Security shouldn’t feel like a chore. This second edition of the SaaS CTO Security Checklist provides actionable security best practices for CTOs or developers. Select your startup stage and use these rules to improve your security!
Continue improving your security with Sqreen's monitoring and protection platform. It just takes a few minutes to get started.Try Sqreen now
Accustom everyone to good security practicesseed
People are often the weakest links in any company’s security. By holding trainings to explain how an attacker could infiltrate your company, you will increase their awareness and thus minimize the chance of them falling for common traps. Some things to cover include phishing emails, and the dangers of USB drives and email attachments.
Accustom your team to locking their computersseed
Your office may be secured, but you will eventually have to receive external people for a party or a meeting. Someone with physical access to an employee computer can do a lot of harm in a very short amount of time, so locking all computers is a great habit. If you get in the habit of locking your machine at the office, you’ll be unlikely to forget to also do it in a Starbucks or at a meetup.
Many organizations make it a game to catch fellow employees’ computers unlocked. This is a good way to reinforce the habit of locking your computer for everyone. At Sqreen, for example, if someone catches another person’s laptop unlocked while they’re AFK, they can type “Cookies!” in that person’s Slack. That person will then have to bring in cookies for the office!
Do not share user accountsseries A
Sharing a user account makes it hard to understand who is using the service or to identify who has performed a given action. This makes it much harder to recognize when an account has been taken over by an outside party. It also makes it harder to remove access to an account when employees leave the company, opening that account up to potential abuse.
Encrypt all employee laptops & phonesseed
By encrypting all laptops, you protect both your company’s assets, and your employee’s private files. Encrypting your employee’s phones is the same, and will protect their security in the case of either theft or accidents.
Follow an onboarding / offboarding checklistseed
Onboarding and offboarding are important security moments for your employees. You’ll want to ensure that new employees enact the security measures needed and that your company follows the appropriate steps for employees who are leaving.
Your onboarding checklist should contain a list of all the steps you need to follow when an employee, contractor, or intern joins your company. A similar list can also be used when someone is leaving your team. Ensure that you deprovision all accounts they had access to.
Hire your first security engineerseries B+
As your company grows, you’ll want to bring in a security expert and centralize your application security responsibilities on them. To determine if it’s the right time to do so, ask yourself the following questions:
If you don’t, then it’s the time to strategically consider what your security roadmap should look like, and to find out what kind of security engineer you need.
It’s important to note that you shouldn’t hire a specialized security person too early. Early on, security is something that needs to be baked into your engineering organization rather than immediately offloaded to someone else. Only when your engineering team is fully bought into security but is simply getting overwhelmed should you bring in a specialized security engineer.
Monitor your user’s computersseries B+
The more employees you have, the bigger the risk of them getting infected by malicious software, such as botnets. Using a HIPS system on employee hardware could help you get ahead of any problems via alerts and notifications.
Require 2FA wherever possibleseed
Your employees should all use 2-factor authentication. By adding 2FA, you add an extra layer of security. Should your employee’s password get stolen, the attacker would still be locked out unless they have access to the second factor (e.g. phone app or text) as well. As a CTO, your role is to make sure everyone complies with this rule. Phones are the most commonly used device for second factors, and thus have to be secured accordingly (e.g. with codes or biometry). Another option is to use purpose-built hardware-based 2FA, like Yubikeys.
Use a password manager to ensure you only use strong passwordsseed
Using a complex and unique password for every website is great advice, but it can be very difficult to remember all of them. Rather than reusing passwords or storing your passwords somewhere others could access, use a password manager. Password managers are a great way to manage multiple passwords across sites, since they will remember everything for you with a single master password, and can often generate unique strong passwords for you. Encourage your employees to do likewise, and purchase a business plan to a password manager if necessary.
Some great password managers are:
Use centralized account managementseries A
Having a centralized place with all user authorizations is the best way not to forget anything once you need to update a user profile (e.g. if an internship came to its end). It is also a great place to define the standard account creation process you need for a given user. If you can, implement SSO to simplify and automate this process.
Configuring with Google Apps: https://support.google.com/a/answer/6087519
Add security bugs to your incident tracking toolseed
Every developer should contribute to maintaining a list of security issues that need to be fixed in the future. Making them available to the rest of the team will increase security awareness in your company.
Treat security bugs like any other type of bug – determine their priority based on whether or not they are exploitable and the damage that could be done. Additionally, hold post-mortems for serious security bugs with the team to ensure that everyone gets visibility and learns from them.
