The SaaS CTO Security Checklist

Security shouldn’t feel like a chore. This second edition of the SaaS CTO Security Checklist provides actionable security best practices for CTOs or developers. Select your startup stage and use these rules to improve your security!


SaaS CTO Security Checklist, 2nd Edition - Updated & expanded security checklist for startup CTOs ✅ | Product Hunt Embed
your progress
0% complete

Categories

Get the PDF version

Timeline

  • Seed
  • Series A
  • Series B+

Your employees

  • Accustom everyone to good security practices

    seed

    People are often the weakest links in any company’s security. By holding trainings to explain how an attacker could infiltrate your company, you will increase their awareness and thus minimize the chance of them falling for common traps. Some things to cover include phishing emails, and the dangers of USB drives and email attachments.

    Read more:

  • Accustom your team to locking their computers

    seed

    Your office may be secured, but you will eventually have to receive external people for a party or a meeting. Someone with physical access to an employee computer can do a lot of harm in a very short amount of time, so locking all computers is a great habit. If you get in the habit of locking your machine at the office, you’ll be unlikely to forget to also do it in a Starbucks or at a meetup.

    Many organizations make it a game to catch fellow employees’ computers unlocked. This is a good way to reinforce the habit of locking your computer for everyone. At Sqreen, for example, if someone catches another person’s laptop unlocked while they’re AFK, they can type “Cookies!” in that person’s Slack. That person will then have to bring in cookies for the office!

    Read more:

  • Do not share user accounts

    series A

    Sharing a user account makes it hard to understand who is using the service or to identify who has performed a given action. This makes it much harder to recognize when an account has been taken over by an outside party. It also makes it harder to remove access to an account when employees leave the company, opening that account up to potential abuse.

  • Encrypt all employee laptops & phones

    seed

    By encrypting all laptops, you protect both your company’s assets, and your employee’s private files. Encrypting your employee’s phones is the same, and will protect their security in the case of either theft or accidents.

    Read more:

  • Follow an onboarding / offboarding checklist

    seed

    Onboarding and offboarding are important security moments for your employees. You’ll want to ensure that new employees enact the security measures needed and that your company follows the appropriate steps for employees who are leaving.

    Your onboarding checklist should contain a list of all the steps you need to follow when an employee, contractor, or intern joins your company. A similar list can also be used when someone is leaving your team. Ensure that you deprovision all accounts they had access to.

    Read more:

  • Hire your first security engineer

    series B+

    As your company grows, you’ll want to bring in a security expert and centralize your application security responsibilities on them. To determine if it’s the right time to do so, ask yourself the following questions:

    • do we have a security roadmap?
    • do we manage to deliver on it?

    If you don’t, then it’s the time to strategically consider what your security roadmap should look like, and to find out what kind of security engineer you need.

    It’s important to note that you shouldn’t hire a specialized security person too early. Early on, security is something that needs to be baked into your engineering organization rather than immediately offloaded to someone else. Only when your engineering team is fully bought into security but is simply getting overwhelmed should you bring in a specialized security engineer.

    Read more:

  • Monitor your user’s computers

    series B+

    The more employees you have, the bigger the risk of them getting infected by malicious software, such as botnets. Using a HIPS system on employee hardware could help you get ahead of any problems via alerts and notifications.

    Read more:

  • Require 2FA wherever possible

    seed

    Your employees should all use 2-factor authentication. By adding 2FA, you add an extra layer of security. Should your employee’s password get stolen, the attacker would still be locked out unless they have access to the second factor (e.g. phone app or text) as well. As a CTO, your role is to make sure everyone complies with this rule. Phones are the most commonly used device for second factors, and thus have to be secured accordingly (e.g. with codes or biometry). Another option is to use purpose-built hardware-based 2FA, like Yubikeys.

    Read more:

  • Use a password manager to ensure you only use strong passwords

    seed

    Using a complex and unique password for every website is great advice, but it can be very difficult to remember all of them. Rather than reusing passwords or storing your passwords somewhere others could access, use a password manager. Password managers are a great way to manage multiple passwords across sites, since they will remember everything for you with a single master password, and can often generate unique strong passwords for you. Encourage your employees to do likewise, and purchase a business plan to a password manager if necessary.

    Some great password managers are:

  • Use centralized account management

    series A

    Having a centralized place with all user authorizations is the best way not to forget anything once you need to update a user profile (e.g. if an internship came to its end). It is also a great place to define the standard account creation process you need for a given user. If you can, implement SSO to simplify and automate this process.

    Configuring with Google Apps: https://support.google.com/a/answer/6087519

Your code

  • Add security bugs to your incident tracking tool

    seed

    Every developer should contribute to maintaining a list of security issues that need to be fixed in the future. Making them available to the rest of the team will increase security awareness in your company.

    Treat security bugs like any other type of bug – determine their priority based on whether or not they are exploitable and the damage that could be done. Additionally, hold post-mortems for serious security bugs with the team to ensure that everyone gets visibility and learns from them.

