Security for Early-Stage Startups

Kevin Qiu
February 24, 2021

Cybersecurity Checklist for Early-Stage Startups

We've created an easy-to-follow security checklist for early-stage startups that want to improve their security posture. Get the insights you need to make your company and product more secure.

You can download a copy of the checklist here.

This checklist was designed for early-stage startups. Many of these tasks can be done for free or require little to no budget for licenses or subscriptions. These best practices can help to reduce your company's overall risk and to keep your data secure. Feel free to use some of these security techniques in your personal life as well.

Note that this checklist is by no means exhaustive and that some of these items may not apply to your company. Rather, use this guide as a starting point for launching your company's internal security program.

IT Security

Account Management

  • Require 2FA on accounts whenever possible
  • Avoid sharing accounts unless it's absolutely necessary
  • Use accounts with elevated privileges only when needed (e.g. the root account in AWS)
  • Never create API keys for root accounts
  • Use single sign-on (SSO) through G Suite or Office 365 where applicable
  • Create an onboarding and offboarding checklist for granting access
  • Review account permissions on a regular basis
  • Use a password manager to store all credentials

Endpoint Management

  • Use an endpoint management tool such as Intune or Jamf to manage your laptops
  • Require encryption for all laptops and mobile devices
  • Ensure Windows Defender is active
  • Require a password and disable PIN usage for Windows logins
  • Make it a habit to lock laptops when walking away from them
  • Regularly patch laptops as vendor updates are released
  • Consider doing this during lunch or other less busy times
  • Only use licensed software

Security Awareness

  • Remind users to report any suspected phishing emails
  • Create a formal information security policy and publish it in a central location
  • Include security practices as a part of new hire onboarding

Office Security

  • Create a separate guest wireless network
  • Configure doors to lock automatically after hours, and require the last person leaving to check that they are locked
  • Maintain a record of all guests
  • Install cameras to monitor entrances

Contractors

  • Maintain a list of all past and present contractors
  • Disable contractor accounts immediately after their end date

Cloud Security

Perimeter

  • Lock down security groups and restrict public inbound access to ports 80 and 443 for website traffic
  • Deploy a free or low-cost VPN such as OpenVPN for resource access instead of whitelisting your home/office IP
  • Use an anti-DDoS service like Cloudflare
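The first two items above are the kind of thing that drifts: someone opens SSH or a database port "temporarily" to 0.0.0.0/0 and it stays that way. The following is an added example (not from the original post, and not tied to any cloud provider's SDK) that audits a list of security-group ingress rules against the checklist's rule of thumb: only ports 80 and 443 may be open to the whole internet. The rule format and the sample rules are constructed for the example; a real audit would feed in rules pulled from the provider's API.

```python
"""Flag security-group ingress rules that expose anything beyond HTTP/HTTPS
to the whole internet. The rule shape and sample data are constructed for
this example and are not tied to a real account."""
from dataclasses import dataclass
from ipaddress import ip_network

# Ports the checklist allows to be reachable from anywhere (website traffic).
ALLOWED_PUBLIC_PORTS = {80, 443}


@dataclass(frozen=True)
class IngressRule:
    protocol: str   # "tcp", "udp", or "-1" meaning all traffic (AWS convention)
    from_port: int
    to_port: int
    cidr: str       # source range, e.g. "0.0.0.0/0" or "10.0.0.0/16"


def is_world_open(cidr: str) -> bool:
    """True when the CIDR covers the entire IPv4 or IPv6 address space."""
    return ip_network(cidr, strict=False).prefixlen == 0


def rule_violations(rule: IngressRule) -> list[str]:
    """Return human-readable findings for one rule (empty list = rule is fine)."""
    if not is_world_open(rule.cidr):
        return []                      # internal-only rules are out of scope here
    if rule.protocol == "-1":
        return [f"all protocols/ports open to {rule.cidr}"]
    exposed = set(range(rule.from_port, rule.to_port + 1)) - ALLOWED_PUBLIC_PORTS
    if not exposed:
        return []
    lo, hi = min(exposed), max(exposed)
    span = str(lo) if lo == hi else f"{lo}-{hi}"
    return [f"{rule.protocol}/{span} open to {rule.cidr}"]


def audit_security_group(rules: list[IngressRule]) -> list[str]:
    """Audit every ingress rule in a group; a clean group returns []."""
    return [finding for rule in rules for finding in rule_violations(rule)]


# Constructed example: a web tier with two acceptable public rules, one
# acceptable internal rule, and two rules that should be flagged.
SAMPLE_RULES = [
    IngressRule("tcp", 80, 80, "0.0.0.0/0"),        # fine: website traffic
    IngressRule("tcp", 443, 443, "0.0.0.0/0"),      # fine: website traffic
    IngressRule("tcp", 22, 22, "0.0.0.0/0"),        # SSH exposed to the world
    IngressRule("tcp", 5432, 5432, "10.0.0.0/16"),  # fine: database, internal only
    IngressRule("tcp", 0, 65535, "::/0"),           # every TCP port over IPv6
]

if __name__ == "__main__":
    for finding in audit_security_group(SAMPLE_RULES):
        print("FINDING:", finding)
```

Running the same check on a schedule (or in CI against your infrastructure-as-code) turns the checklist item into something that gets enforced rather than remembered.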

Monitoring

  • Use Azure Security Center or AWS GuardDuty for basic security monitoring
  • Use an open source tool like Graylog for general logging

Permissions

  • Ensure that more than one person has root account access in the event of an emergency
  • Ensure that file storage (S3 buckets, blob storage, etc.) is not publicly accessible
  • Store all secrets in a secrets vault like Azure Key Vault or HashiCorp Vault
  • Assign permissions based on predefined roles (Ex. developer, marketing user, etc.)

Servers

  • Ensure that server images are patched on a regular basis, including container images
  • Separate your production and non-production environments
  • Use encryption for all internal communication
  • Configure security groups to only allow inbound access to necessary ports

Data

  • Don't use shared accounts for database access
  • Use sanitized or test data in non-production environments
  • Ensure that backups are configured properly and test them on a regular basis
  • Restrict access to PII for users who do not need to view it

External SaaS

  • Ensure that all third party services are configured securely (Ex. 2FA enforcement, private repos by default, etc.)
  • Maintain a record of all third party SaaS tools

Product Security

Developers

  • Keep third party dependencies from npm, pip, etc. up to date
  • Take advantage of GitHub's dependency monitoring alerts
  • Have developers validate user input as much as possible
  • Require peer review for significant feature updates
  • Ensure third party dependencies allow for commercial use
  • Review security related headers and cookie settings
  • Add the following to your website as applicable: Terms of Use, Privacy Policy, Acceptable Use Policy, GDPR and CCPA statements, and a banner informing first-time visitors about your cookie policy
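"Review security related headers and cookie settings" is easy to agree with and easy to skip. Below is an added example (not from the original post) of a small audit that a developer can run against a response captured from the application, in a test or from a script. It checks for the headers most commonly expected on a production web app and for the Secure, HttpOnly and SameSite attributes on every cookie. The expected header set and the two sample responses are constructed for this example; adjust them to your own policy.

```python
"""Audit an HTTP response's security headers and Set-Cookie attributes.
The sample responses below are constructed for this example."""

# Headers a production web app is expected to send, each with a value check.
REQUIRED_HEADERS = {
    "strict-transport-security": lambda v: "max-age=" in v.lower(),
    "content-security-policy": lambda v: bool(v.strip()),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "x-frame-options": lambda v: v.strip().upper() in {"DENY", "SAMEORIGIN"},
}
# Headers that disclose implementation details and are better removed.
LEAKY_HEADERS = {"server", "x-powered-by"}


def parse_set_cookie(value: str) -> tuple[str, dict[str, str]]:
    """Split 'name=value; Attr; Attr=val' into the cookie name and its
    attributes (attribute names lower-cased; flag attributes map to '')."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.lower()] = val
    return name, attrs


def audit_cookie(value: str) -> list[str]:
    """Findings for one Set-Cookie header; [] means the cookie is fine."""
    name, attrs = parse_set_cookie(value)
    findings = []
    if "secure" not in attrs:
        findings.append(f"cookie {name}: missing Secure")
    if "httponly" not in attrs:
        findings.append(f"cookie {name}: missing HttpOnly")
    if attrs.get("samesite", "").lower() not in {"lax", "strict"}:
        findings.append(f"cookie {name}: SameSite should be Lax or Strict")
    return findings


def audit_response(headers: list[tuple[str, str]]) -> list[str]:
    """Audit a response given as (name, value) pairs; a list rather than a
    dict because Set-Cookie legitimately repeats."""
    present: dict[str, list[str]] = {}
    for name, value in headers:
        present.setdefault(name.lower(), []).append(value)

    findings = []
    for name, ok in REQUIRED_HEADERS.items():
        if name not in present:
            findings.append(f"missing header {name}")
        elif not ok(present[name][0]):
            findings.append(f"weak value for {name}: {present[name][0]!r}")
    for name in sorted(LEAKY_HEADERS.intersection(present)):
        findings.append(f"remove header {name} (discloses software details)")
    for cookie in present.get("set-cookie", []):
        findings.extend(audit_cookie(cookie))
    return findings


# Constructed sample responses: a typical default setup and a hardened one.
WEAK_RESPONSE = [
    ("Content-Type", "text/html"),
    ("X-Powered-By", "Express"),
    ("Set-Cookie", "session=abc123; Path=/"),
]
HARDENED_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Content-Security-Policy", "default-src 'self'"),
    ("X-Content-Type-Options", "nosniff"),
    ("X-Frame-Options", "DENY"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
]

if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"{label}: {audit_response(response) or 'no findings'}")
```

Wiring `audit_response` into an integration test that fetches the login page keeps the headers from regressing when someone swaps a framework or reverse proxy.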

User Security

  • Enforce password complexity for user passwords
  • Consider adding a 2FA feature for user logins, especially for B2B
  • Use Stripe or Braintree for storing user payment card information
  • Never store card information yourself, other than billing address or last 4 digits
  • Consider conducting an external pen test before launch for applications targeting highly regulated industries such as healthcare or banking

Session security

  • Configure session cookies to expire and require users to enter their passwords after a long hiatus
  • Invalidate all other sessions upon a user logging out
  • Expire password reset links
  • Consider showing a user's last login time at the bottom of the page or in a user profile section
  • Consider publishing a security@ email for users to report possible vulnerabilities in your application
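The first three session items above (expiring sessions, invalidating every session on logout, and expiring password reset links) are easiest to get right when they live in one place. The following is an added example, not code from the original post, of an in-memory session and reset-token store that implements them. The lifetimes (12-hour absolute, 30-minute idle, 15-minute reset link) and the hashing of tokens before storage are choices made for this example; the store takes the current time as a parameter so the behaviour can be tested deterministically.

```python
"""Session and password-reset handling: sessions expire on an absolute and an
idle timer, logout drops every session the user holds, and reset links are
short-lived and single-use. In-memory store built for this example; the TTL
values are illustrative choices, not a recommendation from the post."""
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional

SESSION_TTL = 12 * 3600   # absolute lifetime: re-enter the password after this
IDLE_TTL = 30 * 60        # expire after this much inactivity
RESET_TTL = 15 * 60       # password reset links are valid for 15 minutes


def _digest(token: str) -> str:
    """Store only a hash of each token so a copied database yields nothing usable."""
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class Session:
    user_id: str
    created_at: float
    last_seen: float


class SessionStore:
    def __init__(self) -> None:
        self._sessions: dict[str, Session] = {}                # digest -> Session
        self._resets: dict[str, tuple[str, float]] = {}        # digest -> (user, issued_at)

    def create(self, user_id: str, now: float) -> str:
        """Start a session and return the opaque token to set in the cookie."""
        token = secrets.token_urlsafe(32)
        self._sessions[_digest(token)] = Session(user_id, now, now)
        return token

    def lookup(self, token: str, now: float) -> Optional[str]:
        """Return the user id for a live session and refresh its idle timer.
        Expired sessions are deleted and return None."""
        key = _digest(token)
        session = self._sessions.get(key)
        if session is None:
            return None
        if now - session.created_at > SESSION_TTL or now - session.last_seen > IDLE_TTL:
            del self._sessions[key]
            return None
        session.last_seen = now
        return session.user_id

    def logout(self, token: str) -> int:
        """Log out everywhere: drop every session belonging to this user.
        Returns the number of sessions removed."""
        session = self._sessions.get(_digest(token))
        if session is None:
            return 0
        doomed = [k for k, s in self._sessions.items() if s.user_id == session.user_id]
        for key in doomed:
            del self._sessions[key]
        return len(doomed)

    def issue_reset(self, user_id: str, now: float) -> str:
        """Create a reset token to embed in the emailed link."""
        token = secrets.token_urlsafe(32)
        self._resets[_digest(token)] = (user_id, now)
        return token

    def redeem_reset(self, token: str, now: float) -> Optional[str]:
        """Single use: the token is removed whether or not it is still valid,
        so a link cannot be replayed. Returns the user id on success."""
        entry = self._resets.pop(_digest(token), None)
        if entry is None:
            return None
        user_id, issued_at = entry
        if now - issued_at > RESET_TTL:
            return None
        return user_id


if __name__ == "__main__":
    store = SessionStore()
    t0 = 1_700_000_000.0
    laptop = store.create("alice", t0)
    phone = store.create("alice", t0 + 60)
    print("laptop session user:", store.lookup(laptop, t0 + 100))
    print("sessions dropped on logout:", store.logout(laptop))
    print("phone session after logout:", store.lookup(phone, t0 + 120))
```

Keying the store by a hash of the token, and passing `now` in rather than reading the clock inside, are the two details that make the store both safer to operate and straightforward to unit test.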

Compliance

Documentation for Customers

  • If your company is B2B, consider creating a customer facing security document outlining your processes and procedures
  • Equip your sales team with this document to offer to prospective customers
  • Consider pursuing a full SOC 2 or ISO 27001 certification
  • You may be able to skip a separate security questionnaire if this document is detailed enough

PCI

  • If your website accepts payment cards, determine which PCI merchant level you are and fill out the appropriate SAQ for your bank
  • Note that simply using Braintree or Stripe does not exclude you from PCI requirements

GDPR & CCPA

  • Have workflows to export and/or delete user data if requested
  • Consult with a lawyer to identify applicability

HIPAA

  • Require user facing employees to use multiple levels of verification when working on customer support cases

Incident Response

  • Consider purchasing cyber liability insurance
  • Create a security incident response plan
  • Have playbooks for typical security related scenarios
  • Proactively ensure that any on call users have proper access in the event of an incident
  • Review and update on a regular basis as the company and product changes
  • Configure alerts for suspicious activity

About SafeBase

SafeBase automates security assessment workflows to help vendors build trust with their customers. Find out more at https://safebase.io or contact us at info@safebase.io.