Automate security within your SDLCseries B+
If your security practices impact your development velocity, they will be looked at as more of a burden than a valuable step. The best practices today are to take lessons from DevOps and find ways to bring security closer to developers. Leverage tools that can automate security checks and monitoring. Implementing automated SAST/DAST tools, vulnerability dependency scanning, and others will help you catch the obvious flaws before they get into production. Just beware that you’ll have to sift through false positives and that these tools have limited scope.
Enforce a secure code review checklistseed
Security should always be kept in mind while coding. Pull request reviews should be performed with security in mind as well. Depending on where the code is, the checks should be different. Dealing with user entry is one thing, dealing with business structures is another – the concerns are related to the context.
In addition to common sense, keep in mind typical security flaws. For example, many code snippets from places like StackOverflow have not been written with security in mind. If your team pulls code snippets from the Internet, make sure they double check them for security before deploying them.
Security competency is also a good topic to ask about when interviewing a candidate.
Keep secrets away from codeseed
Never commit secrets in your code. They should be handled and stored separately in order to prevent them from accidentally being shared or exposed. This keeps a clear layer of separation between your environments (typically development, staging, and production).
Never do cryptography yourselfseed
Always rely on existing mechanisms, libraries, and tools. Cryptography is an expertise. Building your own implementations, or using flags and options you don’t fully understand, will expose you to major risks. Libraries such as na.cl (https://nacl.cr.yp.to/) expose only a few options and restrict you to the good choices.
Onboard your software engineers with a security trainingseries B+
Secure applications start with secure developers. Your software engineers need to be aware of security best practices in order to write secure code and to perform security-minded code reviews. Since security is usually not something hiring managers consider during recruitment, an initial training at onboarding will help your devs reach a minimum level of security.
Also, consider checking for security competency during the hiring process. This will help you better shape your training.
Some good security training options:
Perform security-oriented test sessionsseries A
Once in a while, the entire technical team should sit together and spend time targeting all parts of the application, looking for vulnerabilities. This is a great time to test for account isolation, token unicity, unauthenticated paths, etc… You will heavily rely on your browser’s web console, curl, and 3rd party tools such as Zap (https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project).
The benefit of doing these test sessions yourselves is that your team has the best understanding of your application, and likely where the weak points are. Showing that they can be exploited (or not) is valuable feedback for the team. These sessions complement external pentests quite well.
Use a pre-production analysis toolseed
Pre-production analysis tools like static code analysis (SAST) can help identify some of your low-hanging security fruits. They also improve the overall security awareness of your team when the checks are automatically integrated into the code review process. But keep in mind that these tools generate a lot of false positives that can quickly overwhelm you with meaningless alerts. The best practice is to make them part of your process, but not too rely too heavily on them.
Use a secure development life cycleseries B+
The secure development lifecycle is a process that helps tackle security issues at the beginning of a project. While rarely used as is, it provides good insights at all stages of the project, from the specification to the release. It will allow you to enforce good practices at every stage of the project life.
Automate security once your app is in productionseed
Several tools offer ways to automate custom security protection in production. Wherever possible, leverage your business information and logic to automate monitoring and protection of security situations systemic to your particular business. The more you can automate, the easier you’ll be able to scale your security.
Don’t forget about your FaaS securityseed
If you’re using FaaS in your company, you should ensure that it’s not a weak point for security.
On top of that, FaaS should follow all the security criteria that you apply to your applications - from specifications, to development, to operating in production.
Hire an external penetration testing teamseries B+
Pentesters take an external and naive point of view of your infrastructure and products. They will take nothing for granted and will check even the most basic assumptions, as well as all of your infrastructure. The experience can help focus your security efforts and mindset.
Keep track of your dependenciesseed
Applications are built using dozens of third party libraries. A single flaw in any of these libraries may put your entire application at risk. According to OWASP, one of the most common application security risks is using dependencies with known vulnerabilities. Some tools allow you to check your dependencies for vulnerabilities and ensure that they are up-to-date:
Run it unprivilegedseed
In the case that an attacker does successfully attack your application, having it running as a user with restricted privileges will make it harder for the attacker to take over the host and/or to bounce to other services. Privileged users are root on Unix systems, and Administrator or System on Windows systems.
Use a real-time protection service, like a RASPseed
These days, WAFs are pretty outdated. It’s better to use services that sit closer to your application. These tools protect web applications from attacks at runtime. An Application Security Management (ASM) tool can do for security in your application what APM tools do for performance. They can monitor and protect against all major vulnerabilities (SQL injections, XSS attacks, account takeovers, code injections, etc…) without false positives.