  • Automate security within your SDLC

    series B+

    If your security practices impact your development velocity, they will be looked at as more of a burden than a valuable step. The best practices today are to take lessons from DevOps and find ways to bring security closer to developers. Leverage tools that can automate security checks and monitoring. Implementing automated SAST/DAST tools, vulnerability dependency scanning, and others will help you catch the obvious flaws before they get into production. Just beware that you’ll have to sift through false positives and that these tools have limited scope.

    Read more:

  • Enforce a secure code review checklist

    seed

    Security should always be kept in mind while coding. Pull request reviews should be performed with security in mind as well. Depending on where the code is, the checks should be different. Dealing with user entry is one thing, dealing with business structures is another – the concerns are related to the context.

    In addition to common sense, keep in mind typical security flaws. For example, many code snippets from places like StackOverflow have not been written with security in mind. If your team pulls code snippets from the Internet, make sure they double check them for security before deploying them.

    Security competency is also a good topic to ask about when interviewing a candidate.

    Read more:

  • Keep secrets away from code

    seed

    Never commit secrets in your code. They should be handled and stored separately in order to prevent them from accidentally being shared or exposed. This keeps a clear layer of separation between your environments (typically development, staging, and production).

    Read more:

  • Never do cryptography yourself

    seed

    Always rely on existing mechanisms, libraries, and tools. Cryptography is an expertise. Building your own implementations, or using flags and options you don’t fully understand, will expose you to major risks. Libraries such as na.cl (https://nacl.cr.yp.to/) expose only a few options and restrict you to the good choices.

  • Onboard your software engineers with a security training

    series B+

    Secure applications start with secure developers. Your software engineers need to be aware of security best practices in order to write secure code and to perform security-minded code reviews. Since security is usually not something hiring managers consider during recruitment, an initial training at onboarding will help your devs reach a minimum level of security.

    Also, consider checking for security competency during the hiring process. This will help you better shape your training.

    Some good security training options:

  • Perform security-oriented test sessions

    series A

    Once in a while, the entire technical team should sit together and spend time targeting all parts of the application, looking for vulnerabilities. This is a great time to test for account isolation, token unicity, unauthenticated paths, etc… You will heavily rely on your browser’s web console, curl, and 3rd party tools such as Zap (https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project).

    The benefit of doing these test sessions yourselves is that your team has the best understanding of your application, and likely where the weak points are. Showing that they can be exploited (or not) is valuable feedback for the team. These sessions complement external pentests quite well.

    Read more:

  • Use a pre-production analysis tool

    seed

    Pre-production analysis tools like static code analysis (SAST) can help identify some of your low-hanging security fruits. They also improve the overall security awareness of your team when the checks are automatically integrated into the code review process. But keep in mind that these tools generate a lot of false positives that can quickly overwhelm you with meaningless alerts. The best practice is to make them part of your process, but not too rely too heavily on them.

    Tools:

  • Use a secure development life cycle

    series B+

    The secure development lifecycle is a process that helps tackle security issues at the beginning of a project. While rarely used as is, it provides good insights at all stages of the project, from the specification to the release. It will allow you to enforce good practices at every stage of the project life.

    Read more:

Your application

  • Automate security once your app is in production

    seed

    Several tools offer ways to automate custom security protection in production. Wherever possible, leverage your business information and logic to automate monitoring and protection of security situations systemic to your particular business. The more you can automate, the easier you’ll be able to scale your security.

    Read more:

  • Don’t forget about your FaaS security

    seed

    If you’re using FaaS in your company, you should ensure that it’s not a weak point for security.

    Make sure:

    • Your code is centralized - either in a FaaS-specific repository or within the applications that the function depends upon
    • Deployment is centralized in the CI. With FaaS abstracting things for you, it can be easy to forget about the different functions!
    • Privileges used by the function are minimalist (and distinct from the privileges used to deploy it)

    On top of that, FaaS should follow all the security criteria that you apply to your applications - from specifications, to development, to operating in production.

    Read more:

  • Hire an external penetration testing team

    series B+

    Pentesters take an external and naive point of view of your infrastructure and products. They will take nothing for granted and will check even the most basic assumptions, as well as all of your infrastructure. The experience can help focus your security efforts and mindset.

    Read more:

  • Keep track of your dependencies

    seed

    Applications are built using dozens of third party libraries. A single flaw in any of these libraries may put your entire application at risk. According to OWASP, one of the most common application security risks is using dependencies with known vulnerabilities. Some tools allow you to check your dependencies for vulnerabilities and ensure that they are up-to-date:

    Read more:

  • Run it unprivileged

    seed

    In the case that an attacker does successfully attack your application, having it running as a user with restricted privileges will make it harder for the attacker to take over the host and/or to bounce to other services. Privileged users are root on Unix systems, and Administrator or System on Windows systems.

