The SaaS CTO Security Checklist

Security shouldn’t feel like a chore. This is a basic checklist that any SaaS CTO (and anyone else) can use to harden their security. Select your startup stage and use these rules to improve your security.

Company Stage

  • Seed
  • Series A
  • Post-Series A

Your employees

  • Accustom everyone to security practices

    Seed

    Humans are often the weakest link in the security of a startup. By explaining how an attacker could infiltrate your company, you will increase your employees’ awareness and thus minimize the chance of them falling for basic traps.

    Ten Recommendations for Security Awareness Programs

  • Accustom your team to locking their computers

    Seed

    Your office may be secured, but you will eventually have to receive external people for a party or a meeting. Locking all the machines is a great habit to have. If you get into the habit of locking your machine at the office, you’ll be unlikely to forget to also do it in a Starbucks or at a meetup.

    Read more:

    7 ways to lock your macbook

  • Do not share accounts

    Series A

    Sharing accounts makes it hard to understand who is using the service. You should avoid it as much as possible. Keep a log of shared accounts and make sure you change passwords if an employee leaves.

  • Encrypt all employee laptops & phones

    Seed

    By encrypting all laptops, you protect both your company’s assets and your employees’ private files. Computers or phones used for work should be encrypted during the onboarding process. It will protect against both malicious activities and accidents (e.g. an employee’s child accidentally wiping a mailbox).

    Read more:

    Mac Encryption

    Linux Encryption

    Microsoft Encryption

  • Follow an onboarding / offboarding checklist

    Seed

    This checklist should contain a list of all the steps you need to enforce when an employee, contractor, intern, etc., joins your company. A similar list should also be used when someone is leaving your team to ensure that they no longer have access to any of your company’s resources.

    Read more:

    Awesome Onboarding

    Rippling

  • Require 2FA in your services

    Seed

    Your employees should all use 2-factor authentication (2FA) on all the services used. Period. If their password is stolen, the attacker cannot use it without the second factor.

    Read more:

    Multi-factor authentication

    Set up 2-Step Verification for your Google domain

    Require 2FA for your Slack team

  • Use a password manager to ensure you only use strong passwords

    Seed

    Using complex and unique passwords for every website you/your team uses is a must-have. This can only be achieved with password managers.

    Great password managers are:

    Dashlane

    LastPass

    iCloud Keychain

  • Use centralized account management

    Series A

    A centralized place with all user authorizations is the best way not to forget anything once you need to update a user profile (e.g., if an internship came to its end).

    Set up your own custom SAML application on Google apps

Your infrastructure

  • Backup, then backup again

    Seed

    Back up all your critical assets. Ensure that you attempt to restore your backups frequently so you can guarantee that they’re working as intended. S3 is a very cheap and effective way to back up your assets:

    Guide to backup files to Amazon S3

  • Centralize and archive your logs and make them meaningful

    Series A

    Logs are necessary to trace what happened after an incident. Understanding how an attack was performed is key to making sure it never happens again. Many solutions exist to gather your logs. The more advanced solutions will help you cut through the noise and find the important data. One piece of advice: always make sure the system time on your machines is in sync. This allows you to cross-correlate logs.

    Read more:

    Network Time Protocol

    Elastic

  • Check your website’s basic security

    Seed

    Websites are vulnerable to many different classes of vulnerabilities. Some may be prevented by the appropriate configurations on the server. Static websites may expose your users to fewer risks.

    Check your website configuration:

    Evaluate the security of your website

    Security Headers

  • Isolate assets at the network level

    Seed

    Only your public APIs should be exposed to the Internet. You should isolate your networks to prevent any unauthorized access to your database. This will prevent attackers from connecting to it and attempting to crack the password, or exploit vulnerabilities.

    Read more:

    VPCs and Subnets on AWS

  • Keep a list of your servers

    Seed

    This is built-in if you are using a cloud service and all your machines are registered or spawned through it. Otherwise, you will need to create and maintain a list of your assets (servers, network devices, etc.). Review it on a regular basis to determine if you still need them, keep them up to date, and ensure that they benefit from your latest deployments.

  • Keep your OS up to date

    Seed

    You should download all of your OS’s security updates and regularly update your machines. As a young startup, you should probably use a PaaS that will handle these updates for you (Heroku, AWS Beanstalk, etc.).

    Heroku

  • Know how to redeploy infrastructure from scratch

    Post-Series A

    Knowing how to quickly spawn a new infrastructure and populate it with data from your backups is critical in case of disaster recovery after an attack (or a mistake).

    Read more:

    AWS Cloudformation

    Google Cloud Deployment Manager

  • Protect your application from DDoS attacks

    Series A

    A Distributed Denial-of-Service Attack (DDoS) can have devastating consequences on businesses. Basic DDoS protections can easily be integrated with a CDN such as Cloudflare or CloudFront.

  • Restrict internal services by IP addresses

    Seed

    Connections to your infra and non-public properties (hosted CIs, admin interfaces, databases, etc.) should only be accessible through a bounce host (VPC, VPN, etc.).

    Read more:

    Securely Connect to Linux Instances Running in a Private Amazon VPC

  • Use SSL certificates to secure people using your website

    Seed

    Encrypting communications is not only about privacy, but also about your users’ safety, since it will prevent most attempts at tampering with the data they receive.

    Use Let’s Encrypt to get a free SSL certificate.

    You can also choose your own custom certificate (which may allow you to get a beautiful green bar if you pay for the extra “Extended Validation”):

    Digicert

    RapidSSL

  • Watch for unusual patterns in your metrics

    Series A

    Takeovers will often be used to steal your data or set up your servers to be used as bouncers. These attacks can be detected by watching for unusual patterns in metrics such as network bandwidth, CPU and memory consumption, and disk usage.

    New Relic

    AppDynamics

Your company

  • Be honest and transparent about any data you collect

    Seed

    In the case of a breach, the attackers may disclose the data they gathered. Your customers need to be aware of what data you’re storing.

    Read more:

    Customer Data: Designing for Transparency and Trust

    GDPR checklist

  • Do not share WiFi

    Seed

    Sharing WiFi networks with guests or neighbors may give them the opportunity to gather information on your network, and allow them to access resources protected by source IP. Use an isolated and dedicated guest WiFi network. Set up a calendar reminder to change the password every two months, since this password is shared.

  • Ensure your domain names are secured

    Seed

    Domain names should be renewed regularly. If you have bought one from a third party, you should also make sure that the authoritative name server is your own.

    Read more:

    8 Tips for Protecting Your Domain Names

  • Have a public security policy

    Series A

    This is a page on your corporate website describing how you plan to respond to external bug reports. You should advertise that you support responsible disclosure. Keep in mind that most of the reports that you receive aren’t relevant. Don’t freak out if you receive so-called “critical disclosures”.

    Great examples:

    Intercom

    Zendesk

    Google Cloud

  • Have a security incident response plan

    Post-Series A

    Having an incident response plan will allow you to communicate in the best and fastest manner about an incident.

    Read more:

    Tips for Starting a Security Incident Response Program

  • Have an internal security policy

    Post-Series A

    The internal security policy is a short document stating the security requirements in your company. It also defines the different points of contact for security.

    Read more:

    How to Start Your IT Security Plan

  • Make an inventory of your company’s assets

    Post-Series A

    Being aware of your company’s assets is an essential first step when starting to scale your security organization.

    Read more:

    Cybersecurity Risk Assessment for Startup CTOs

    How to handle Asset register (Asset inventory) according to ISO 27001

  • Make sure all your critical services are secured

    Seed

    As a company you rely on a multitude of services like Google Apps, Slack, WordPress, etc. Don’t settle for the security defaults of these tools. They can be an easy attack vector if not configured properly. Also make sure you update them regularly.

    Read more:

    How to harden your Google Apps

    Hardening Wordpress

  • Make sure your email is secured

    Seed

    Email is an important attack vector for cyber attacks. Be aware of phishing attacks! At a later stage, you can also implement the DMARC protocol to secure your emails and domains.

    DMARC
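    What “implementing DMARC” boils down to is publishing a DNS TXT record and tightening its policy over time. As an added example that is not part of the original checklist, this parses a DMARC record and reports whether it is actually enforcing; the tag names are those defined by DMARC (RFC 7489), and the sample records are constructed.

```python
from __future__ import annotations


def parse_dmarc(record: str) -> dict[str, str]:
    """Split a record such as 'v=DMARC1; p=reject; rua=...' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> list[str]:
    """Return findings; an empty list means the policy is enforcing and reports flow back."""
    tags = parse_dmarc(record)
    findings = []
    # The record must begin with the version tag, and a policy tag is mandatory.
    if not record.strip().lower().startswith("v=dmarc1"):
        findings.append("record must start with v=DMARC1")
    policy = tags.get("p", "").lower()
    if not policy:
        findings.append("missing p= policy tag")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: move to p=reject once aggregate reports look clean")
    if "rua" not in tags:
        findings.append("no rua= address: you will not receive aggregate reports")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: the policy applies to only {pct}% of mail")
    return findings


# Constructed sample records (example.com is a reserved documentation domain).
MONITOR_ONLY = "v=DMARC1; p=none"
ROLLING_OUT = "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@example.com"
ENFORCING = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100"

if __name__ == "__main__":
    for rec in (MONITOR_ONLY, ROLLING_OUT, ENFORCING):
        print(rec, "->", assess_dmarc(rec) or ["OK"])
```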

  • Set up a bug bounty program

    Post-Series A

    A bug bounty program will allow external hackers to report vulnerabilities. Most bug bounty programs allow you to offer rewards for bugs found. A lot of the reports won’t be valuable, and you need security-aware people inside your development teams to evaluate the bugs you receive. These programs are good additions to other security initiatives but should by no means be considered sufficient on their own.

    Places to start:

    Launching an Efficient and Cost-Effective Bug Bounty Program

    HackerOne

    BugCrowd

    Cobalt

  • Take special care of your non-tech employees

    Series A

    Non-tech employees are less used to technical trickery and can be deceived more easily than others. This can open the door to ransomware or confidentiality issues. They should be trained and empowered to be distrustful and to preserve the company’s assets.

    Read more:

    The six most common ways non-tech people fall victim

Your application

  • Don’t store credit card information

    Seed

  • Perform security audits

    Post-Series A

    Security audits take an external point of view on your infrastructure and products. They are often required when selling to enterprise or for compliance reasons. But if you can afford it, perform penetration tests regularly. Don’t freak out when receiving your first report; it’s often difficult to make them actionable. Keep your company stage in mind. Not every vulnerability identified should be fixed right away.

    Read more:

    10 things you need to know before hiring penetration testers

  • Monitor your dependencies

    Seed

    Modern applications are built using dozens of third-party libraries. A single flaw in any of these libraries may put your entire application at risk. Some tools allow you to monitor your dependencies against vulnerabilities:

    Sqreen

    Github

    Snyk

  • Run it unprivileged

    Seed

    If an attacker successfully attacks your application, having it running as a restricted-user will make it harder for the attacker to take over the host and/or to bounce to other services. Privileged users are root on Unix systems, and Administrator or System on Windows systems.

  • Use a real-time monitoring & protection tool

    Series A

    A real-time monitoring and protection tool like Sqreen allows you to integrate security into your app quickly. Sqreen will enable you to get full visibility on your security, prevent data breaches, protect your customers, and stop business logic attacks. Customize your application’s response to attacks (block attack, log stack trace etc. ) and get notified when something important happens.

Your product users

  • Encourage your users to use 2FA

    Series A

    As you get higher-profile customers, you will be required to implement stronger security practices. This includes offering them 2-factor authentication (2FA), role-based account management, etc. It is recommended to use a third-party solution to manage authentication on your app.

    Read more:

    Auth0

    Okta

  • Enforce a password policy

    Seed

    Your customer data will be much harder to steal if you require complex passwords: mixed case, special characters, minimum length, etc.

    Read more:

    Authentication Guidance for the Modern Era

  • Monitor your users’ suspicious activities

    Series A

    For SaaS apps, users are often the most significant source of critical cyber attacks. This is simply because the attack surface for logged-in users is much broader. You need to make sure you monitor your users for irregular activities like: suspicious route access, spikes of HTTP errors, suspicious geolocations, TOR connections, etc. Being able to identify and block an attacker early often avoids a lot of issues down the road.

    Tools:

    Sqreen

    Castle
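    The four signals named above (suspicious route access, HTTP error spikes, unexpected geolocations, TOR connections), turned into detection logic as an added example that is not part of the original checklist. The log format, the TOR exit list, the per-user known countries and the spike threshold are all constructed for the example; a real deployment would load the exit list from the Tor Project and the known countries from login history.

```python
from __future__ import annotations
from collections import defaultdict

# Constructed reference data (TEST-NET addresses, not real hosts).
TOR_EXIT_IPS = {"198.51.100.7"}
KNOWN_COUNTRIES = {"alice": {"FR"}, "bob": {"US"}}   # countries each user has logged in from
SENSITIVE_PREFIXES = ("/admin", "/export")            # routes ordinary users never need
ERROR_SPIKE = 5                                       # 4xx responses per user before alerting

# Constructed application log, one request per line: user ip country status path
LOG = """\
alice 203.0.113.5 FR 200 /dashboard
alice 203.0.113.5 FR 200 /invoices/12
bob 198.51.100.7 DE 200 /dashboard
bob 198.51.100.7 DE 403 /admin/users
bob 198.51.100.7 DE 404 /invoices/1
bob 198.51.100.7 DE 404 /invoices/2
bob 198.51.100.7 DE 404 /invoices/3
bob 198.51.100.7 DE 404 /invoices/4
bob 198.51.100.7 DE 404 /invoices/5
"""


def detect(log: str) -> dict[str, set[str]]:
    """Return {user: set of alert reasons} for one log window; users with no alerts are absent."""
    alerts: dict[str, set[str]] = defaultdict(set)
    errors: dict[str, int] = defaultdict(int)
    for line in log.splitlines():
        user, ip, country, status, path = line.split()
        if ip in TOR_EXIT_IPS:
            alerts[user].add("tor exit node")
        # A country the user has never used before; unknown users get no geo alert.
        if user in KNOWN_COUNTRIES and country not in KNOWN_COUNTRIES[user]:
            alerts[user].add(f"new country {country}")
        # A denied attempt on an admin/export route is probing, not a typo.
        if status == "403" and path.startswith(SENSITIVE_PREFIXES):
            alerts[user].add(f"denied sensitive route {path}")
        if status.startswith("4"):
            errors[user] += 1
            if errors[user] == ERROR_SPIKE:   # alert once, when the threshold is crossed
                alerts[user].add("http error spike")
    return dict(alerts)


if __name__ == "__main__":
    for user, reasons in detect(LOG).items():
        print(user, sorted(reasons))
```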

Your code

  • Enforce a secure code review checklist

    Seed

    Security should always be kept in mind when developing software. But enforcing an ever-increasing list of security checks in code reviews is key to avoiding a lot of vulnerabilities. The checks should be different depending on where the code is. Dealing with user input is one thing, dealing with business structures is another: the concerns are related to the context. In addition to common sense, keep in mind the typical security flaws, like the OWASP Top 10.

    Read more:

    The OWASP top 10 - 2017

  • Keep secrets away from code

    Seed

    Never commit secrets in your code. They should be handled separately to prevent them accidentally being shared or exposed. This allows a clear separation between your environments (typically development, staging, and production).

    Read more:

    The Twelve-Factor App
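    A pre-commit style scan for secrets that slipped into source, beside the environment-based configuration the Twelve-Factor App recommends, as an added example that is not part of the original checklist. The patterns are illustrative rather than exhaustive, the two settings files are constructed, and the key id is the placeholder from AWS’s own documentation.

```python
from __future__ import annotations
import re

# Common secret shapes. Assumption: illustrative only; dedicated scanners carry far more.
PATTERNS = {
    "aws access key id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private key block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "hardcoded password": re.compile(r"""(?i)(?:password|passwd|secret)\s*[=:]\s*["'][^"']{6,}["']"""),
    "bearer token": re.compile(r"(?i)\bbearer\s+[a-z0-9._-]{20,}"),
}


def find_secrets(text: str) -> list[tuple[int, str]]:
    """Return (line_number, kind) for every line that looks like it contains a secret."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            if pattern.search(line):
                hits.append((lineno, kind))
    return hits


# Constructed sample: the same settings module before and after the fix.
# AKIAIOSFODNN7EXAMPLE is the documentation placeholder key id, not a live credential.
BEFORE = '''\
import os
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
DB_PASSWORD = "hunter2hunter2"
DEBUG = True
'''

AFTER = '''\
import os
AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]   # injected per environment
DB_PASSWORD = os.environ["DB_PASSWORD"]               # KeyError on a misconfigured host, never a default
DEBUG = os.environ.get("DEBUG", "0") == "1"
'''

if __name__ == "__main__":
    print("before:", find_secrets(BEFORE))   # flags lines 2 and 3
    print("after:", find_secrets(AFTER))     # nothing to flag
```

Wiring find_secrets into a git pre-commit hook over the staged diff keeps the check out of the reviewer’s way while still blocking the commit.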

  • Maintain a backlog of security concerns in your issue tracking tool

    Seed

    Every developer should contribute to maintaining a list of security issues for the backlog. Making vulnerabilities available to the rest of the team will increase the security awareness in the company.

  • Never do cryptography yourself

    Seed

    Always rely on existing mechanisms, libraries and tools. Cryptography is an expertise. Building your own implementations, or using flags and options you don’t fully understand, will expose you to major risks.

    Learn more:

    https://en.wikipedia.org/wiki/Bcrypt

    http://crypto.stackexchange.com/questions/43272/why-is-writing-your-own-encryption-discouraged

    https://download.libsodium.org/doc/

    https://blogs.dropbox.com/tech/2016/09/how-dropbox-securely-stores-your-passwords/
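    The password-storage case the links above discuss, done the way this item recommends: a standard library KDF, a random salt and a constant-time comparison, nothing hand-rolled. This is an added example, not code from the original checklist; it uses scrypt from Python’s hashlib (bcrypt, which the links cover, is not in the standard library), and the cost parameters are the commonly used “interactive” scrypt settings.

```python
from __future__ import annotations
import base64
import hashlib
import hmac
import os

# Assumption: standard "interactive" scrypt parameters (16 MiB of memory per hash).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1
DKLEN = 32


def _kdf(password: str, salt: bytes) -> bytes:
    """Derive a fixed-length key from the password with scrypt; the library does the work."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)


def hash_password(password: str) -> str:
    """Return 'scrypt$<salt>$<hash>' (base64 fields) with a fresh random 16-byte salt."""
    salt = os.urandom(16)
    digest = _kdf(password, salt)
    return "scrypt$%s$%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare it in constant time."""
    try:
        scheme, salt_b64, digest_b64 = stored.split("$")
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
    except (ValueError, TypeError):
        return False            # malformed record: reject rather than raise
    if scheme != "scrypt" or len(expected) != DKLEN:
        return False
    # compare_digest does not short-circuit, so timing reveals nothing about the prefix.
    return hmac.compare_digest(_kdf(password, salt), expected)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record), verify_password("wrong", record))
```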

  • Perform security oriented test sessions

    Series A

    Once in a while, the entire technical team should sit together and attack the whole organization. This is a great time to test for account isolation, token uniqueness, unauthenticated paths, etc. You will massively rely on your browser’s web console, curl, and 3rd party tools such as OWASP ZAP, Burp, Nmap, or OpenVAS. Keep in mind that these tools generate a lot of false positives. You can cut through false positives and ease the remediation process by installing Sqreen in monitoring mode on your app.

    Read more:

    OWASP Testing Guide

  • Use a secure development life cycle

    Post-Series A

    The secure development lifecycle is a process that helps tackle security issues at the beginning of a project. While rarely used as is, it provides useful insights at all stages of the project, from the specification to the release. It will allow you to enforce good practices at every step of the project life.

    Read more:

    OWASP Secure Software Development Lifecycle Project

    Microsoft Security Development Lifecycle

  • Use a static security code analysis tool

    Seed

    Static code analysis tools can quickly overwhelm you with a lot of meaningless false positives. But switching on security-focused tools can help you discover vulnerabilities inside your code and, most importantly, increase the security awareness inside your team. Integrate these tools into your workflow to reduce friction. Post-commit checks that automatically comment where code reviews are performed are ideal.

    Tools:

    Codacy

    Other tools