Backup, test your backups, then backup againseed
Backup all your critical assets. Ensure that you attempt to restore your backups frequently so you can guarantee that they’re working as intended. S3 is a very cheap and effective way to backup your assets.
Centralize and archive your logs and make them meaningfulseries A
Logs are very useful for understanding what happened after an incident occurs, finding where an attacker came from, and possibly even who they are. Many solutions exist to gather and organize logs.
Don’t forget, you need to take care that the system time configured on each of your machines is in sync so that you can easily cross-correlate logs. You’ll have a much harder time if they’re not (no pun intended).
Check your website's basic securityseed
Websites are exposed to many different classes of vulnerabilities, and some may be prevented by appropriately configuring the server. Best practices include adding headers such as HSTS, X-Frame-Options, X-Content-Type-Options, etc. Add in a Content Security Policy if possible.
Isolate assets at the network levelseed
Only your public APIs should be exposed to the Internet. You should isolate your networks to prevent any unauthorized access to your database. This will prevent attackers from connecting to it and attempting to crack the password - or exploit vulnerabilities.
Keep your OS & Docker images up to dateseed
You should download all of your OS’s and Docker security updates and regularly update your machines and images. If you use a PAAS provider (Heroku, AWS Beanstalk, etc…), they will take care of this for you. If not, you will need to do it yourself. Ideally, automate this process if possible.
Know how to redeploy your infrastructure from scratchseries B+
Hopefully you never need to, but in the case of a disaster, this allows you to quickly spawn new infrastructure and populate it with data from your backups. This is the perfect use case for disaster recovery.
Monitor exposed servicesseries A
Your developers constantly deploy new services. Step one is to ensure that you keep track of them, but you also want to ensure that they don’t expose sensitive services to the outside world, (for instance, a database accessible from the Internet without network filtering). Using a network scanner will help you ensure that no unexpected services are exposed, and will tell you when new services are vulnerable and should be updated.
Check this cloud friendly tool:
Monitor internal servicesseries B+
It’s a fairly common attitude to not focus on the security of your internal services as much as your external services. However, as you get bigger, you will lose visibility on the services used internally. When you start to lose track of internal services, they become a vector through which viruses or worms could spread. Additionally, more people (like contractors) will have access to your internal network. If it’s not secured, this puts it at risk.
Use encryption on all your websites and APIsseed
Encrypting communications is not only about privacy, but also about your users’ safety, since it will prevent most attempts at tampering with what they receive.
A free popular solution is: https://letsencrypt.org/
Protect your application from DDoS attacksseries A
A Distributed Denial-of-Service Attack (DDoS) can have a real impact on your bottom line and customer experience. Basic DDoS protections can easily be integrated with a CDN, but there are purpose-built DDoS protection tools available as well.
Restrict internal services by IP addressesseries A
Connections to your infrastructure and non-public properties (hosted CIs, admin interfaces, databases etc.) should only be accessible through a bounce host (in a VPC, behind a bastion host or VPN, etc.).
Watch for unusual patterns in your metricsseries A
Takeovers will often be used to steal your data or setup your servers to be used as bouncers. These can be detected by watching for unusual patterns in key metrics, such as network bandwidth, CPU and memory consumption, and disk usage.
Be honest and transparent about any data you collectseed
Should you be breached, attackers may publicize the data that they gather. Your customers need to be aware of what data you’re storing so they’re not caught by surprise.
Additionally, with GDPR now in place, you could face legal and financial repercussions if you collect data about your (European) customers and users that they haven’t consented to give you. Ensure that you are clear about the data that you will collect from users that interact with you.
Build a security-friendly cultureseed
Mistakes happen. People click on phishing emails, reuse passwords, or overlook vulnerabilities in their code. While you should focus on trying to prevent security breaches in the first place, it’s also important to think about what needs to happen after a breach.
From the culture side, the best thing you can do is try and minimize the time between a breach and you finding out about it. This means that your employees have to be trained to recognize potential security breaches, and that you have to build a culture that encourages them to report them. Everyone needs to understand that mistakes are possible and that if they fear that one has happened, they should report their doubt right away, rather than trying to hide it. This can only be achieved with a blameless attitude in the culture and a feeling of psychological safety. Work to instill those feelings.
