Being the first security engineer in a startup that has already been operating for a few months or even years can be quite daunting. This security checklist aims to help security engineers and CISOs in early-stage companies prioritize their efforts during the first months of their new job. Have feedback? Let us know!
Automation is key (After)
With the amount of tasks required, you can easily drown under less important tasks, lose track of serious unresolved vulnerabilities and substantially diminish your incident response capabilities. Automate as much as possible in order to free up valuable time for tasks that actually require human expertise and deeper analysis. Take advantage of the many solutions offered on the market and of computers' analytical power.
Be the point of contact to perform security reviews of architecture (First quarter)
Be available to the teams for the security reviews of the architecture and update the architecture documentation regularly.
Build a process to manage third-party services (First quarter)
Third-party providers need to be managed from before onboarding to offboarding. This entails a thorough due diligence before and during the relationship as well as frequent risk assessments to keep abreast of the level of access the provider has and the potential vulnerabilities. The contract termination is often overlooked and should be well prepared during contract drafting, notably in terms of data migration and access removal. A checklist of all the tasks to be performed during onboarding and offboarding should be set up and regularly updated.
Create a flag for security-related tasks (First month)
If the company has an issue tracking system (such as JIRA), make sure the security-related issues can be identified easily or work with the team managing the system to create a special flag or a project. Communicate about this new category to the employees and clarify how and when to use it. You can also use a dedicated vulnerability management system such as ThreadFix which can be integrated with JIRA.
Create a security incident response plan (First quarter)
Define what constitutes a security incident and design the response plan outlining the tasks and roles. Communicate around the response plan and make sure the employees are aware of their roles through regular training and simulation exercises.
Determine if there are pending security tasks (First month)
Oftentimes, even if vulnerabilities have been reported (in JIRA for example), they are not addressed because people did not know they had to address them or did not realize that they needed to be fixed immediately, or did not allocate the resources to assess and fix the issue.
Determine who was informally in charge of security (First week)
Even though it was not within an official capacity, chances are someone was handling some security aspects for the company. Take the time to meet early on with the “security champion” not only to gather precious information about the current state of things but also to agree on his/her scope onwards should the person stay involved in security tasks.
Enforce a process for security code reviews (First quarter)
Work with the developers to set up a process and a checklist for security code reviews in order to empower them to run manual and automated security code reviews themselves. Be available to answer their questions and be ready to assist if needed.
Enforce usage of password managers with strong password policies (First quarter)
Your users will only need to remember one master password. All other passwords can be complex and long; the password manager will take care of storing them and retrieving them when needed. The password manager can also generate strong random passwords.
Fix the most urgent issues (First month)
Do not be alarmed or overwhelmed by the number of vulnerabilities uncovered during the audits. Not all of them need to be fixed right away; you can draw up a plan to fix them over time. However, do not defer fixing the most critical issues. If you identify a serious vulnerability during one of the audits and security reviews, you should address and fix the issue immediately. If you can’t fix it, mitigate it.
Implement and maintain company security policies and procedures (After)
Draft security policies and procedures for the company. Make sure they are stored in accessible repositories and communicate around their publication. Set up a process to review and update them regularly at a certain frequency or when a specific event occurs.
Include security in the onboarding/offboarding process (First quarter)
For onboarding/offboarding processes of permanent and temporary employees, a checklist should be set up and regularly updated. The list should include all the tasks to be done when an employee, intern or contractor joins or leaves the company, including any information to be passed on to the newcomers.
Include security testing in the development process (First quarter)
Work with development teams to include static and dynamic application security testing in the development process.
List and prioritize the issues (First month)
Compile the issues uncovered during the general and specific security audits, then prioritize by risk. Setting up a vulnerability management system such as ThreadFix will be helpful.
Ask questions and take notes during onboarding (First week)
Regardless of the maturity of the onboarding process at the company, whether formal or informal, seize the opportunity to ask questions and take extensive notes; these will be useful as you get settled into your role. Pay extra attention to the security aspects during the onboarding. You can compile your observations within a discovery report.
Perform a security review of the architecture (First month)
Review the elements of the architecture and the interfaces between them. Using the list of assets, you should be able to map the elements, draw the interconnections and identify flaws in communication protocols, server configurations, database choices…
Prepare the groundwork for external security tests (After)
Before embarking on independent security assessments and penetration tests, it is good practice to run checks and correct some commonly identified issues (such as missing patches, weak or default passwords, unsupported operating systems or missing input/output data validation) in order to spend the external auditors' time and expertise on more subtle issues.
Set up and facilitate a public bug bounty program (After)
A bug bounty program will allow external hackers to report vulnerabilities. Most bug bounty programs allow you to offer rewards for bugs found. A lot of the reports won’t be valuable, and you need security-aware people inside your development teams to evaluate the bugs you receive. These programs are good additions to other security initiatives but can by no means be considered sufficient on their own.
Structure and be the technical resource for the sales team and customers (After)
As a security engineer, you might also be the go-to resource for sales teams that require help filling in security forms. Spend some time retrieving and structuring all the previous requests to save time for future questionnaires.
Understand product development processes (First week)
As part of your first week exploration, you need to gather enough information from the key stakeholders in order to have a clear understanding of the product development processes (steps, key milestones, teams involved, governance structure…). It can be documentation or detailed oral explanations that should be written down. It will serve as a basis when you get to introduce security awareness and tasks within the processes.
Be smart (First week)
As a security engineer your job is to improve the security of your new company. It’s tempting to show off how much you know about security and cybersplain to everyone how insecure their setup is. Don’t just take your previous experiences and more mature companies as the go-to model. Understand what’s at stake (risk management). It’s easy to suffocate an agile startup with heavy security that does not scale well. Security engineers operate inside a business, and understanding the business before enforcing GovAgency-like security measures is key.
Be humble and respectful - Kill the shame game! (First week)
As a general rule of thumb, adopting a humble and respectful demeanor is a factor of success for every newcomer within an organization. Being too hasty and judgmental in pointing out the shortcomings in the company’s security will not earn you the respect of your new colleagues, rather it will drive them away. Take comfort in the fact that if the company deemed there were no issues, you would not have been hired!
Build relationships with the stakeholders (First week)
If it was not included in your onboarding documentation, ask for the list of the key stakeholders in the organization, whether developers, operations, leaders or managers. Your manager might see the importance of accompanying you to introduce you. Arrange together to meet with them and discuss their understanding of security, of your role and their concerns.
Do a security training for engineers and non-engineers (First quarter)
Liaise with HR or the training department to set up a targeted security training for all employees, whether engineers or not. The training should not be a list of instructions, rather an explanation as to why certain rules have to be put in place. You can include technical details but make them accessible for all skill levels. The training should be included in the onboarding process of the newcomers.
Don’t create a security awareness program (they don’t work) but… enable and infuse a security culture (After)
Don’t make security a one-day annual training everyone has to go through and then forget about. Permanent and contract employees need to be aware at all times of security threats, beginning with how they set and handle their passwords, use their emails, laptops and external drives.
Meet with fellow security engineers from similar companies (First quarter)
It is good practice to share and discuss with fellow professionals. As such, if you are not already a member of a professional group in your area, look for the local chapter of information security communities. You could also reach out directly to fellow security engineers, whether in the same business line or not, to exchange ideas about your jobs and responsibilities or to discuss how they navigated being the first security engineer in their organization, if they were.
Never stop learning! (After)
Managing security is an ever-changing landscape, so you need to keep yourself updated on the practices, tools, zero-day vulnerabilities, patches etc. It can seem overwhelming, but there are some websites on which you can get regular information.
Add a security policy to the websites (First month)
When security researchers discover security vulnerabilities in the web services of the company, they will need a channel to report them properly to the company. By adding a security policy, such as security.txt, to the websites, you help them easily get in touch with you about the uncovered security issues. You should mention that you support responsible disclosure, which gives you time to assess and fix the reported vulnerabilities.
Audit DNS settings (First month)
As more and more day-to-day business activities and revenue rely heavily on the DNS, it is important to check it as soon as possible and regularly afterward.
Audit the applications (First month)
Perform an audit of the applications, check the dependencies, and the user accounts.
Enforce two-factor authentication (First quarter)
Ensure dependencies are secure (First quarter)
Include security in all steps of the product development process and not just at the testing phase. Security-minded developers check the dependencies for known bugs and vulnerabilities before using them and they make sure to keep updated when zero-days are found or patches are available.
Help engineering and business teams protect sensitive business logic (After)
The attacks representing the most significant business risk for our organizations are often attacks targeting the sensitive business functions of our applications. Work with business and engineering teams to identify the biggest threats and implement monitoring and protection solutions to automatically remediate these threats.
Make sure everything is properly encrypted (First quarter)
When it comes to cryptography, don’t use your own but use standards. Encrypt everything: computers and mobile devices handed out to employees during the onboarding process. Turn on encryption for onsite and cloud backups. Use HTTPS to protect the users of your applications.
Protect from intrusions and data breaches (After)
Use tools like Sqreen to prevent data breaches, protect your customers, stop business logic attacks and get full visibility on your security.
Retrieve and audit the backups or set up new backups (First month)
In today’s business world, company data is the most precious asset and backups are therefore crucial. Check the integrity of previous backups and make sure the settings are correct for future backups, with sufficient storage space available. If there are no backups, set them up immediately.
Secure your emails with DMARC (After)
Email is usually the weak door for attacks, especially through phishing and spoofing. A single email can cause serious damage. You can implement DMARC (Domain-based Message Authentication, Reporting and Conformance) to protect your users from fraudulent emails.
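To turn the DMARC item above (and the earlier DNS audit item) into something checkable, here is an added example, not part of the original checklist, that grades a DMARC TXT record and explains each weakness. The two records are constructed; no DNS lookup is performed, so it runs offline against whatever record you paste in.

```python
"""Grade a DMARC DNS TXT record (published at _dmarc.<domain>) before rolling it out.

Added example, not from the original checklist. Both records below are constructed.
"""

# Constructed records: a monitoring-only record and a hardened one.
WEAK_RECORD = "v=DMARC1; p=none; pct=50"
STRONG_RECORD = ("v=DMARC1; p=reject; sp=reject; pct=100; "
                 "rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s")


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict; tag names are case-insensitive."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        tag, value = part.split("=", 1)
        tags[tag.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Return (score, findings): score 0-100, findings explain each deduction or note."""
    tags = parse_dmarc(record)
    findings, score = [], 100
    if tags.get("v") != "DMARC1":
        return 0, ["record must start with v=DMARC1, otherwise receivers ignore it"]
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        return 0, ["p tag missing or invalid: receivers apply no policy"]
    if policy == "none":
        score -= 50
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        score -= 20
        findings.append("p=quarantine: spoofed mail lands in spam instead of being rejected")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
    if pct < 100:
        score -= 15
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        score -= 15
        findings.append("no rua: you get no aggregate reports showing who spoofs your domain")
    if "sp" not in tags and policy != "none":
        findings.append("no sp tag: subdomains inherit p, make sure that is intended")
    for tag in ("adkim", "aspf"):
        if tags.get(tag, "r") != "s":
            findings.append(f"{tag} is relaxed: any subdomain aligns; strict (s) needs an exact match")
    return max(score, 0), findings


if __name__ == "__main__":
    for rec in (WEAK_RECORD, STRONG_RECORD):
        print(rec, "->", assess_dmarc(rec))
```

Start at p=none with rua set to collect reports, then raise the policy to quarantine and reject once legitimate senders all pass; the score shows how far along that path a record is.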
Structure secrets management (First quarter)
Secrets such as private keys are extremely sensitive data and must not be stored unprotected. They should be securely stored in a vault. Some vaults can manage certificates as well.
Think about centralized authentication (After)
The benefit of centralized authentication for users is having a single set of credentials for all their applications. From a security standpoint, it means handling only one account per user and avoids forgetting to disable an account during offboarding (and it also saves time during onboarding, instead of creating an account in each application).
Protect your infrastructure from intrusions (After)
Make sure to follow the latest security releases and update your infrastructure as soon as they become available. Setting up firewalls and limiting the number of password guesses are some of the measures that can be implemented to protect your servers, and consequently the applications.
Start thinking about hardware protection (After)
Security threats can also come from physical access to the hardware. Assess the risks for your company’s hardware and plan accordingly.
Assess the assets information (First month)
As a first step, assess the availability and freshness of the assets information. Is there a list of the hardware? Is there a list of the applications used within the company? Is there an employee directory and a list of the users’ accounts? Is there a list of the third-party providers and the contracts? When were these lists last updated? The employee directory might be the easiest to retrieve, as the personnel department should be able to provide up-to-date records with dates of joining and leaving the company. As for the other lists, you will probably have to build them, or update them if they exist.
Audit cloud providers (First month)
Know your cloud services! Security is the first concern when it comes to cloud computing. Examine the settings and SLAs of the cloud services, whether application, platform or infrastructure, and compare them with what was agreed on in the contracts. Take note of the flaws in the contracts to renegotiate them if needed. Cloud providers might be reluctant to be audited beyond providing documentation of their policies and procedures. Prioritize the audit requests based on the service criticality or the data sensitivity.
Build a security dashboard (After)
Create a security dashboard to give you an overview of the security efforts. Avoid manual reporting; all the data should be provided automatically by the solutions in use.
Evaluate third-party providers (After)
Conduct thorough assessments of the third-party providers to make sure they are secure. Renegotiate the contracts to strengthen the responsibilities of the providers and the service levels required.
Perform a first security audit (First month)
Design and perform a first security audit to understand the most critical security vulnerabilities. This first audit should be broad in scope but not too detailed as other more thorough audits will be performed for specific areas.
Perform deeper vulnerability testing, risk analysis and security assessments (After)
Schedule deeper tests and assessments on all areas (infrastructure, applications, people) to complete the audits performed previously.
Protect against Denial of Service attacks (After)
Denial of Service (DoS) attacks are attempts to affect the availability of the websites or applications to legitimate users. Distributed Denial of Service (DDoS) attacks are larger-scale attacks pursuing the same objective. These attacks can be devastating for a business. Thus, taking action to protect the systems and mitigate the effects of such attacks is key.
Set up a centralized logging platform (First quarter)
Logs are the most precious assets for monitoring the environment and investigating suspicious activity or a security breach. A centralized log platform lets you make the most of the analytics capabilities and provides a view across all themes (applications, network, users, etc.).
Update or build the list of applications (First month)
If you have been handed a list of the applications in use within the company, make sure it is up-to-date or take time to update the information about the major applications first and schedule to update the rest of the list comprehensively as soon as possible. If there is no application list, you should build it. Ask if the employees have (or had previously) admin rights to install software themselves on their computer and identify the shadow IT.
Update or build the list of devices (First month)
If you have been handed a list of the devices, make sure it is up-to-date, or take time to update the exposed machines' information first and schedule a thorough update of the list as soon as possible. If the company has a BYOD policy, list those devices as well, with the identification of the employee. If there is no device list, you should build it. The list should at least include information such as IP, type of device and physical location if appropriate.
Update or build the list of third-party providers (First month)
You will need to know every company or individual that has direct or indirect access to the company’s systems or sensitive data. List or update the list of third-party providers and the contract data. One critical piece of information is the date of contract renewal or termination and the data they have access to. You will also need to know how the provider’s teams access the systems and which rights are assigned to them.