The First Security Engineer's 100-day Checklist

Being the first security engineer in a startup that has already been operating for a few months or even years can be quite daunting. This security checklist aims to help security engineers and CISOs in early-stage companies prioritize their efforts during the first months of their new job. Have feedback? Let us know!


Process

  • Automation is key

    After

    With the number of tasks required, you can easily drown in less important tasks, lose track of serious unresolved vulnerabilities and substantially diminish your incident response capabilities. Automate as much as possible in order to free up valuable time for tasks that actually require human expertise and deeper analysis. Take advantage of the many solutions offered on the market and of computers' analytical power.

  • Be the point of contact to perform security reviews of architecture

    First quarter

    Be available to the teams for the security reviews of the architecture and update the architecture documentation regularly.

  • Build a process to manage third-party services

    First quarter

    Third-party providers need to be managed from before onboarding to offboarding. This entails a thorough due diligence before and during the relationship as well as frequent risk assessments to keep abreast of the level of access the provider has and the potential vulnerabilities. The contract termination is often overlooked and should be well prepared during contract drafting, notably in terms of data migration and access removal. A checklist of all the tasks to be performed during onboarding and offboarding should be set up and regularly updated.

  • Create a flag for security-related tasks

    First month

    If the company has an issue tracking system (such as JIRA), make sure the security-related issues can be identified easily or work with the team managing the system to create a special flag or a project. Communicate about this new category to the employees and clarify how and when to use it. You can also use a dedicated vulnerability management system such as ThreadFix which can be integrated with JIRA.

  • Create security incident response plan

    First quarter

    Define what constitutes a security incident and design the response plan outlining the tasks and roles. Communicate about the response plan and make sure employees are aware of their roles through regular training and simulation exercises.

  • Determine if there are pending security tasks

    First month

    Oftentimes, even if vulnerabilities have been reported (in JIRA for example), they are not addressed because people did not know they had to address them or did not realize that they needed to be fixed immediately, or did not allocate the resources to assess and fix the issue.

  • Determine who was informally in charge of security

    First week

    Even though it was not in an official capacity, chances are someone was handling some security aspects for the company. Take the time to meet early on with this “security champion”, not only to gather precious information about the current state of things but also to agree on their scope going forward, should they stay involved in security tasks.

  • Enforce a process for security code reviews

    First quarter

    Work with the developers to set up a process and a checklist for security code reviews in order to empower them to run manual and automated security code reviews themselves. Be available to answer their questions and be ready to assist if needed.

  • Enforce usage of password managers with strong password policies

    First quarter

    Your users will only need to remember one master password. All other passwords can be complex and long, the password manager will take care of storing them and retrieving them when needed. The password manager can also generate random strong passwords to be used.

  • Fix the most urgent issues

    First month

    Do not be alarmed or overwhelmed by the number of vulnerabilities uncovered during the audits. Not all of them need to be fixed right away; you can draw up a plan to fix them over time. However, do not defer fixing the most critical issues. If you identify a serious vulnerability during one of the audits or security reviews, address and fix it immediately. If you can’t fix it, mitigate it.

  • Implement and maintain company security policies and procedures

    After

    Draft security policies and procedures for the company. Make sure they are stored in accessible repositories and communicate around their publication. Set up a process to review and update them regularly at a certain frequency or when a specific event occurs.

  • Include security in the onboarding/offboarding process

    First quarter

    For onboarding/offboarding processes of permanent and temporary employees, a checklist should be set up and regularly updated. The list should include all the tasks to be done when an employee, intern or contractor joins or leaves the company, including any information to be passed on to the newcomers.

  • Include security testing in the development process

    First quarter

    Work with development teams to include static and dynamic application security testing in the development process.

  • List and prioritize the issues

    First month

    Compile the issues uncovered during the general and specific security audits, then prioritize by risk. Setting up a vulnerability management system such as ThreadFix will be helpful.

  • Ask questions and take notes during onboarding

    First week

    Regardless of the maturity of the onboarding process at the company, whether formal or informal, seize the opportunity to ask questions and take extensive notes; these will be useful as you settle into your role. Pay extra attention to the security aspects during the onboarding. You can compile your observations in a discovery report.

  • Perform a security review of the architecture

    First month

    Review the elements of the architecture and the interfaces between them. Using the list of assets, you should be able to map the elements, draw the interconnections and identify flaws in communication protocols, server configurations, database choices and so on.

  • Prepare the groundwork for external security tests

    After

    Before embarking on independent security assessments and penetration tests, it is good practice to run checks and correct some commonly identified issues (such as missing patches, weak or default passwords, unsupported operating systems or missing input/output data validation) in order to spend the external auditors’ time and expertise on more subtle issues.

  • Set up and facilitate a public bug bounty program

    After

    A bug bounty program allows external hackers to report vulnerabilities. Most bug bounty programs let you offer rewards for bugs found. Many of the reports won’t be valuable, and you need security-aware people inside your development teams to evaluate the bugs you receive. These programs are good additions to other security initiatives but can by no means be considered sufficient on their own.

  • Structure and be the technical resource for the sales team and customers

    After

    As a security engineer, you might also be the go-to resource for sales teams that require help filling in security forms. Spend some time retrieving and structuring all the previous requests to save time for future questionnaires.

  • Understand product development processes

    First week

    As part of your first week exploration, you need to gather enough information from the key stakeholders in order to have a clear understanding of the product development processes (steps, key milestones, teams involved, governance structure…). It can be documentation or detailed oral explanations that should be written down. It will serve as a basis when you get to introduce security awareness and tasks within the processes.

  • Be smart

    First week

    As a security engineer, your job is to improve the security of your new company. It’s tempting to show off how much you know about security and cybersplain to everyone how insecure their setup is. Don’t just take your previous experiences and more mature companies as the go-to model. Understand what’s at stake (risk management). It’s easy to suffocate an agile startup with heavy security that does not scale well. Security engineers operate inside a business, and understanding the business before enforcing government-agency-like security measures is key.

Culture

  • Be humble and respectful - Kill the shame game!

    First week

    As a general rule of thumb, adopting a humble and respectful demeanor is a factor of success for every newcomer within an organization. Being too hasty and judgmental in pointing out the shortcomings in the company’s security will not earn you the respect of your new colleagues, rather it will drive them away. Take comfort in the fact that if the company deemed there were no issues, you would not have been hired!

  • Build relationships with the stakeholders

    First week

    If it was not included in your onboarding documentation, ask for the list of the key stakeholders in the organization, whether developers, operations staff, leaders or managers. Your manager may want to accompany you for the introductions. Arrange together to meet with them and discuss their understanding of security and of your role, as well as their concerns.

  • Do a security training for engineers and non-engineers

    First quarter

    Liaise with HR or the training department to set up a targeted security training for all employees, whether engineers or not. The training should not be a list of instructions, rather an explanation as to why certain rules have to be put in place. You can include technical details but make them accessible for all skill levels. The training should be included in the onboarding process of the newcomers.

  • Don’t create a security awareness program (they don’t work) but…

    After

    … enable and infuse a security culture

    Don’t make security a one-day annual training everyone has to go through and then forget about. Permanent and contract employees need to be aware at all times of security threats, beginning with how they set and handle their passwords, use their emails, laptops and external drives.

  • Meet with fellow security engineers from similar companies

    First quarter

    It is good practice to share and discuss with fellow professionals. As such, if you are not already a member of a professional group in your area, look for the local chapter of information security communities. You could also reach out directly to fellow security engineers, whether in the same business line or not, to exchange ideas about your jobs and responsibilities or to discuss how they navigated being the first security engineer in their organization, if they were.

  • Never stop learning!

    After

    Managing security is an ever-changing landscape, so you need to keep yourself updated on the practices, tools, zero-day vulnerabilities, patches etc. It can seem overwhelming, but there are some websites on which you can get regular information.

Application Security

  • Add a security policy to the websites

    First month

    When security researchers discover vulnerabilities in the company’s web services, they will need a channel to report them properly to the company. By adding a security policy such as security.txt to your websites, you help them get in touch with you easily about the issues they uncover. Mention that you support responsible disclosure, which gives you time to assess and fix the reported vulnerabilities.
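
A security.txt file is a short list of "Field: value" lines served at /.well-known/security.txt (RFC 9116). The following added example is not part of the original checklist or of Sqreen's tooling: it parses a constructed sample file and checks the points researchers and receivers actually rely on, namely that Contact and Expires are present, that contacts are URIs rather than bare e-mail addresses, that the file has not expired, and that Policy and Canonical links use HTTPS. The sample contents, the example.com addresses and the fixed reference time are assumptions made for the example.

```python
import re
from datetime import datetime, timezone

# Constructed sample of a security.txt in the RFC 9116 format (not a real site's file).
SAMPLE_SECURITY_TXT = """\
# Security policy for example.com (constructed sample)
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2030-01-01T00:00:00.000Z
Preferred-Languages: en, fr
Policy: https://example.com/security/policy
Canonical: https://example.com/.well-known/security.txt
"""

# Constructed sample with typical mistakes: a bare e-mail address, no Expires, a plain-http URL.
BROKEN_SECURITY_TXT = """\
Contact: security@example.com
Contact: https://example.com/security
Policy: http://example.com/policy
"""

# Fixed reference time so the expiry check gives the same answer on every run.
FIXED_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)

# Fields that RFC 9116 allows at most once per file.
SINGLE_VALUED = ("Expires", "Preferred-Languages")


def parse_security_txt(text):
    """Parse 'Field: value' lines into {field: [values]}, skipping comments and blank lines."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"malformed line: {raw!r}")
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields


def validate_security_txt(text, now=None):
    """Return a list of problems; an empty list means the file passes every check."""
    now = now or datetime.now(timezone.utc)
    try:
        fields = parse_security_txt(text)
    except ValueError as exc:
        return [str(exc)]
    problems = []

    contacts = fields.get("Contact", [])
    if not contacts:
        problems.append("missing required Contact field")
    for contact in contacts:
        # RFC 9116 requires a URI; a bare address such as security@example.com is not one.
        if not re.match(r"^(mailto:|tel:|https://)", contact):
            problems.append(f"Contact must be a mailto:, tel: or https: URI: {contact}")

    expires = fields.get("Expires", [])
    if not expires:
        problems.append("missing required Expires field")
    else:
        try:
            expiry = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if expiry <= now:
                problems.append(f"file expired on {expires[0]}; researchers may ignore it")
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 timestamp: {expires[0]}")

    for name in SINGLE_VALUED:
        if len(fields.get(name, [])) > 1:
            problems.append(f"{name} must appear at most once")

    for url in fields.get("Policy", []) + fields.get("Canonical", []):
        if not url.startswith("https://"):
            problems.append(f"Policy and Canonical URLs must use https: {url}")
    return problems


if __name__ == "__main__":
    for label, body in (("sample", SAMPLE_SECURITY_TXT), ("broken", BROKEN_SECURITY_TXT)):
        print(label, validate_security_txt(body, now=FIXED_NOW) or "OK")
```

Run the validator against the file you actually serve before publishing it, and again from a scheduled job: an expired security.txt is worse than none, because a researcher who finds one may conclude the company has stopped accepting reports.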

  • Audit DNS settings

    First month

    As more and more day-to-day business activities and revenue rely heavily on DNS, it is important to audit it as soon as possible and regularly afterwards.

  • Audit the applications

    First month

  • Enforce two-factor authentication

    First quarter

    Wherever possible, make sure two-factor authentication (2FA) is enforced. It requires the user to provide a second piece of information on top of a password which adds strength to the login process.
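
The most common second factor is a time-based one-time password (TOTP) generated by an authenticator app. The following added example is not from the original checklist; it implements RFC 4226 HOTP and RFC 6238 TOTP with the Python standard library, so that you can see what the "second piece of information" is and how a server should verify it (constant-time comparison, a small window for clock skew, and rejection of malformed codes). The only secret used is the published RFC 6238 test secret, so the codes it produces can be checked against the RFC's own test vectors.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, digestmod=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation,
    then reduce modulo 10^digits and left-pad with zeros."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, for_time=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second
    intervals elapsed since the Unix epoch."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time) // step, digits)


def verify_totp(secret, code, for_time=None, step=30, digits=6, window=1):
    """Server-side check. Accepts the code for the current interval or up to
    `window` intervals either side, to tolerate clock skew on the user's device.
    Malformed codes are rejected up front; comparisons are constant-time and the
    loop never exits early, so timing reveals nothing about which interval matched."""
    if len(code) != digits or not code.isdigit():
        return False
    if for_time is None:
        for_time = time.time()
    counter = int(for_time) // step
    matched = False
    for delta in range(-window, window + 1):
        if counter + delta < 0:
            continue
        if hmac.compare_digest(hotp(secret, counter + delta, digits), code):
            matched = True
    return matched


def secret_from_base32(text):
    """Authenticator apps are provisioned with a base32 secret (QR code or typed);
    decode it, accepting missing padding and embedded spaces."""
    cleaned = text.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


# Reference secret from RFC 6238 Appendix B (ASCII "12345678901234567890"), chosen so
# the codes can be compared with the RFC's published test vectors.
RFC_TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print("8-digit code at T=59:", totp(RFC_TEST_SECRET, for_time=59, digits=8))  # RFC vector: 94287082
    print("6-digit code right now:", totp(RFC_TEST_SECRET))
```

In production the secret is generated per user from a cryptographic random source, stored like any other secret, and never the RFC value above; a successfully used code should also be remembered for the length of the window so it cannot be replayed.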

  • Ensure dependencies are secure

    First quarter

    Include security in all steps of the product development process and not just at the testing phase. Security-minded developers check the dependencies for known bugs and vulnerabilities before using them and they make sure to keep updated when zero-days are found or patches are available.
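
Checking dependencies for known vulnerabilities comes down to comparing each pinned version against the version in which an advisory was fixed. The following added example is not part of the original checklist: it reads a constructed requirements file, refuses anything that is not an exact pin (a version range cannot be audited because you do not know what will be installed), and compares each pin against a constructed advisory list. The package names, versions and ADV-EXAMPLE ids are placeholders; a real check would pull advisories from a vulnerability database such as OSV, which is what tools like pip-audit do.

```python
import re

# Constructed pinned requirements file, not taken from any real project.
REQUIREMENTS = """\
# constructed sample
requests==2.19.0
flask==2.3.2
pyyaml==5.3
"""

# Constructed advisory list with placeholder ids; a real tool would fetch this
# from a vulnerability database instead of hard-coding it.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-001", "package": "requests", "fixed_in": "2.20.0"},
    {"id": "ADV-EXAMPLE-002", "package": "pyyaml", "fixed_in": "5.4"},
    {"id": "ADV-EXAMPLE-003", "package": "flask", "fixed_in": "2.2.5"},
]


def parse_version(text):
    """Turn '2.19.0' into (2, 19, 0) so versions compare numerically, not as strings.
    Pre-release suffixes are ignored, which is enough for 'is it older than the fix' checks."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def parse_requirements(text):
    """Read exact pins ('name==version') into {name: version}; names are lower-cased.
    Anything that is not an exact pin raises, because a range such as 'requests>=2'
    gives no single version to audit."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][0-9A-Za-z.]*)$", line)
        if not match:
            raise ValueError(f"only exact pins can be audited: {line!r}")
        pins[match.group(1).lower()] = match.group(2)
    return pins


def find_vulnerable(pins, advisories):
    """List every pinned package whose version is older than an advisory's fix version."""
    hits = []
    for adv in advisories:
        installed = pins.get(adv["package"].lower())
        if installed and parse_version(installed) < parse_version(adv["fixed_in"]):
            hits.append({"id": adv["id"], "package": adv["package"],
                         "installed": installed, "fixed_in": adv["fixed_in"]})
    return hits


def audit_requirements(text=REQUIREMENTS, advisories=ADVISORIES):
    return find_vulnerable(parse_requirements(text), advisories)


if __name__ == "__main__":
    for hit in audit_requirements():
        print(f"{hit['package']}=={hit['installed']} affected by {hit['id']}, fixed in {hit['fixed_in']}")
```

Running such a check in CI on every pull request, and on a schedule against the main branch (because advisories are published for versions you already pinned), is the practical form of "keep updated when patches are available".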

  • Help engineering and business teams protect sensitive business logics

    After

    The attacks representing the most significant business risk for our organizations are often attacks targeting sensitive business functions of our applications. Work with business and engineering teams to identify the biggest threats and implement monitoring and protection solutions to automatically remediate these threats.

  • Make sure everything is properly encrypted

    First quarter

    When it comes to cryptography, don’t use your own but use standards. Encrypt everything: computers and mobile devices handed out to employees during the onboarding process. Turn on encryption for onsite and cloud backups. Use HTTPS to protect the users of your applications.

  • Protect from intrusions and data breaches

    After

    Use tools like Sqreen to prevent data breaches, protect your customers, stop business logic attacks and get full visibility on your security.

  • Retrieve and audit the backups or set up new backups

    First month

    In today’s business world, company data is the most precious asset, and backups are therefore crucial. Check the integrity of previous backups and make sure the settings are correct for future backups, with sufficient storage space available. If there are no backups, set them up immediately.
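
"Check the integrity of previous backups" means more than confirming the files exist: you need a record of what each file should contain and a way to compare. The following added example is not part of the original checklist. It writes a manifest of SHA-256 digests and sizes for a backup directory and later verifies the directory against that manifest, reporting corrupted, missing and unexpected files. The demo builds a small constructed backup in a temporary directory, damages it deliberately, and shows what verification catches; the file names and contents are assumptions made for the example.

```python
import hashlib
import os
import tempfile


def sha256_file(path, chunk=1 << 20):
    """Stream the file through SHA-256 so large backup archives do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def write_manifest(backup_dir, manifest_path):
    """Record 'sha256  size  relative-path' for every file under backup_dir.
    Keep the manifest somewhere other than the backup itself, ideally signed or
    stored read-only, otherwise whoever alters the backup can alter the manifest too."""
    lines = []
    for root, _, files in os.walk(backup_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, backup_dir)
            lines.append(f"{sha256_file(full)}  {os.path.getsize(full)}  {rel}")
    with open(manifest_path, "w") as handle:
        handle.write("\n".join(sorted(lines)) + "\n")
    return len(lines)


def verify_manifest(backup_dir, manifest_path):
    """Compare the backup with its manifest. Returns sorted lists of 'corrupted',
    'missing' and 'unexpected' files; all three empty means the backup verified."""
    expected = {}
    with open(manifest_path) as handle:
        for line in handle:
            digest, size, rel = line.rstrip("\n").split("  ", 2)
            expected[rel] = (digest, int(size))
    present = set()
    for root, _, files in os.walk(backup_dir):
        for name in files:
            present.add(os.path.relpath(os.path.join(root, name), backup_dir))
    result = {
        "corrupted": [],
        "missing": sorted(set(expected) - present),
        "unexpected": sorted(present - set(expected)),
    }
    for rel, (digest, size) in expected.items():
        if rel not in present:
            continue
        full = os.path.join(backup_dir, rel)
        # Size is checked first because it is cheap; the hash catches silent corruption.
        if os.path.getsize(full) != size or sha256_file(full) != digest:
            result["corrupted"].append(rel)
    result["corrupted"].sort()
    return result


def demo():
    """Build a constructed backup, write its manifest, verify it, then corrupt one
    file and delete another to show the difference in the verification result."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = os.path.join(tmp, "backup")
        os.makedirs(os.path.join(backup, "db"))
        sample_files = {  # constructed contents, not real data
            "db/users.sql": b"INSERT INTO users VALUES (1, 'alice');\n",
            "config.yml": b"retention: 30d\n",
            "notes.txt": b"constructed sample\n",
        }
        for rel, data in sample_files.items():
            with open(os.path.join(backup, rel), "wb") as handle:
                handle.write(data)
        manifest = os.path.join(tmp, "manifest.sha256")  # outside the backup tree
        count = write_manifest(backup, manifest)
        clean = verify_manifest(backup, manifest)
        with open(os.path.join(backup, "db/users.sql"), "ab") as handle:
            handle.write(b"garbage")  # simulate bit rot or tampering
        os.remove(os.path.join(backup, "notes.txt"))  # simulate a lost file
        damaged = verify_manifest(backup, manifest)
        return count, clean, damaged


if __name__ == "__main__":
    for item in demo():
        print(item)
```

A manifest check proves the bytes are intact, not that the backup is restorable; schedule an actual restore into a scratch environment as well, since that is the only test that catches a broken export format or a missing encryption key.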

  • Secure your emails with DMARC

    After

    Email is usually the weak point exploited in attacks, especially through phishing and spoofing. A single email can cause serious damage. You can implement DMARC (Domain-based Message Authentication, Reporting and Conformance) to protect your users from fraudulent emails.
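
A DMARC policy is a single DNS TXT record at _dmarc.<your domain>, and the protection it gives depends entirely on its tags: p=none only monitors, pct below 100 applies the policy to a fraction of mail, and without rua= you never receive the aggregate reports that show who is spoofing you. The following added example is not from the original checklist or from Sqreen; it parses a constructed record string and lists what is missing or weak, so it runs offline without a DNS query. The example.com addresses and record contents are assumptions made for the example; DMARC also presupposes that SPF and DKIM are already published for the domain.

```python
# Constructed DMARC TXT records as they would be published at _dmarc.example.com
# (not any real domain's records).
STRONG_DMARC = ("v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc-reports@example.com; "
                "ruf=mailto:dmarc-forensics@example.com; adkim=s; aspf=s; pct=100")
MONITOR_ONLY_DMARC = "v=DMARC1; p=none; pct=50"


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        tag, value = part.split("=", 1)
        tags[tag.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Return findings describing how much protection the record really gives.
    An empty list means: version tag first, p=reject applied to 100% of mail,
    subdomains covered, and aggregate reports going somewhere."""
    try:
        tags = parse_dmarc(record)
    except ValueError as exc:
        return [str(exc)]
    findings = []
    # Receivers ignore the record unless v=DMARC1 is the first tag.
    if not record.strip().lower().startswith("v=dmarc1"):
        findings.append("record must begin with v=DMARC1")
    policy = tags.get("p")
    if policy is None:
        findings.append("missing required p= tag")
    elif policy == "none":
        findings.append("p=none only monitors: spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine sends spoofed mail to spam; move to p=reject once reports are clean")
    elif policy != "reject":
        findings.append(f"unknown policy value p={policy}")
    pct = tags.get("pct", "100")
    if pct != "100":
        findings.append(f"pct={pct}: the policy is applied to only that percentage of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: you will receive no aggregate reports")
    # sp= defaults to the value of p=; an explicit sp=none undoes protection for subdomains.
    if tags.get("sp", policy) == "none" and policy != "none":
        findings.append("sp=none leaves subdomains unprotected although the main domain is enforced")
    return findings


if __name__ == "__main__":
    for label, record in (("strong", STRONG_DMARC), ("monitor-only", MONITOR_ONLY_DMARC)):
        print(label, assess_dmarc(record) or ["OK"])
```

The usual rollout is p=none with rua= set, a few weeks of reading the aggregate reports to find legitimate senders that fail alignment, then p=quarantine and finally p=reject; the checker above tells you at which stage a domain is stuck.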

  • Structure secrets management

    First quarter

    Secrets such as private keys are extremely sensitive data and must not be stored unprotected. They should be securely stored in a vault. Some vaults can manage certificates as well.

  • Think about centralized authentication

    After

    The benefit of centralized authentication for users is having a single set of credentials for all their applications. From a security standpoint, it means only one account has to be managed, which avoids forgetting to disable an account during offboarding (and it also saves time during onboarding, instead of creating an account in each application).

Infrastructure Security

Monitoring

  • Assess the assets information

    First month

    As a first step, assess the availability and freshness of the asset information. Is there a list of the hardware? Is there a list of the applications used within the company? Is there an employee directory and a list of the users’ accounts? Is there a list of the third-party providers and the contracts? When were these lists last updated? The employee directory might be the easiest to retrieve, as the personnel department should be able to provide up-to-date records with dates of joining and leaving the company. As for the other lists, you will probably have to build them, or update them if they exist.

  • Audit cloud providers

    First month

    Know your cloud services! Security is the first concern when it comes to cloud computing. Examine the settings and SLAs of the cloud services, whether application, platform or infrastructure, and compare them with what was agreed on in the contracts. Take note of the flaws in the contracts to renegotiate them if needed. Cloud providers might be reluctant to be audited beyond providing documentation of their policies and procedures. Prioritize the audit requests based on service criticality or data sensitivity.

  • Build a security dashboard

    After

    Create a security dashboard to give you an overview of the security efforts. Avoid manual reporting, all the data should be automatically provided by the solutions used.

  • Evaluate third-party providers

    After

    Conduct thorough assessments of the third-party providers to make sure they are secure. Renegotiate the contracts to strengthen the responsibilities of the providers and the service levels required.

  • Perform a first security audit

    First month

    Design and perform a first security audit to understand the most critical security vulnerabilities. This first audit should be broad in scope but not too detailed as other more thorough audits will be performed for specific areas.

  • Perform deeper vulnerability testing, risk analysis and security assessments

    After

    Schedule deeper tests and assessments on all areas (infrastructure, applications, people) to complete the audits performed previously.

  • Protect against Denial of Service attacks

    After

    Denial of Service (DoS) attacks are attempts to affect the availability of websites or applications to legitimate users. Distributed Denial of Service (DDoS) attacks are larger-scale attacks pursuing the same objective. These attacks can be devastating for a business, so taking action to protect the systems and mitigate the effects of such attacks is key.

  • Set up a centralized logging platform

    First quarter

    Logs are the most precious assets for monitoring the environment and investigating suspicious activity or a security breach. A centralized log platform makes the most of the analytics capabilities and provides a view across all areas (applications, network, users, etc.).
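
What centralization buys you is correlation across sources that each see only part of the picture. The following added example is not part of the original checklist or of any product: it normalizes constructed sshd and web-application log lines into one schema (timestamp, source, user, IP, success) and then flags a source IP whose failed logins across both sources reach a threshold within a time window, noting whether a successful login followed. Neither source alone crosses the threshold in the sample; only the combined view does. The log lines, hostnames, user names and the assumed syslog year are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample lines from two sources (a bastion host's sshd and a web
# application); not real records. Syslog lines carry no year, so one is assumed.
SSH_AUTH_LOG = """\
Mar  3 10:01:02 bastion sshd[2201]: Failed password for alice from 203.0.113.7 port 51234 ssh2
Mar  3 10:01:05 bastion sshd[2201]: Failed password for alice from 203.0.113.7 port 51235 ssh2
Mar  3 10:01:09 bastion sshd[2203]: Accepted publickey for bob from 198.51.100.20 port 40022 ssh2
"""
APP_LOG = """\
2024-03-03T10:01:20Z level=warn event=login_failed user=alice ip=203.0.113.7
2024-03-03T10:01:25Z level=warn event=login_failed user=alice ip=203.0.113.7
2024-03-03T10:01:40Z level=info event=login_ok user=alice ip=203.0.113.7
2024-03-03T10:02:00Z level=info event=login_ok user=bob ip=198.51.100.20
"""
ASSUMED_YEAR = 2024  # assumption: syslog timestamps have no year

SSH_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                    r"(Failed password|Accepted \w+) for (?:invalid user )?(\S+) from (\S+)")
APP_RE = re.compile(r"^(\S+) level=\w+ event=(login_failed|login_ok) user=(\S+) ip=(\S+)")


def normalise_ssh(text):
    """Map sshd auth lines onto the common schema: ts, source, user, ip, ok."""
    events = []
    for line in text.splitlines():
        match = SSH_RE.match(line)
        if not match:
            continue  # unrelated sshd messages are ignored
        stamp = datetime.strptime(f"{ASSUMED_YEAR} {match.group(1)}", "%Y %b %d %H:%M:%S")
        events.append({"ts": stamp.replace(tzinfo=timezone.utc), "source": "ssh",
                       "user": match.group(3), "ip": match.group(4),
                       "ok": match.group(2).startswith("Accepted")})
    return events


def normalise_app(text):
    """Map the application's key=value login lines onto the same schema."""
    events = []
    for line in text.splitlines():
        match = APP_RE.match(line)
        if not match:
            continue
        stamp = datetime.strptime(match.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": stamp, "source": "app", "user": match.group(3),
                       "ip": match.group(4), "ok": match.group(2) == "login_ok"})
    return events


def correlate(events, max_failures=3, window_seconds=300):
    """Flag each source IP whose failed logins, counted across every source,
    reach max_failures within window_seconds, and record whether a success
    followed the last failure (a guessing attempt that eventually worked)."""
    by_ip = defaultdict(list)
    for event in sorted(events, key=lambda e: e["ts"]):
        by_ip[event["ip"]].append(event)
    findings = []
    for ip, evs in by_ip.items():
        failures = [e for e in evs if not e["ok"]]
        if len(failures) < max_failures:
            continue
        if (failures[-1]["ts"] - failures[0]["ts"]).total_seconds() > window_seconds:
            continue
        findings.append({
            "ip": ip,
            "failures": len(failures),
            "sources": sorted({e["source"] for e in failures}),
            "users": sorted({e["user"] for e in failures}),
            "success_after": any(e["ok"] and e["ts"] > failures[-1]["ts"] for e in evs),
        })
    return findings


def analyse_samples():
    """Run the correlation over both constructed sources together."""
    return correlate(normalise_ssh(SSH_AUTH_LOG) + normalise_app(APP_LOG))


if __name__ == "__main__":
    for finding in analyse_samples():
        print(finding)
```

The same normalization step is what makes the platform's analytics usable: once every source shares a schema for time, identity and origin, rules like this one can be written once and applied to new log sources as they are onboarded.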

  • Update or build the list of applications

    First month

    If you have been handed a list of the applications in use within the company, make sure it is up-to-date or take time to update the information about the major applications first and schedule to update the rest of the list comprehensively as soon as possible. If there is no application list, you should build it. Ask if the employees have (or had previously) admin rights to install software themselves on their computer and identify the shadow IT.

  • Update or build the list of devices

    First month

    If you have been handed a list of the devices, make sure it is up-to-date, or take time to update the information about exposed machines first and schedule to update the list thoroughly as soon as possible. If the company has a BYOD policy, list those devices as well, with the identification of the employee. If there is no device list, you should build it. The list should at least include information such as IP address, type of device and physical location, if appropriate.

  • Update or build the list of third-party providers

    First month

    You will need to know every company or individual that has direct or indirect access to the company’s systems or sensitive data. Build or update the list of third-party providers and the contract data. One critical piece of information is the date of contract renewal or termination, along with the data they have access to. You will also need to know how the provider’s teams access the systems and which rights are assigned to them.
