Bootstrapping a Security Team
I am frequently asked about how to bootstrap an application security program in a startup. Here’s an email I’ve been sharing:
Have your lead security engineer do the following to win friends and influence people:
- Security Cabal — anyone can join, meet weekly or biweekly to discuss security topics and assign security tasks for folks’ 20% time
  - Also have a chat room or email list to share and discuss security news
- Quarterly presentations to exec. staff in CSO format
  - Ideally it would be worthy of presenting to the board if asked. Nasdaq found something like 80% of public company boards get updates on security
- Weekly 5 minute updates to Engineering/Product about product security. Long form once every 3–6 months
- Occasional presentations to the whole company about security awareness and big deals
- Security office hours
- Network of security champs in other teams
- “Security Hero” recognition for folks who do something awesome for security. We give out shirts.

- Buy Engineering donuts or pick up their bar tab periodically. Very important!
- Brag often to an “invisible changes” list (work that users never see) about the cool stuff you do
- JIRA everything; it’s a cheap source of metrics you can use to justify security budget and headcount
- Have a security dashboard for each team showing security backlog, metrics, top risks, sensitive assets, common security issues and how to address them
- Great blog on security for startups
- Snyk for finding JavaScript vulnerabilities
- SourceClear for vulns in third-party code
- Twistlock for Docker security (just straight Docker may work better for your team)
- CIS benchmarks — blindly follow these guidelines for hardened OS and Docker images until you have time (ha) to customize
- CAIQ — all the red-tape infosec stuff you would do in an ideal situation. We do about half of these in some form or another. It has a matrix mapping to ISO 27001, PCI, HIPAA in your case, etc.
  - Alternatively consider the Forrester Maturity Model if you can google a free copy. In general googling will find some vendor making Forrester documents available for free.
- Get familiar with the ISO 270xx standards, particularly 27001, 27002, 27018, and 27017 when it’s available
Make sure you have a security@yourcompany.com email address monitored. Random folks will report issues there.
Consider a bug bounty program. Expect to pay a few $k/month for the triage service plus a 20% commission on bounties. Start out with a few vetted top researchers in a private program and low bounties, then raise them over time. You may not want to pay for low-severity bugs at all if you don’t expect to have the bandwidth to fix them; on the other hand, sometimes several low-severity bugs get chained into a high-severity one (we find a few cases of this each year).
AWS Tools — Inspector, Trusted Advisor, IAM, CloudTrail. We use a matrix of AWS accounts (one row per account) against the following AWS Account Security Elements (one column per element):
- Risk?
- Strong Password
- IAM
- MFA on Root
- Okta?
- Trusted Advisor
- Security Contact
- Security Monkey
- Inspector
- Config Rules
- CloudTrail
- Password Policy
- No Root API Keys
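Several of those columns (MFA on Root, No Root API Keys, Password Policy, and MFA for console users) can be filled in from two things every account already exposes: the IAM credential report and the account password policy. The script below is an added example, not part of the original email and not one of the AWS tools named above. It consumes data shaped like the output of `aws iam get-credential-report` and `aws iam get-account-password-policy`, but the report rows, policy values, key-age limit and the CIS-style thresholds (14-character minimum, 24 passwords of reuse prevention) are this example's own constructed choices; the credential report is abbreviated to the columns the checks use.

```python
"""Fill in a few AWS Account Security Elements from a credential report and
password policy. Constructed sample data; runs offline."""
import csv
import io
import json
from datetime import datetime, timezone

# Constructed, abbreviated credential report (real reports carry more columns).
# The root row is always named <root_account>; 'not_supported' / 'N/A' mean no value.
CREDENTIAL_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2015-01-01T00:00:00+00:00,not_supported,2019-02-01T12:00:00+00:00,not_supported,not_supported,false,true,2015-01-01T00:00:00+00:00,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2016-03-01T00:00:00+00:00,true,2019-02-01T12:00:00+00:00,2018-11-01T00:00:00+00:00,N/A,true,true,2019-01-15T00:00:00+00:00,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2016-03-01T00:00:00+00:00,true,2019-02-01T12:00:00+00:00,2018-11-01T00:00:00+00:00,N/A,false,false,N/A,false,N/A
deploy,arn:aws:iam::123456789012:user/deploy,2016-03-01T00:00:00+00:00,false,N/A,N/A,N/A,false,true,2016-03-01T00:00:00+00:00,false,N/A
"""

# Constructed policy, shaped like get-account-password-policy output.
PASSWORD_POLICY = json.loads("""{"PasswordPolicy": {
  "MinimumPasswordLength": 8, "RequireSymbols": false, "RequireNumbers": true,
  "RequireUppercaseCharacters": true, "RequireLowercaseCharacters": true,
  "AllowUsersToChangePassword": true, "ExpirePasswords": false,
  "PasswordReusePrevention": 0}}""")

MAX_KEY_AGE_DAYS = 90                                     # assumed rotation limit
SAMPLE_NOW = datetime(2019, 3, 1, tzinfo=timezone.utc)    # constructed "today"


def parse_ts(value):
    """Report timestamps are ISO-8601; placeholder strings mean 'none'."""
    if value in ("N/A", "not_supported", "no_information", ""):
        return None
    return datetime.fromisoformat(value)


def check_credential_report(report_csv, now=None, max_key_age_days=MAX_KEY_AGE_DAYS):
    """Return (user, finding) tuples for root MFA, root API keys, user MFA and key age."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            if row["mfa_active"] != "true":
                findings.append((user, "MFA not enabled on root"))
            for slot in ("1", "2"):
                if row[f"access_key_{slot}_active"] == "true":
                    findings.append((user, f"root has active API key {slot}"))
            continue
        # A console password without MFA is the IAM-user equivalent of the root check.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password without MFA"))
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            rotated = parse_ts(row[f"access_key_{slot}_last_rotated"])
            if rotated and (now - rotated).days > max_key_age_days:
                findings.append((user, f"access key {slot} older than {max_key_age_days} days"))
    return findings


def check_password_policy(policy, min_length=14, reuse_prevention=24):
    """Return the policy fields that fall short of a CIS-style baseline (assumed values)."""
    p = policy["PasswordPolicy"]
    findings = []
    if p.get("MinimumPasswordLength", 0) < min_length:
        findings.append(f"MinimumPasswordLength < {min_length}")
    for flag in ("RequireSymbols", "RequireNumbers",
                 "RequireUppercaseCharacters", "RequireLowercaseCharacters"):
        if not p.get(flag):
            findings.append(f"{flag} is off")
    if p.get("PasswordReusePrevention", 0) < reuse_prevention:
        findings.append(f"PasswordReusePrevention < {reuse_prevention}")
    return findings


def run_sample():
    """Run both checks over the constructed data with a fixed clock."""
    return (check_credential_report(CREDENTIAL_REPORT, now=SAMPLE_NOW),
            check_password_policy(PASSWORD_POLICY))


if __name__ == "__main__":
    creds, policy = run_sample()
    for user, finding in creds:
        print(f"{user}: {finding}")
    for finding in policy:
        print(f"password policy: {finding}")
```

Run it once per account in the matrix (the real report comes back base64-encoded from the API; decode it before handing it to `check_credential_report`) and the findings map directly onto the MFA on Root, No Root API Keys and Password Policy columns.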
Repoguard — keep secrets out of git. Committed secrets are one of the easiest ways for your whole infrastructure to get massively compromised.
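The check such a tool performs is simple enough to show end to end. The scanner below is an added example and is not Repoguard's code: it looks for an AWS access key ID shape, a PEM private-key header, keyword-style assignments (`secret`, `password`, `api_key`, `token`), and, on lines nothing else matched, long high-entropy tokens. The sample input, the `# allow-secret` escape hatch, the regexes and the 4.0 bits/char entropy threshold are this example's own choices; the key values in the sample are AWS's published documentation examples, not live credentials.

```python
"""Repoguard-style secret scan for a pre-commit hook. Added example; constructed input."""
import math
import re
import subprocess
import sys
from collections import Counter

# Each pattern names a finding kind. AKIA/ASIA plus 16 chars is the documented
# AWS access key ID shape; the other two are common header/assignment shapes.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "generic_assignment": re.compile(
        r"(?i)(?:secret|password|passwd|api[_-]?key|token)\w*\s*[:=]\s*['\"]?"
        r"([A-Za-z0-9+/=_\-]{16,})"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
}
# A 40-char hex digest tops out just under 4.0 bits/char, so git SHAs stay quiet
# while base64-ish keys (typically 4.5+) trip the check. Threshold chosen here.
ENTROPY_THRESHOLD = 4.0
ENTROPY_TOKEN = re.compile(r"[A-Za-z0-9+/=_\-]{32,}")

# Constructed sample: lines 1-4 should fire, lines 5-6 should not.
SAMPLE = """\
aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"
aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
  value: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
-----BEGIN RSA PRIVATE KEY-----
commit_sha = "3b18e512dba79e4c8300dd08aeb37f8e728b8dad"
test_key = "AKIAIOSFODNN7EXAMPLE"  # allow-secret
"""


def shannon_entropy(s):
    """Bits per character of the string's own symbol distribution."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(text, source="<stdin>"):
    """Return findings as (source, line_no, kind, snippet) tuples, in line order."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if "# allow-secret" in line:      # explicit, code-reviewable escape hatch
            continue
        line_findings = [(source, line_no, kind, m.group(0))
                         for kind, pat in PATTERNS.items()
                         for m in pat.finditer(line)]
        if not line_findings:             # entropy is the fallback, not a second report
            for m in ENTROPY_TOKEN.finditer(line):
                if shannon_entropy(m.group(0)) >= ENTROPY_THRESHOLD:
                    line_findings.append((source, line_no, "high_entropy_string", m.group(0)))
        findings.extend(line_findings)
    return findings


def scan_staged_diff():
    """Scan only the added lines of the staged diff, which is what a pre-commit hook sees.
    Line numbers in the result index the stream of added lines, not the files."""
    diff = subprocess.run(["git", "diff", "--cached", "--no-color", "-U0"],
                          capture_output=True, text=True, check=True).stdout
    added = "\n".join(l[1:] for l in diff.splitlines()
                      if l.startswith("+") and not l.startswith("+++"))
    return scan_text(added, source="staged diff")


def run_sample():
    """Scan the constructed sample above."""
    return scan_text(SAMPLE, source="sample")


if __name__ == "__main__":
    found = scan_staged_diff() if "--staged" in sys.argv else run_sample()
    for src, ln, kind, snippet in found:
        print(f"{src}:{ln}: {kind}: {snippet[:60]}")
    sys.exit(1 if found else 0)
```

Wired up as `.git/hooks/pre-commit` with `--staged`, a non-zero exit blocks the commit; the deliberate limitation is that the hook is client-side and bypassable, so the same scan should also run in CI over the pushed history.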
Best summary of threat modeling — distill this into your own short version to use in your technical design phase or design docs
Consider SAML SSO, like Okta or OneLogin, to make offboarding employees less painful.
auth0.com is the way to go if you want to implement SAML SSO for your customers to use. You could use it for all of your authentication (including passwords and API)… seriously consider that: when you’re very small, buy vs. build is very much in favor of buy!
Crypto — See Cryptographic Right Answers
Etsy security presentations start here and the presentations link to other ones
IAPP for post-GDPR and other privacy best practices
Public security information — check out https://www.optimizely.com/security for an example
Security news: http://www.theregister.co.uk/security
Feel free to contact me with any questions!
