Security Controls for Startups
Version 1.5
This micro-website contains a list of controls that can be rolled out to establish a security program at a startup.
For an explanation of the content of the table below, please refer to "Building a Security Program" on CloudSecDocs.
| # | Function | Domain | Control | Description | Suggested Tools | Status | Priority | Maturity | Metric |
|---|---|---|---|---|---|---|---|---|---|
| 1 | ProdSec | Application Security | Adopt and deploy a Secure Development Lifecycle | Establish a Secure Software Development Lifecycle (S-SDLC) that incorporates security and privacy. Discuss with Engineering: engineering quality standards; where secrets are stored; adding security engineering to the product development workspaces; building a strong culture of strict code review; getting security involved in design reviews; triggering audits of high-risk code for extra review. | | NOT STARTED | 0 | | |
| 2 | ProdSec | Application Security | Learn, and follow, basic application security guidelines | OWASP, SANS, and others provide industry-standard guidance on the most common application security issues, with specific cheat sheets (e.g., the OWASP Cheat Sheet Series). | OWASP Cheat Sheet Series, OWASP Top 10 | NOT STARTED | 0 | | |
| 3 | ProdSec | Application Security | Review the existing product | Identify the security-critical parts of the product: authentication and authorization flows, session handling, secret handling, data stores holding sensitive data, and external integrations. | | NOT STARTED | 0 | | |
| 4 | ProdSec | Application Security | Secrets: Use a secret management tool | Don't store secrets in code; load them at runtime from a secret store. | AWS KMS, AWS Secrets Manager, HashiCorp Vault | NOT STARTED | 0 | | |
| 5 | ProdSec | Application Security | Secrets: Prevent secrets from being committed to code | Add pre-commit hooks that scan staged changes for credentials and block the commit. Also scan the existing history once: a secret that was ever committed has to be rotated, not just deleted. | pre-commit, gitleaks | NOT STARTED | 0 | | |
| 6 | ProdSec | Application Security | Secrets: Review storage of secrets | Review the cryptography around your storage of passwords (salted, deliberately slow password hashes such as bcrypt, scrypt or Argon2; never plain or fast unsalted hashes). Review how many people have access to private keys and certificates. | | NOT STARTED | 0 | | |
| 7 | ProdSec | Application Security | Perform security assessments as part of product development | New and existing features should be tested for security vulnerabilities, both at the application level and in the infrastructure supporting the feature. | | NOT STARTED | 0 | | |
| 8 | ProdSec | Application Security | Encrypt data in transit and at rest | Traffic encryption: TLS, mTLS, IPsec. SSL Labs is a good resource for verifying that the TLS configuration of external-facing endpoints is sound; strive for an A/A+ rating. Any data repository holding sensitive data should be encrypted by default. Better yet, avoid holding sensitive consumer data at all by delegating it to a specialized provider (e.g., a tokenization service). When you do store sensitive data, encrypt the repository: at a minimum, use the built-in encryption offered by most cloud providers; preferably, add column- or row-level encryption for the most sensitive fields. | SSL Labs for TLS configuration | NOT STARTED | 0 | | |
| 9 | ProdSec | Application Security | Only use up-to-date and trusted third-party components | GitHub provides third-party dependency vulnerability alerting (Dependabot) for common languages. Enable it so that contributors to each repo are aware of security vulnerabilities in third-party dependencies, and pin dependency versions so that upgrades are deliberate. | GitHub Dependabot, OWASP Dependency-Check, SonarQube, Contrast Security, Snyk, etc. | NOT STARTED | 0 | | |
| 10 | ProdSec | Application Security | Run applications as unprivileged users | Run services under a dedicated, unprivileged account (and, in containers, not as root) so that a compromised application does not hand over control of the host. | | NOT STARTED | 0 | | |
| 11 | ProdSec | Application Security | Implement the Application Security Roadmap | See OWASP SAMM. | OWASP SAMM | NOT STARTED | 0 | | |
| 12 | ProdSec | Application Security | Perform basic AppSec training | Build a security "boot camp" for engineering onboarding: invest quality time in new engineers and walk them through the security-sensitive areas of the codebase (auth, database, sessions, crypto, etc.); calibrate code review expectations to the same high standard others will expect; introduce them to security-minded colleagues, make it OK to reach out for help, and show them where security questions go; teach, in detail, the tools and tactics your relevant attackers would use against your product. | Developing Secure Software | NOT STARTED | 0 | | |
| 13 | ProdSec | Infrastructure Security | Use CI/CD to deploy infrastructure in a predictable manner | Build predictable deployment methods with the ability to roll back quickly when a change misbehaves. | GitHub Actions, GitLab CI | NOT STARTED | 0 | | |
| 14 | ProdSec | Infrastructure Security | Implement cloud fundamentals | Secrets management, IAM, locking down the root user, API key hygiene, and configuration management. | | NOT STARTED | 0 | | |
| 15 | ProdSec | Infrastructure Security | Adopt best practices from cloud provider reference architectures | Following such standards helps ensure fundamentally strong designs from a security, quality, and reliability perspective. | AWS Well-Architected Framework | NOT STARTED | 0 | | |
| 16 | ProdSec | Infrastructure Security | Harden IAM | Focus on authorization, "need to know" and least privilege: no wildcard policies, roles instead of long-lived user access keys, MFA on every human account. | | NOT STARTED | 0 | | |
| 17 | ProdSec | Infrastructure Security | Leverage your cloud provider's built-in configuration security scanner | Cloud providers offer built-in services that identify insecure configurations such as exposed resources. For example, AWS Trusted Advisor flags issues such as open security groups and public S3 buckets, and AWS Security Hub can check an account against established benchmarks such as the CIS AWS Foundations Benchmark. Set up alerting and regularly review the reports for insecure configurations. Address findings on a timely basis according to severity. | AWS Trusted Advisor, AWS Security Hub | NOT STARTED | 0 | | |
| 18 | ProdSec | Infrastructure Security | Define a patch management process | Your operating systems, kernels, applications, libraries and other dependencies all need to be updated. Define who patches what, how quickly (by severity), and how the patch is verified. | | NOT STARTED | 0 | | |
| 19 | ProdSec | Infrastructure Security | Automate patching | Build patch automation into continuous integration (e.g., rebuild images and redeploy on a schedule rather than patching long-lived hosts by hand). | | NOT STARTED | 0 | | |
| 20 | ProdSec | Infrastructure Security | Regularly scan for vulnerabilities | Schedule vulnerability scanning regularly, with success measured by a reduction in known vulnerabilities and short windows of exposure between patches. | Nessus, Rapid7 | NOT STARTED | 0 | | |
| 21 | ProdSec | Infrastructure Security | Run external vulnerability scans | Test for exposures in publicly-facing systems and environments from outside your own network. | | NOT STARTED | 0 | | |
| 22 | ProdSec | Infrastructure Security | Use VPNs or Zero Trust to manage remote access | VPNs, and now BeyondCorp-style Zero Trust access, are the standard solutions for managing remote access to corporate systems. Avoid administering your production servers directly from the public Internet. | WireGuard VPN, SSH bastion hosts, Cloudflare Access | NOT STARTED | 0 | | |
| 23 | ProdSec | Infrastructure Security | Implement the Cloud Security Roadmap | See "On Establishing a Cloud Security Program". | Cloud Security Roadmap | NOT STARTED | 0 | | |
| 24 | ProdSec | Resiliency | Protect against distributed denial of service (DDoS) attacks | Distributed denial of service attacks can disrupt or slow down operations, leaving assets paralyzed. | Fastly, Akamai, Cloudflare | NOT STARTED | 0 | | |
| 25 | ProdSec | Resiliency | Define availability requirements (e.g., Maximum Tolerable Downtime, Recovery Point Objective), and identify and implement the solutions needed to meet them | Assess disaster risk and recovery options in order to establish a disaster recovery plan. Where possible, test the plan to ensure that the business can resume operation after a disaster. Focus on critical assets and avoid single points of failure. | | NOT STARTED | 0 | | |
| 26 | ProdSec | Resiliency | Ensure you can recover your data and systems in case of disruption | At a minimum, back up your data and your code regularly. Deleting backups should require a multi-step process, ideally involving multiple individuals. If backups are not warranted (e.g., immutable infrastructure or infrastructure-as-code), define the recovery steps and try to recover, at least once, using the steps you've defined. | If using a cloud backup solution, leverage existing capabilities, e.g., S3 in AWS, RDS snapshots, etc. | NOT STARTED | 0 | | |
| 27 | ProdSec | Resiliency | Create non-production environments that mimic production (development and/or staging) | As the company pushes new releases, feature patches, hotfixes, security patches, etc., it is imperative to maintain a non-production environment where both functionality-related and security-related updates can be tested before being pushed to production. | | NOT STARTED | 0 | | |
| 28 | IR | Logging | Collect and store logs in a centralized location | Push system and application logs somewhere centralized and in a separate trust boundary from the rest of your infrastructure (e.g., a dedicated logging account), so that an attacker who compromises production cannot also erase the evidence. Ensure that SSH logs and any internal tools you've built log there. Make these log stores trivially accessible to an incident responder who is working as fast as they can. | | NOT STARTED | 0 | | |
| 29 | IR | Logging | Decide which logs are critical for investigations | Make a list of logs to be ingested, from product, infrastructure, corporate devices, 3rd-party SaaS, etc. | | NOT STARTED | 0 | | |
| 30 | IR | Logging | Enable audit trails and logging whenever technically feasible | Improve log coverage, especially in administrative tooling. | | NOT STARTED | 0 | | |
| 31 | IR | Logging | Decide/build/buy an ingestion strategy | Decide how to get logs from all the places you need them. This could be a combination of open source tools, cloud services, and commercial products. | | NOT STARTED | 0 | | |
| 32 | IR | Monitoring | Get notified of security vulnerabilities | Keep an eye on Google Alerts, Full-Disclosure, and vulnerability feeds such as the National Vulnerability Database for the software you've deployed. | | NOT STARTED | 0 | | |
| 33 | IR | Monitoring | Design procedures/playbooks for important investigations | Design procedures for common incidents such as: "I think my laptop is compromised", "I think my AWS account is compromised", "I think my email is compromised", "I think my phone is compromised". | | NOT STARTED | 0 | | |
| 34 | IR | Monitoring | Decide on an alerting and detection strategy | Decide what you want to be alerted on, and how you want to be alerted. Recruit and select an on-call rotation; buy/build an on-call incident platform; build detection/alerting for your three highest-risk areas. | | NOT STARTED | 0 | | |
| 35 | IR | Alerting | Alert on log ingestion failure | Make sure alerting fires when logs stop flowing; silence is itself a signal (a misconfiguration, or an attacker disabling logging). | | NOT STARTED | 0 | | |
| 36 | IR | Alerting | Alert on unauthorized access | Build basic alerting that tips off engineers when systems are accessed without permission. | | NOT STARTED | 0 | | |
| 37 | IR | Alerting | Alert on root usage | Root usage should be treated as an extreme anomaly with heavy alerting. | | NOT STARTED | 0 | | |
| 38 | IR | Alerting | Alert on high-risk actions on high-value accounts | Build detection for high-risk actions on high-value accounts, and for account deletion/account transfers. | | NOT STARTED | 0 | | |
| 39 | IR | Response | Create an incident response plan | Create a plan for how to respond to incidents. It should include a list of who to contact, how to contact them, and what to do in the event of an incident. In addition: create a rolodex of external IR partners; select and train internal IR partners; set up internal communications for compromised scenarios (an out-of-band channel, in case the usual ones are what is compromised). | Magoo Incident Response Plan | NOT STARTED | 0 | | |
| 40 | IR | Response | Treat every security bug as an incident | Treat every security bug as an incident, document it for posterity and push the lessons onward to new and current engineers. Enforce a mandatory postmortem of security bugs for leadership, as you would with an outage. | | NOT STARTED | 0 | | |
| 41 | IR | Response | Plan tabletop exercises | Reserve time for tabletop exercises to test your incident response plan. | Example scenarios for an organization | NOT STARTED | 0 | | |
| 42 | CorpSec | Identity and Access Management | Deploy/use a password manager for all employees | Deploy a password management tool to all employees. Get a business version that offers credential sharing, audit trails, SSO, and other features essential for enterprises. | KeePass, 1Password, Dashlane, Bitwarden, LastPass | NOT STARTED | 1 | 0 | |
| 43 | CorpSec | Identity and Access Management | Set up SSO | Create a rollout plan for company-wide SSO. Systems like Okta, Meldium and Bitium help centrally manage credentials for the disparate cloud applications your employees use. They also help enforce uniqueness, multi-factor authentication, and termination scenarios. | Okta | NOT STARTED | 1 | 0 | |
| 44 | CorpSec | Identity and Access Management | Enable multi-factor authentication (MFA) | Enable MFA everywhere it is supported. Prefer phishing-resistant hardware keys (e.g., YubiKey) over authenticator apps, and authenticator apps over SMS. | Azure MFA, Okta MFA, YubiKey, Google Authenticator | NOT STARTED | 0 | | |
| 45 | CorpSec | Identity and Access Management | Don't share accounts | For attribution purposes, and to enforce proper access management and off-boarding procedures, accounts must not be shared amongst users. Lock down root usage so that system activity reflects the actions of individuals. | | NOT STARTED | 0 | | |
| 46 | CorpSec | Identity and Access Management | Change default password(s) in any technology solution and/or service before use | Default passwords should be changed before use. Include this step in production-readiness checklists and deployment processes. | LAPS (Windows), endpoint management/protection solutions, vulnerability scanners (Qualys, Rapid7, Tenable, etc.) | NOT STARTED | 0 | | |
| 47 | CorpSec | Identity and Access Management | Enable user authentication through federation or 3rd-party authentication services whenever technically feasible/practical; if not feasible, use a salted, slow password hash for password authentication in internally developed applications | For enterprise services and applications, federation of authentication (and authorization) is a security, compliance, and user-experience must-do. Federate authentication whenever possible and consider (hard) whether the premium some vendors charge for SAML/SSO is worth it; at a minimum, critical services and applications should use SSO. For internally developed applications meant for internal use, implement OpenID Connect (OIDC) or SAML for user authentication/authorization rather than a custom login: building security features into an authentication service (lockout, password strength, MFA) requires specialized expertise and significant time that a startup rarely has. Where you must store passwords yourself, hash them with a salted, deliberately slow algorithm (bcrypt, scrypt or Argon2), never a plain or fast unsalted hash. If developing an application or service for consumers, build in federation capabilities; most tools, particularly enterprise ones, should support OIDC and/or SAML out of the box. | Okta, OneLogin, Google Auth, OAuth, OpenID Connect, ssoready | NOT STARTED | 0 | | |
| 48 | CorpSec | Identity and Access Management | Follow a need-to-know permission approach (not everyone should access all systems; not everyone should be an admin); keep the number of admins/privileged users to a minimum | All access to data should be role-based and on a need-to-know basis. Privileged access should be limited to a small set of users to ensure proper control over sensitive data and critical systems. | | NOT STARTED | 0 | | |
| 49 | CorpSec | Device Security | Build an asset inventory | Start employing tools like osquery to understand what is installed across your corporate fleet. Discover unmanaged hosts, estimate how many there are, and bring them under management. | osquery | NOT STARTED | 0 | | |
| 50 | CorpSec | Device Security | Enable a password-protected screen lock after inactivity/timeout | To prevent unauthorized access to laptops, servers, and mobile devices, require passwords or passcodes after a reasonable period of inactivity. | AirWatch, Jamf (Mac), Active Directory GPOs, Office 365 (E1 plans and higher), G Suite MDM | NOT STARTED | 0 | | |
| 51 | CorpSec | Device Security | Encrypt laptop disks (full-disk encryption) | Improve disk encryption coverage past `N%` of the fleet, and make sure recovery keys are escrowed in your device management system rather than left with the user. | FileVault for macOS, BitLocker for Windows | NOT STARTED | 0 | | |
| 52 | CorpSec | Device Security | Turn on automatic updates for operating systems and applications that support it | Ensure automatic patching is enabled on all endpoints. | | NOT STARTED | 0 | | |
| 53 | CorpSec | Device Security | Install an endpoint protection solution (EDR) | Install an endpoint protection solution that monitors system activity in real time and prevents/blocks exploits and malware. | Microsoft Defender, Malwarebytes, Sophos, Carbon Black, SentinelOne | NOT STARTED | 0 | | |
| 54 | CorpSec | Device Security | Automatically provision laptops | Build laptops from a pre-imaged configuration, or manage them via a centralized system such as an MDM or Chef. | | NOT STARTED | 0 | | |
| 55 | GRC | Governance | Lay the groundwork for future risk management efforts | Create a risk register; interview `n` organization partners and model the top risks; decide on the periodicity of re-assessments; update "priority risk" documentation; represent risk priorities in planning meetings. | | NOT STARTED | 0 | | |
| 56 | GRC | Governance | Create and maintain an inventory of services, assets, and data | Keep an up-to-date inventory of services with service owners identified, and an up-to-date asset inventory. This also helps keep licensing and costs in check and avoids waste. | Jamf (formerly Casper) for Mac asset management; BetterCloud for SaaS asset management; Atlassian Insight; Blissfully | NOT STARTED | 0 | | |
| 57 | GRC | Governance | Establish system/environment owners and a process to control access to information, systems, and data | Assign owners to systems and environments who are responsible for controlling access to those assets. Especially where access to confidential data or systems is involved, having the owner review an access request before approval enforces good access practices and drives accountability for decisions (e.g., record ownership as tags on AWS assets). | | NOT STARTED | 0 | | |
| 58 | GRC | Governance | Define and implement a data retention plan | Ideally, the plan should automatically dispose of data when it is no longer necessary. | | NOT STARTED | 0 | | |
| 59 | GRC | Governance | Follow a process for securely disposing of documents and equipment | Leverage publicly available processes and secure disposal services where possible. | | NOT STARTED | 0 | | |
| 60 | GRC | Governance | Create a change-of-roles process within the company, especially for permissions management (remove unnecessary permissions) | As new employees are onboarded and teams grow, several employees will shift roles and take on new responsibilities. Set up a process that keeps employee access to assets on a "need-to-know" basis, preventing permissions from accumulating over time. | | NOT STARTED | 0 | | |
| 61 | GRC | Governance | Create a security alias | So that internal AND external users/individuals can contact you about, or report, security matters. Create `#security` aliases across chat, email, and task tracking, and run an internal awareness campaign to evangelize them. | | NOT STARTED | 0 | | |
| 62 | GRC | Governance | GDPR and current laws | Identify the laws and regulations that apply to you (e.g., GDPR) and make sure you comply with them. | | NOT STARTED | 0 | | |
| 63 | GRC | Governance | Collect the minimum information necessary and store it for the minimum time needed; minimize the data stores holding sensitive data | Minimize the impact of a security incident by limiting the locations where sensitive data is stored. Delete sensitive data as soon as it is no longer needed for business purposes. | | NOT STARTED | 0 | | |
| 64 | GRC | Assurance | Have public-facing security docs | Something you can put on your website with technical details about the security measures you've taken that people can reference. | | NOT STARTED | 0 | | |
| 65 | GRC | Assurance | Establish a knowledge base | Twofold. 1. Education: build a place for security questions to go (a mailing list, IRC channel, chat room, Google Group, etc.), and integrate the history of severe security bugs from version control, bug bounty, and auditor findings into education. 2. Self-service: a place where sales can get information to fill out security questionnaires, and where customers can get information to do their own audits. | | NOT STARTED | 0 | | |
| 66 | GRC | Assurance | Have a third party perform an authorized penetration test | Potential customers are likely to ask for a full or redacted version of the resulting pentest report, so ask for internal and customer-facing versions of the report. | | NOT STARTED | 0 | | |
| 67 | GRC | Assurance | Build vulnerability management standards | Establish a process for vulnerability management, including scanning, patching, and reporting. Publish a vulnerability disclosure policy that protects security researchers when they disclose vulnerabilities to you, and reward them when they discover security issues in your products. | | NOT STARTED | 0 | | |
| 68 | GRC | Assurance | Track vulnerabilities and security issues in a ticketing system | Track security bugs like any other bug using the existing bug tracking system, assign priority based on risk level, and assign ownership for remediation. For incidents or critical issues, conduct a Root Cause Analysis (RCA) so that the lessons from security issues are fed back into the process. | | NOT STARTED | 0 | | |
| 69 | GRC | Assurance | Lay the groundwork for finding and fixing | Spend `N` days on vulnerability finding and fix all critical issues; spend `n` days on further vulnerability finding; write up vulnerabilities for policy discussions; decide on SLAs/criticality with IT and Engineering; create a central location for known vulnerabilities and associated tasks. | | NOT STARTED | 0 | | |
| 70 | GRC | Assurance | Be ready to return and destroy customer data | Before accepting customer data, be prepared to return a copy and then destroy all data provided by or related to a specific customer on termination of the business relationship or on request. Also be prepared to certify to the customer that this process was completed. | | NOT STARTED | 0 | | |
| 71 | GRC | Employees | Define on-boarding and off-boarding of users | Checklist-based user access provisioning, access termination and user access review processes are key to making sure that only authorized users have access to company information systems. Build and test termination and theft runbooks. | | NOT STARTED | 0 | | |
| 72 | GRC | Employees | Perform periodic permissions and privileged access reviews | Review user permissions periodically (look for accounts that should have been terminated as well as excess permissions). Depending on the criticality of the data at hand and requirements from customers or compliance regulations, this review should be performed quarterly. | | NOT STARTED | 0 | | |
| 73 | GRC | Employees | Perform basic phishing training | Understand, and train employees about, spear phishing. | Infosec Institute, sudo.pagerduty.com | NOT STARTED | 0 | | |
| 74 | GRC | Employees | Perform basic security, privacy and compliance awareness training | All employees must be made aware of basic security and privacy obligations, including but not limited to locking screens, encrypting equipment, passcodes on cell phones, keeping the OS on devices updated, installing anti-virus, the physical security of laptops and mobile phones, and using strong passwords. | Infosec Institute, sudo.pagerduty.com | NOT STARTED | 0 | | |
| 75 | GRC | Employees | Put in place confidentiality and security obligations, and enforce terms and conditions, with employees and contractors | In the absence of extensive policy documents, employees and contractors should at a minimum acknowledge that they are aware of and agree to the confidentiality and security obligations around handling data, systems, equipment, and information. This officially signed/acknowledged statement (even an "I agree" checkbox) is extremely important in case of litigation. | | NOT STARTED | 0 | | |
| 76 | GRC | VendorSec | Standardize on the services employed and create a list of approved vendors | To stay in control of information assets, ensure services are standardized and all procurement is done via a central resource. Create a list of approved vendors and services, and ensure that all services are procured through this list. | Dropbox, Box, Salesforce | NOT STARTED | 0 | | |
| 77 | GRC | VendorSec | Onboard 3rd-party SaaS services onto SSO | Choose/demo/deploy an SSO and MFA vendor, then move every SaaS application behind it. | | NOT STARTED | 0 | | |
| 78 | GRC | VendorSec | Establish a vendor security assessment process: verify the security practices of the third-party providers you use while assessing the risk these services pose to your company | Track vendors and ensure that critical vendors meet or exceed your safeguards, for example by self-assessing against these guidelines. Assess third-party providers from content delivery networks to SaaS middleware to archival and data analysis tools, and ensure your controls encompass your entire attack surface: identify key suppliers and supply chain services; ensure "key" covers not only uptime requirements but also customer data risk; ensure supplier best practices are used to deliver your functionality; ensure suppliers notify you of new vulnerabilities and of any degradation of security practices or service levels; assign a responsible team member to act on these notifications; add vulnerability and incident disclosure clauses to high-risk contracts; add penetration-testing authorization language to all contracts. | | NOT STARTED | 0 | | |
| 79 | GRC | VendorSec | Track and remove Shadow IT | Estimate the number of Shadow IT applications in use. Build and deploy Shadow IT detection, and scan expenses and corporate credit cards for Shadow IT vendors. Migrate the authentication of the applications you decide to keep behind SSO. | | NOT STARTED | 0 | | |
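
Worked example for control 5 (preventing secrets from being committed). This is an added example, not part of the original control list and not gitleaks' own code or rule set: it shows the shape of a pre-commit secret scanner so the control's two parts are concrete, a rule set for well-known credential formats and an entropy cut-off that keeps placeholders such as `CHANGEME` out of the findings. The patterns, the `ENTROPY_THRESHOLD` value and the `SAMPLE` input are this example's assumptions.

```python
"""Pre-commit secret scanner, in the spirit of gitleaks.

Added example for control 5; not gitleaks' code or rule set. The patterns,
entropy threshold and SAMPLE input below are this example's assumptions.
"""
import math
import re
import subprocess
import sys
from collections import Counter

# A deliberately small rule set. AKIA... and ghp_... are the documented prefixes
# of AWS access key IDs and GitHub personal access tokens; the last rule catches
# password = "..."-style assignments in any language.
PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private-key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "generic-assignment": re.compile(
        r"(?i)(?:secret|password|passwd|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"\s]{8,})['\"]"
    ),
}

# Placeholders like "CHANGEME" also match the generic rule; an entropy cut-off
# (assumed value, tune it for your codebase) keeps them out of the findings.
ENTROPY_THRESHOLD = 3.0


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(text: str) -> list:
    """Return (line_number, rule, matched_text) for every hit in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            if rule == "generic-assignment" and shannon_entropy(m.group(1)) < ENTROPY_THRESHOLD:
                continue  # low-entropy value: a placeholder, not a credential
            findings.append((lineno, rule, m.group(0)))
    return findings


def scan_staged(repo_dir: str = ".") -> list:
    """Scan only the lines being added by staged changes, which is what a pre-commit hook sees."""
    diff = subprocess.run(
        ["git", "diff", "--cached", "--unified=0", "--no-color"],
        cwd=repo_dir, capture_output=True, text=True, check=True,
    ).stdout
    findings, path = [], "<unknown>"
    for line in diff.splitlines():
        if line.startswith("+++ "):
            path = line[4:].removeprefix("b/")
        elif line.startswith("+") and not line.startswith("+++"):
            findings.extend((path, rule, hit) for _, rule, hit in scan_text(line[1:]))
    return findings


# Constructed sample input: lines 1, 3 and 4 must be flagged; line 2 is a placeholder.
# AKIAIOSFODNN7EXAMPLE is the example key ID from the AWS documentation, not a live key.
SAMPLE = """\
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
password = "CHANGEME"
db_password = "xK9#vQ2$mL8@pR4!zT6w"
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    # `--staged` runs against the real index (wire this into .pre-commit-config.yaml
    # or .git/hooks/pre-commit); with no argument it scans the constructed SAMPLE.
    if len(sys.argv) > 1 and sys.argv[1] == "--staged":
        hits = scan_staged()
    else:
        hits = [("SAMPLE", rule, hit) for _, rule, hit in scan_text(SAMPLE)]
    for path, rule, hit in hits:
        # Print only a prefix so the hook's own output does not leak the secret.
        print(f"{path}: {rule}: {hit[:8]}...")
    sys.exit(1 if hits else 0)
```

The hook exits non-zero on any finding, which is what makes the commit fail. Two caveats a practitioner should keep in mind: a regex scanner only knows the formats it was taught, so pair it with the history scan the control mentions, and a non-zero exit is only a speed bump against `git commit --no-verify`, which is why the same scan belongs in CI as well.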
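
Worked example for controls 16 and 17 (hardening IAM and scanning configuration), which also backs the "keep admins to a minimum" intent of control 48. This is an added example, not AWS's own checker (IAM Access Analyzer and Security Hub are the real thing): a small linter that reads IAM policy documents and reports the patterns that defeat least privilege, shown against an over-broad policy, a least-privilege version of a typical intent, and a subtler policy that looks restricted but is not. The three policies are constructed, and the lists of read-only verb prefixes and privilege-escalation actions are assumed starting points, not complete ones.

```python
"""Least-privilege linter for IAM policy documents.

Added example for controls 16, 17 and 48; not AWS code. The policies are
constructed; the verb prefixes and the privilege-escalation list are assumptions.
"""
import json

# IAM actions that let a principal grant itself more access; allowing any of them
# on Resource "*" is effectively admin. (Assumed, non-exhaustive list.)
PRIVILEGE_ESCALATION_ACTIONS = {
    "iam:passrole", "iam:createaccesskey", "iam:attachuserpolicy", "iam:putuserpolicy",
    "iam:createpolicyversion", "iam:setdefaultpolicyversion", "iam:updateassumerolepolicy",
}
READ_ONLY_VERBS = ("get", "list", "describe", "head")


def _as_list(value):
    """IAM allows a string or a list in Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]


def is_read_only(action: str) -> bool:
    verb = action.split(":", 1)[-1]
    return verb.startswith(READ_ONLY_VERBS)


def lint_policy(policy: dict) -> list:
    """Return (statement_index, finding_code) for every over-broad Allow statement."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only ever narrow access
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        if "NotAction" in stmt:
            findings.append((i, "ALLOW_NOTACTION"))  # "everything except X" is still almost everything
        if "*" in actions:
            findings.append((i, "FULL_ADMIN"))
        for action in actions:
            if action != "*" and action.endswith("*"):
                findings.append((i, f"WILDCARD_ACTION:{action}"))
            if action in PRIVILEGE_ESCALATION_ACTIONS:
                findings.append((i, f"PRIVESC:{action}"))
        if "*" in resources and not all(is_read_only(a) for a in actions):
            findings.append((i, "WRITE_ON_ALL_RESOURCES"))
    return findings


def lint_policy_json(text: str) -> list:
    return lint_policy(json.loads(text))


# Constructed policies. OVERLY_BROAD is what "just make it work" produces;
# LEAST_PRIVILEGE is the same intent (one app reads and writes one bucket) done right;
# SNEAKY passes a casual review but is near-admin twice over.
OVERLY_BROAD = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

LEAST_PRIVILEGE = {"Version": "2012-10-17",
                   "Statement": [{"Effect": "Allow",
                                  "Action": ["s3:GetObject", "s3:PutObject"],
                                  "Resource": "arn:aws:s3:::example-app-uploads/*"}]}

SNEAKY = {"Version": "2012-10-17",
          "Statement": [{"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"},
                        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"}]}

if __name__ == "__main__":
    for name, policy in [("overly broad", OVERLY_BROAD),
                         ("least privilege", LEAST_PRIVILEGE),
                         ("sneaky", SNEAKY)]:
        print(f"{name}: {lint_policy(policy) or 'OK'}")
```

Run it over every policy your infrastructure-as-code defines and fail the pipeline on any finding; that turns control 16 from a review guideline into a gate. The linter deliberately does not flag read-only actions on `Resource: "*"`, which is still broader than necessary (it reads every bucket, not one), so treat its silence as "nothing obviously wrong", not as approval.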
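
Worked example for the alerting controls 35, 37 and 38 (log ingestion failure, root usage, high-risk actions on high-value accounts), run over a few CloudTrail-style events of the kind control 28 says to centralize. This is an added example, not vendor code or a production detection rule set: it shows what "build basic alerting" looks like as logic you can unit-test before wiring it to a pager. The four event lines are constructed and simplified (real CloudTrail records carry many more fields), and the `HIGH_RISK_EVENTS` set is an assumed starting point, not a complete list.

```python
"""Detection logic for controls 35, 37 and 38 over CloudTrail-style events.

Added example; not vendor code. The event lines are constructed and simplified,
and HIGH_RISK_EVENTS is an assumed starting point, not a complete list.
"""
import json
from datetime import datetime, timedelta, timezone
from typing import Optional

# Event names worth paging on regardless of who performed them. These are real
# CloudTrail eventName values, chosen because each one either blinds the audit
# trail or changes who can do what.
HIGH_RISK_EVENTS = {
    "StopLogging", "DeleteTrail", "UpdateTrail",                     # tampering with the audit trail
    "DeleteUser", "DeleteRole", "CreateAccessKey",                   # identity lifecycle
    "AttachUserPolicy", "PutUserPolicy", "UpdateAssumeRolePolicy",   # privilege changes
}

# Constructed sample log: four events, three of which should alert (two from one event).
SAMPLE_EVENTS = """\
{"eventTime":"2024-03-01T10:00:00Z","eventName":"DescribeInstances","userIdentity":{"type":"IAMUser","userName":"alice"},"sourceIPAddress":"203.0.113.10"}
{"eventTime":"2024-03-01T10:01:00Z","eventName":"ConsoleLogin","userIdentity":{"type":"Root","userName":"root"},"additionalEventData":{"MFAUsed":"No"},"sourceIPAddress":"198.51.100.7"}
{"eventTime":"2024-03-01T10:02:00Z","eventName":"StopLogging","userIdentity":{"type":"IAMUser","userName":"bob"},"sourceIPAddress":"198.51.100.7"}
{"eventTime":"2024-03-01T10:03:00Z","eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","userName":"carol"},"additionalEventData":{"MFAUsed":"Yes"},"sourceIPAddress":"203.0.113.10"}
"""


def parse_time(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect(event: dict) -> list:
    """Return the alert strings one event triggers (possibly several)."""
    identity = event.get("userIdentity", {})
    who, name = identity.get("userName", "?"), event.get("eventName")
    alerts = []
    if identity.get("type") == "Root":  # control 37: any root use is an anomaly
        alerts.append(f"ROOT_USAGE user={who} event={name}")
    if name == "ConsoleLogin" and event.get("additionalEventData", {}).get("MFAUsed") != "Yes":
        alerts.append(f"LOGIN_WITHOUT_MFA user={who} ip={event.get('sourceIPAddress')}")
    if name in HIGH_RISK_EVENTS:  # control 38
        alerts.append(f"HIGH_RISK_ACTION user={who} event={name}")
    return alerts


def run_detections(log_lines: str) -> list:
    """Run detect() over newline-delimited JSON events and collect the alerts in order."""
    alerts = []
    for line in log_lines.splitlines():
        if line.strip():
            alerts.extend(detect(json.loads(line)))
    return alerts


def check_ingestion(log_lines: str, now: str, max_gap_minutes: int) -> Optional[str]:
    """Control 35: alert when the newest event is older than the allowed gap, or there is none."""
    times = [parse_time(json.loads(l)["eventTime"]) for l in log_lines.splitlines() if l.strip()]
    if not times:
        return "LOG_INGESTION_FAILURE no events received"
    gap = parse_time(now) - max(times)
    if gap > timedelta(minutes=max_gap_minutes):
        return f"LOG_INGESTION_FAILURE newest event is {gap} old (limit {max_gap_minutes} min)"
    return None


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
    print(check_ingestion(SAMPLE_EVENTS, "2024-03-01T11:00:00Z", max_gap_minutes=15))
```

The ingestion check is the one to schedule independently of the log pipeline itself (a cron job or a cloud-native alarm on the metric), since a detector that runs inside the pipeline stops running at exactly the moment it is needed. Keeping the rules as plain functions over dicts is what lets you check each one against a constructed event in a unit test, as above, before it ever pages anyone.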