  • Use a real-time protection service, like a RASP

    seed

    These days, WAFs are pretty outdated. It’s better to use services that sit closer to your application. These tools protect web applications from attacks at runtime. An Application Security Management (ASM) tool can do for security in your application what APM tools do for performance. They can monitor and protect against all major vulnerabilities (SQL injections, XSS attacks, account takeovers, code injections, etc…) without false positives.

    Read more:

Your infrastructure

  • Backup, test your backups, then backup again

    seed

    Backup all your critical assets. Ensure that you attempt to restore your backups frequently so you can guarantee that they’re working as intended. S3 is a very cheap and effective way to backup your assets.

    Read more:

  • Centralize and archive your logs and make them meaningful

    series A

    Logs are very useful for understanding what happened after an incident occurs, finding where an attacker came from, and possibly even who they are. Many solutions exist to gather and organize logs.

    Don’t forget, you need to take care that the system time configured on each of your machines is in sync so that you can easily cross-correlate logs. You’ll have a much harder time if they’re not (no pun intended).

    Read more:

  • Check your website's basic security

    seed

    Websites are exposed to many different classes of vulnerabilities, and some may be prevented by appropriately configuring the server. Best practices include adding headers such as HSTS, X-Frame-Options, X-Content-Type-Options, etc. Add in a Content Security Policy if possible.

    Read more:

  • Isolate assets at the network level

    seed

    Only your public APIs should be exposed to the Internet. You should isolate your networks to prevent any unauthorized access to your database. This will prevent attackers from connecting to it and attempting to crack the password - or exploit vulnerabilities.

    Read more:

  • Keep your OS & Docker images up to date

    seed

    You should download all of your OS’s and Docker security updates and regularly update your machines and images. If you use a PAAS provider (Heroku, AWS Beanstalk, etc…), they will take care of this for you. If not, you will need to do it yourself. Ideally, automate this process if possible.

    Read more:

  • Know how to redeploy your infrastructure from scratch

    series B+

    Hopefully you never need to, but in the case of a disaster, this allows you to quickly spawn new infrastructure and populate it with data from your backups. This is the perfect use case for disaster recovery.

    Read more:

  • Monitor exposed services

    series A

    Your developers constantly deploy new services. Step one is to ensure that you keep track of them, but you also want to ensure that they don’t expose sensitive services to the outside world, (for instance, a database accessible from the Internet without network filtering). Using a network scanner will help you ensure that no unexpected services are exposed, and will tell you when new services are vulnerable and should be updated.

    Check this cloud friendly tool:

  • Monitor internal services

    series B+

    It’s a fairly common attitude to not focus on the security of your internal services as much as your external services. However, as you get bigger, you will lose visibility on the services used internally. When you start to lose track of internal services, they become a vector through which viruses or worms could spread. Additionally, more people (like contractors) will have access to your internal network. If it’s not secured, this puts it at risk.

    Read more:

  • Use encryption on all your websites and APIs

    seed

    Encrypting communications is not only about privacy, but also about your users’ safety, since it will prevent most attempts at tampering with what they receive.

    A free popular solution is: https://letsencrypt.org/

    Read more:

  • Protect your application from DDoS attacks

    series A

    A Distributed Denial-of-Service Attack (DDoS) can have a real impact on your bottom line and customer experience. Basic DDoS protections can easily be integrated with a CDN, but there are purpose-built DDoS protection tools available as well.

    Read more:

  • Restrict internal services by IP addresses

    series A

    Connections to your infrastructure and non-public properties (hosted CIs, admin interfaces, databases etc.) should only be accessible through a bounce host (in a VPC, behind a bastion host or VPN, etc.).

    Read more:

  • Watch for unusual patterns in your metrics

    series A

    Takeovers will often be used to steal your data or setup your servers to be used as bouncers. These can be detected by watching for unusual patterns in key metrics, such as network bandwidth, CPU and memory consumption, and disk usage.

    Read more:

Your company

Your product users

  • Double down on user privacy

    series A

    Many successful attacks happen through social engineering. This means that access to your users’ data has to be a big deal to you. Require a user’s explicit consent before allowing support / sales to access their data. This access should also be audited. Good security hygiene here can make social engineering attempts to get into your users’ data harder.

    Read more:

  • Encourage your users to use 2FA and uplevel your authentication security

    series A

    As you get higher profile customers, you will be required to implement stronger security practices. This includes offering them 2FA, role-based account management, SSO, etc. Often times, these features are entry level requirements for more enterprise deals.

    Read more:

  • Enforce a password policy

    seed

    Your users’ accounts will be much harder to steal if you require them to use strong passwords. Ideally, stick with common strong password policy requirements, to prevent your users from getting frustrated at not remembering some arcane rule.

    Read more:

  • Monitor your user’s suspicious activities

    series A

    Some users may behave suspiciously within your application, potentially trying to hack into your application, subvert your services, or bother your other customers. By monitoring suspicious users, you will be able to block or flag the illegitimate ones.

    Read more:

Paper plan illustration

Stay in touch!

We're publishing great new resources every week.
Get them straight to your inbox.