard-and-fast rule for this but the sense I get from doing this work is that the startup industry norm is to make a first security hire somewhere between engineer #20 and #40. That hire is usually not a CISO: your first security hire needs to be a hands-on-keyboard person, and CISOs are not that. "Senior Security Engineer" is probably the modal first security hire at startups, followed by "Director of Security" (for startups that expect to hire security person #2 within 6-9 months of #1).
A decent general rule might be "if you have to ask, you shouldn't be hiring a CISO".
* You can hire a pentesting company to check your IT (usually this is recommended to be done regularly, e.g. twice a year).
The industry standard here is software/prodsec pentests done once a year or on major releases, whichever interval is longer. Figure a serious software pentest is going to cost $25k-35k for a typical SAAS product.
You can get network pentests done; they're much cheaper than software pentests. I probably wouldn't do them annually.
* A CISO designs and staffs the whole security practice.
* A CISO is management-team and, especially, customer-facing.
* A CISO's reports tend to be managers, not IC's.
* A CISO often reports to the CEO, the CFO (if they own risk), and, sometimes, to the board.
* A CISO will tend to own multiple security sub-practices: product security, IT security, abuse, sometimes risk.
* A Dir/Sec tends to report to engineering management.
* A Dir/Sec is occasionally customer-facing, but it's not most of the job.
* A Dir/Sec will tend not to own things like abuse and risk.
* A Dir/Sec will usually, when first hired, do IC-level work on prodsec and IT security.
* A Dir/Sec's reports are usually ICs.
A pretty normal progression might be:
1. Hire a Sr Sec Eng
2. Hire another Sr Sec Eng
3. Hire a Dir/Sec
4. Hire a bunch of Sec Eng (build out an ops team, a product security team, and a team for IT stuff)
5. Promote the Dir/Sec to VP/Sec and hire managers for the teams.
6. Get real big.
7. Promote or hire a CISO (the CISO hire is often an opportunity to bring a marquee resume into the company to impress the market).
I think the thing to remember about startups is that even startups with traction rarely have the headcount slots to get past (2) or (3) on that list until they have lots of engineers; I don't have numbers to back this up but my guess is that the median startup with a 3+ person security team has over 100 employees.
So, if you're talking about your first security hire, as a young startup, it's hard to make a CISO make sense. You might call your first security hire "the CISO", but I'd say willingness to be called a "CISO" at a startup when you have low-single-digit reports is probably a mild red flag for that person.
It may be an idiosyncrasy of mine to call the title "Dir/Sec"; "Dir/Sec" is the fluffiest title I think an experienced security person would be comfortable taking in a young startup. But you could also call that person a "Security Manager" or a "Security Lead"; some of this also depends on how flat your org is.
Ah, that's a better choice then. If they have no idea about security, both opsec and product, they should get someone who can help them get better (or take the risk and take no systematic approach to security). You're right, full CISO role is a bit too much, but someone who takes care about security and might have some internal power to say "don't do that insecure stuff". Security Manager sounds good.
(Ah, well, obviously I have no idea about startups ;))
That is specifically written for startups that may have to do SOC2 compliance in the future. But it is a useful starting point for most people.