Bootstrapping a Security Team

Kyle Randolph
Jul 21, 2017 · 3 min read

I am frequently asked about how to bootstrap an application security program in a startup. Here’s an email I’ve been sharing:

Have your lead security engineer do the following to win friends and influence people:

  • Security Cabal — anyone can join, meet weekly or biweekly to discuss security topics and assign security tasks for folks’ 20% time
  • also have a chat room or email list to share and discuss security news
  • Quarterly presentations to exec. staff in CSO format
  • Ideally it would be worthy of presenting to the board if asked. Nasdaq found something like 80% of public co. boards get updates on security
  • Weekly 5-minute updates to Engineering/Product about product security. Long form once every 3–6 months
  • Occasional presentations to the whole company about security awareness and big deals
  • Security office hours
  • Network of security champs in other teams
  • “Security Hero” recognition for folks who do something awesome for security. We give out shirts.
  • Buy Engineering donuts or pick up their bar tab periodically. Very important!
  • Brag often to an invisible changes list about cool stuff you do
  • JIRA everything; tickets are a cheap source of metrics you can use to justify security budget and headcount
  • Have a security dashboard for each team showing security backlog, metrics, top risks, sensitive assets, common security issues and how to address them

Great blog on security for startups

Snyk for finding known-vulnerable JavaScript (npm) dependencies

SourceClear for vulns in third-party code

Twistlock for Docker security (plain Docker without an add-on may work better for your team)

CIS benchmarks — blindly follow these guidelines for hardened OS and Docker images until you have time (ha) to customize
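A way to make "blindly follow the benchmark" mechanical for Docker images, as an added example (not the CIS tooling and not the author's code): a small linter that checks a Dockerfile against several build-time items from the CIS Docker Benchmark (non-root USER, pinned base image, COPY instead of ADD, a HEALTHCHECK, no secrets in ENV, no `apt-get update` in its own layer). Both Dockerfiles embedded below are constructed for the demo; run it on a real file with `python lint_dockerfile.py path/to/Dockerfile`.

```python
"""Lint a Dockerfile against several build-time items from the CIS Docker
Benchmark (section 4, images and build files): run as a non-root USER, pin
the base image instead of :latest, use COPY rather than ADD, ship a
HEALTHCHECK, never bake secrets in with ENV, and never run apt-get update
in its own layer. Added example, not the benchmark's own tooling; both
Dockerfiles below are constructed for the demo."""
import re
import sys

# Constructed input: a typical first-draft Dockerfile that trips every check.
SAMPLE_DOCKERFILE = """\
FROM ubuntu:latest
RUN apt-get update
ADD app.tar.gz /opt/app
ENV DB_PASSWORD=hunter2
EXPOSE 8080
CMD ["/opt/app/run"]
"""

# Constructed input: the same image after applying the checks.
HARDENED_DOCKERFILE = """\
FROM ubuntu:22.04
RUN apt-get update && apt-get install -y --no-install-recommends ca-certificates \\
    && rm -rf /var/lib/apt/lists/*
COPY app/ /opt/app/
RUN useradd --system --no-create-home app
USER app
HEALTHCHECK CMD /opt/app/healthcheck || exit 1
CMD ["/opt/app/run"]
"""

SECRET_NAME = re.compile(r"(?i)(password|passwd|secret|token|api[_-]?key)")


def parse_instructions(text):
    """Yield (INSTRUCTION, argument) pairs, joining backslash continuations
    and skipping blank lines and comments."""
    text = re.sub(r"\\\n", " ", text)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        yield parts[0].upper(), (parts[1].strip() if len(parts) > 1 else "")


def lint_dockerfile(text):
    """Return a list of findings (strings); an empty list means clean."""
    findings = []
    instrs = list(parse_instructions(text))
    users = [arg for ins, arg in instrs if ins == "USER"]
    if not users:
        findings.append("no USER instruction: the container runs as root")
    elif users[-1].split(":")[0] in ("root", "0"):
        findings.append("last USER is root: drop privileges before CMD/ENTRYPOINT")
    for ins, arg in instrs:
        if ins == "FROM":
            image = arg.split()[0]  # drop any "AS builder" alias
            if image.endswith(":latest") or not any(c in image for c in ":@"):
                findings.append(f"base image {image!r} is unpinned: pin a tag or a digest")
        elif ins == "ADD":
            findings.append("ADD used: prefer COPY (ADD auto-extracts archives and fetches URLs)")
        elif ins == "ENV":
            name = re.split(r"[=\s]", arg, maxsplit=1)[0]
            if SECRET_NAME.search(name):
                findings.append(f"ENV {name} looks like a secret baked into the image")
        elif ins == "RUN" and "apt-get update" in arg and "install" not in arg:
            findings.append("apt-get update in its own layer: combine it with the install step")
    if not any(ins == "HEALTHCHECK" for ins, _ in instrs):
        findings.append("no HEALTHCHECK instruction")
    return findings


def main(argv):
    path = argv[1] if len(argv) > 1 else None
    text = open(path).read() if path else SAMPLE_DOCKERFILE
    findings = lint_dockerfile(text)
    for f in findings:
        print(f"FAIL: {f}")
    print("clean" if not findings else f"{len(findings)} finding(s)")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Wire it into CI as a required check and the benchmark is followed without anyone having to remember it; when you do get time to customize, the exceptions end up as code review on this file rather than tribal knowledge.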

CAIQ — all the red-tape infosec stuff you would do in an ideal situation. We do about half of these in some form or another. It has a matrix mapping to ISO 27001, PCI, HIPAA in your case, etc.

  • Alternatively, consider the Forrester maturity model if you can google a free copy. In general, googling will turn up some vendor making Forrester documents available for free
  • Get familiar with the ISO 2700x standards, particularly 27001, 27002, 27018, and 27017 (the cloud-services one, published in 2015)

Make sure you have a security@yourcompany.com email address monitored. Random folks will report issues there.

Consider a bug bounty program. Expect to pay a few $k/month for the triage service plus a 20% commission on bounties. Start out with a few vetted top researchers in a private program and low bounties, and raise them over time. You may not want to pay for low-severity bugs at all if you don’t expect to have the bandwidth to fix them. On the other hand, low-severity bugs sometimes chain into a high-severity one (we find a few cases of this each year).

AWS Tools — Inspector, Trusted Advisor, IAM, CloudTrail. We track a matrix of AWS accounts against the following AWS Account Security Elements, one column per element:

  • Risk?
  • Strong Password
  • IAM
  • MFA on Root
  • Okta?
  • Trusted Advisor
  • Security Contact
  • Security Monkey
  • Inspector
  • Config Rules
  • CloudTrail
  • Password Policy
  • No Root API Keys
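Filling in a row of that account/element matrix can be scripted. The following is an added example, not Optimizely's internal tooling: it evaluates one account against four of the elements listed above (MFA on Root, No Root API Keys, Password Policy, CloudTrail) from the raw responses of the boto3 calls named in each docstring. The `evaluate_*` functions take those responses as plain dicts so they run offline against the constructed `WEAK_*`/`GOOD_*` responses; `collect_account()` makes the real calls when boto3 and credentials are present. The password-policy thresholds are this example's choice, not an AWS default.

```python
"""Check one AWS account against several of the account security elements
listed above: MFA on Root, No Root API Keys, Password Policy and CloudTrail.
Added example, not Optimizely's internal tooling. Each evaluate_* function
takes the raw response of the boto3 call named in its docstring, so the
logic runs offline against the constructed responses below; collect_account()
makes the real calls when boto3 and credentials for the target account are
available."""


def evaluate_root(summary_map):
    """summary_map = iam.get_account_summary()['SummaryMap']."""
    return {
        "MFA on Root": summary_map.get("AccountMFAEnabled") == 1,
        "No Root API Keys": summary_map.get("AccountAccessKeysPresent") == 0,
    }


def evaluate_password_policy(policy):
    """policy = iam.get_account_password_policy()['PasswordPolicy'], or None
    when that call raised NoSuchEntityException (no policy set at all).
    Thresholds are this example's choice, not an AWS default."""
    if policy is None:
        return {"Password Policy": False}
    strong = (
        policy.get("MinimumPasswordLength", 0) >= 14
        and policy.get("RequireUppercaseCharacters", False)
        and policy.get("RequireLowercaseCharacters", False)
        and policy.get("RequireNumbers", False)
        and policy.get("RequireSymbols", False)
        and policy.get("PasswordReusePrevention", 0) >= 24
    )
    return {"Password Policy": bool(strong)}


def evaluate_cloudtrail(trails):
    """trails = cloudtrail.describe_trails()['trailList']. Require a
    multi-region trail so API activity in every region is recorded."""
    return {"CloudTrail": any(t.get("IsMultiRegionTrail", False) for t in trails)}


def evaluate_account(summary_map, policy, trails):
    """One row of the account-by-element matrix: element name -> True/False."""
    row = {}
    row.update(evaluate_root(summary_map))
    row.update(evaluate_password_policy(policy))
    row.update(evaluate_cloudtrail(trails))
    return row


def failing_elements(row):
    """Names of the elements an account fails, sorted, for the dashboard."""
    return sorted(name for name, ok in row.items() if not ok)


def collect_account():
    """Live version; needs boto3 plus iam:GetAccountSummary,
    iam:GetAccountPasswordPolicy and cloudtrail:DescribeTrails."""
    import boto3
    iam = boto3.client("iam")
    trail = boto3.client("cloudtrail")
    summary = iam.get_account_summary()["SummaryMap"]
    try:
        policy = iam.get_account_password_policy()["PasswordPolicy"]
    except iam.exceptions.NoSuchEntityException:
        policy = None
    return evaluate_account(summary, policy, trail.describe_trails()["trailList"])


# Constructed responses: an account nobody has hardened yet ...
WEAK_SUMMARY = {"AccountMFAEnabled": 0, "AccountAccessKeysPresent": 1}
WEAK_POLICY = None
WEAK_TRAILS = []
# ... and one that passes every element checked here.
GOOD_SUMMARY = {"AccountMFAEnabled": 1, "AccountAccessKeysPresent": 0}
GOOD_POLICY = {
    "MinimumPasswordLength": 16, "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True, "RequireNumbers": True,
    "RequireSymbols": True, "PasswordReusePrevention": 24,
}
GOOD_TRAILS = [{"Name": "org-trail", "IsMultiRegionTrail": True}]

if __name__ == "__main__":
    for label, args in (("weak-account", (WEAK_SUMMARY, WEAK_POLICY, WEAK_TRAILS)),
                        ("good-account", (GOOD_SUMMARY, GOOD_POLICY, GOOD_TRAILS))):
        print(label, failing_elements(evaluate_account(*args)) or "all checked elements pass")
```

Run `collect_account()` once per account with a role assumed into each, and the list of failing elements is the per-team security dashboard entry mentioned earlier; the remaining columns (Okta, Security Monkey, Config Rules, security contact) are either yes/no facts you record by hand or are reported by the tool itself.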

Repoguard — keep secrets out of git. A credential committed to a repo is one of the easiest ways for your whole infrastructure to get massively compromised.
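The cheapest version of that control is a pre-commit hook that refuses a commit whose staged diff adds something secret-shaped. The following is an added example, not Repoguard itself: it scans only the added lines of `git diff --cached` for AWS access key IDs, PEM private key blocks, and password/secret/token-style assignments to long string literals, with a reviewed `secrets-ok` marker for test fixtures. `SAMPLE_DIFF` is a constructed diff (the access key is AWS's documented example value) used to exercise the scanner offline.

```python
"""Git pre-commit hook that blocks a commit when the staged diff adds
something that looks like a secret: AWS access key IDs, PEM private key
blocks, and password/secret/token-style assignments to long string
literals. Added example, not Repoguard itself; SAMPLE_DIFF is a constructed
`git diff --cached` output used to exercise the scanner offline. Install by
copying to .git/hooks/pre-commit (or wiring into a repo-wide hook manager)."""
import re
import subprocess
import sys

PATTERNS = [
    ("AWS access key ID", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("private key block", re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |PGP )?PRIVATE KEY(?: BLOCK)?-----")),
    ("hardcoded credential", re.compile(
        r"(?i)(?:password|passwd|secret|token|api[_-]?key)\w*\s*[:=]\s*['\"][^'\"]{8,}['\"]")),
]
# Reviewed opt-out for fixtures that must contain fake credentials.
ALLOW_MARKER = "secrets-ok"

HUNK_HEADER = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)")

# Constructed `git diff --cached` output: a real key, a password, an
# allow-listed fixture value, and a private key added as a new file.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,3 +1,5 @@
 DEBUG = False
-AWS_KEY = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+DB_PASSWORD = "correct-horse-battery"
+TEST_TOKEN = "xxxxxxxxxxxx"  # secrets-ok
 ALLOWED_HOSTS = ["example.com"]
diff --git a/deploy/id_rsa b/deploy/id_rsa
new file mode 100644
--- /dev/null
+++ b/deploy/id_rsa
@@ -0,0 +1,2 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEA...
"""


def scan_diff(diff_text):
    """Scan only the added ('+') lines of a unified diff. Returns a list of
    (path, new_line_number, kind, offending_line) tuples."""
    findings = []
    path, new_line, in_hunk = None, 0, False
    for raw in diff_text.splitlines():
        if raw.startswith("diff --git"):
            in_hunk = False
        elif raw.startswith("+++ ") and not in_hunk:
            path = raw[4:]
            path = path[2:] if path.startswith("b/") else path
        elif raw.startswith("@@"):
            m = HUNK_HEADER.match(raw)
            new_line = int(m.group(1)) - 1 if m else 0
            in_hunk = True
        elif in_hunk and raw.startswith("+"):
            new_line += 1
            content = raw[1:]
            if ALLOW_MARKER in content:
                continue
            for kind, pat in PATTERNS:
                if pat.search(content):
                    findings.append((path, new_line, kind, content.strip()))
                    break
        elif in_hunk and raw.startswith(" "):
            new_line += 1  # context line; '-' and '\' lines don't advance the new file
    return findings


def main():
    """Hook entry point: non-zero exit aborts the commit."""
    proc = subprocess.run(["git", "diff", "--cached", "--no-color"],
                          capture_output=True, text=True, check=True)
    findings = scan_diff(proc.stdout)
    for path, line, kind, text in findings:
        print(f"{path}:{line}: {kind}: {text}", file=sys.stderr)
    if findings:
        print("commit blocked: remove the secret, rotate it, then retry", file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    if "--demo" in sys.argv:
        for finding in scan_diff(SAMPLE_DIFF):
            print(*finding)
    else:
        sys.exit(main())
```

Treat a hit as already leaked: the fix is to rotate the credential, not just to amend the commit, since the value sits in the developer's history and may have been pushed from elsewhere. Run the same scanner over the full history (`git log -p`) once when you adopt it, which is the job Repoguard does server-side.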

Best summary of threat modeling — distill this into your own short version to use in your technical design phase or design docs

Consider SAML SSO, like Okta or OneLogin, to make offboarding employees less painful.

auth0.com is the way to go if you want to implement SAML SSO for your customers to use. You could use it for all of your authentication (including passwords and API)… seriously consider that; when you’re very small, buy vs. build is very much in favor of buy!

Crypto — See Cryptographic Right Answers

Etsy security presentations start here and the presentations link to other ones

IAPP for post-GDPR and other privacy best practices

Public security information — check out https://www.optimizely.com/security for an example

CISO Toolkit

Security news: http://www.theregister.co.uk/security

Feel free to contact me with any questions!


Written by Kyle Randolph, Security Engineer at Optimizely | Security and Bitcoin
