You are a startup. How Should You Do Security?

You are a startup. You have limited time, limited money, limited dev hours, limited admin hours. I get it, I’m running one too. So, what are some of the things a startup could do to significantly improve its security posture?


1. Two Factor everything.
As a startup, you probably are using a lot of cloud services and SaaS products. Email, version control, web hosting, social media accounts, blogs, password manager and many such services are either SaaS or cloud based. Enable two-factor authentication on every one of these services and require all your employees and contractors to enable it too.
A password alone is no longer enough. You need Two Factor Authentication. If a service does not support two factor, it is time to think about whether they deserve your money.


2. HTTPS everything.

There aren’t too many excuses left to not support HTTPS. Be it SaaS products, RESTful APIs, admin dashboards or help/support sites. HTTPS should become the norm. Diligently redirect every HTTP request to HTTPS. While you are at it, support Perfect Forward Secrecy too. Test your HTTPS site with this tool: https://www.ssllabs.com/ssltest/
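As an added example (not from the original post), here is an nginx configuration that does what this section describes: every HTTP request is redirected to HTTPS, only forward-secret (ECDHE) cipher suites are offered, and browsers are told to stick to HTTPS. The hostname, certificate paths and upstream address are placeholders.

```nginx
# Added example: HTTP-to-HTTPS redirect plus a TLS server block with
# forward secrecy. Hostname, cert paths and upstream are placeholders.

server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;

    # Diligently redirect every HTTP request, keeping host and path.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com www.example.com;

    ssl_certificate     /etc/ssl/example.com/fullchain.pem;   # placeholder path
    ssl_certificate_key /etc/ssl/example.com/privkey.pem;     # placeholder path

    # TLS 1.2 and 1.3 only; SSLv3, TLS 1.0 and TLS 1.1 are not offered.
    ssl_protocols TLSv1.2 TLSv1.3;

    # Perfect Forward Secrecy: ECDHE key exchange only, so a later
    # compromise of the private key does not expose recorded sessions.
    # (TLS 1.3 suites are always forward secret and are not listed here.)
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;

    # Reuse sessions cheaply without long-lived ticket keys.
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # Tell browsers to use HTTPS only for this host for one year.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    location / {
        proxy_pass http://127.0.0.1:8080;   # placeholder: your application server
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

After reloading nginx, run the site through the SSL Labs test linked above to confirm the redirect, protocol versions and forward secrecy are reported as expected.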


3. Encrypt Sensitive Data.
If you are storing sensitive data about users, encrypt the data in your databases. Go beyond just hashing the password. Remember, this is very important. (Shameless plug: check us out. Our encryption-as-a-service can be very useful for individual developers and startups.)


4. Pen Test your site/app.
Good pen testers are pricey. But they are so worth it. While automated tools can pick out low-hanging vulnerabilities, nothing beats a well-trained human thinking like an attacker. (DM us at @SecureDB if you need recommendations.)


5. Code review everything.
After every sprint, do peer reviews. Better yet, get an independent reviewer to look at the code. Not all of us can afford professional code review companies; so start small. Find experts at local meetups, hackathons etc. Ask your friends for recommendations. Prioritize the code that deals with authentication, authorization, encryption, output encoding, input validation and third-party integration. Once you have money, hire professionals.


6. Change all default passwords.

We’re not in a post-password world yet. A lot of software products come with default usernames and passwords. Be it a database, or your favorite content management software you just installed. Change the passwords immediately after installing them. Needless to say, also ensure your passwords are sufficiently strong… and make sure none of your employees are like the guy in this picture.

And again, we’re not in a post-password world yet. So, ensure none of your employees are reusing passwords across any two sites.


7. Dev environment is only for developers
There is no need for you to expose your development, testing or staging environments to the internet. Since only a handful of developers are accessing it, firewall it. Allow access only from known IP addresses. Block everything else.


8. Offsite (cold) backups
Back up your databases offline, unconnected to the internet in any way. Encrypt this backup. This is your last line of defense. Guard it well.


Final Thoughts
So, there is no silver bullet or magic wand. Yet, by doing a few simple things right, you could really improve your security posture and reduce your attack surface. Some of the things listed above can be done in a day. Others may take a couple of weeks.

I’d love to hear your thoughts on what else startups could do. Share your ideas.