Create an inventory of your company’s assetsseries B+
A mapping of your company’s assets enables you to monitor the points that need the most attention and vulnerabilities that need to be hardened. You can’t understand your security if you don’t know all the assets that should be secure.
For your servers, this is built-in if you are using a cloud service or a PaaS and all your machines are registered / spawned through it. Otherwise, you will need to review all your assets regularly to determine if you still need them, to keep them up to date, and to ensure that they benefit from your latest deployments.
Do not share your wifi networkseed
Sharing your company wifi network with guests or neighbors may give them the opportunity to gather information on your network, and allow them to access resources protected by source IP. Use an isolated and dedicated guest wifi network instead. Set up a calendar reminder to change the password every two months, since this password is shared among a potentially large number of people outside your organization.
Have a public security policyseries A
This is a page on your corporate website describing how you secure your users and their data, and how you plan to respond to external bug reports. You should advise that you support responsible disclosure. Keep in mind that you will likely receive reports of varying impact, so having a process for prioritizing them is important.
Have a security incident response planseries B+
This will allow whoever is in charge at the time of a breach to communicate accordingly about an incident and will allow for the fastest response. Trying to make your plan up in the heat of the moment can make the impact of breaches much worse.
Have an internal security policyseries B+
This is a short document outlining the security requirements in your company for your employees and defining who is responsible and who they can turn to for all things security. Make this part of onboarding and ensure that it’s easy to find.
Leverage tools to prioritize your securityseries A
Early on, you’ll want to focus on enhancing your security with smart internal practices. However, as you grow, it becomes more and more worth it to bring in some useful security tools. For instance, AWS offers AWS Trusted Advisor which, for a fraction of your billing, will provide you with actionable insights about your infrastructure security. Others can help you with different parts of your total security needs, from your application to your infrastructure.
Make sure all your critical services are securedseed
Many companies rely on 3rd-party services and platforms like Google Apps, Slack, and Wordpress. These services all have default settings that should be improved to increase their security level. All these services should be updated and checked on a regular basis, particularly when new versions come out.
Prepare your security for scaleseries A
Scale comes to each company differently. In many startups, scale occurs on various levels, whether it is in the size of the sales team, a big growth in the engineering team, opening new offices, etc. Each of these scaling events brings specific challenges. For example, how are you gonna run your security onboarding in a new office abroad if the employees there don’t speak the same language? It’s important to evaluate your security policies and practices with each scaling event you have.
Set up a bug bounty programseries A
A bug bounty program will allow external hackers to report vulnerabilities. Most of the bug bounty programs set rewards in place. You need security-aware people inside your development teams to evaluate any reports you receive, so make sure that you have the right internal resources before you set up such a program.
Work with compliance in mindseries B+
As you move into certain industries or upmarket to larger customers, your company might have to move to a formal security certification such as SOC2 or ISO/CEI 27001. Even without making a formal move in this direction, keeping in mind the security measures and the continuous improvement framework these measures recommend is a good inspiration. As you design your security practices, keep one eye on these frameworks and try to align where it makes sense for you.
Ensure that your domain names are protectedseed
Ensure that your domain names are protected Domain names should be renewed regularly. If you bought one from a third party, you should also make sure that the authoritative configured name server is your own. Take a few precautions when registering your domain to make it more difficult to hijack, including transfer locks and using an account owner email on a different domain.
Protect against domain name phishingseries B+
Some attackers buy domain names that are similar to yours, by dropping letters or using homoglyphs. For instance phishng.com instead of phishing.com. Registering lookalike domain names will help you prevent against this. Also, monitoring Certificate Transparency can help in proactively detecting attacks.
Double down on user privacyseries A
Many successful attacks happen through social engineering. This means that access to your users’ data has to be a big deal to you. Require a user’s explicit consent before allowing support / sales to access their data. This access should also be audited. Good security hygiene here can make social engineering attempts to get into your users’ data harder.
Encourage your users to use 2FA and uplevel your authentication securityseries A
As you get higher profile customers, you will be required to implement stronger security practices. This includes offering them 2FA, role-based account management, SSO, etc. Often times, these features are entry level requirements for more enterprise deals.
Enforce a password policyseed
Your users’ accounts will be much harder to steal if you require them to use strong passwords. Ideally, stick with common strong password policy requirements, to prevent your users from getting frustrated at not remembering some arcane rule.
Monitor your user’s suspicious activitiesseries A
Some users may behave suspiciously within your application, potentially trying to hack into your application, subvert your services, or bother your other customers. By monitoring suspicious users, you will be able to block or flag the illegitimate ones.