The Early Security Engineer’s First 90 Days Checklist

Second Edition: Expanded and Updated. Being the first security engineer in a startup that already operates for a few months or even years can be quite daunting. This security checklist aims to help security engineers and CISOs in early-stage companies to prioritize their efforts in the first months of their new job. Have feedback? Let us know!

your progress
0% complete

Categories

Get the PDF version

Timeline

  • First week
  • First month
  • First quarter
  • Later

Application security

  • Add a security policy to the website

    First month

    When security researchers discover vulnerabilities in the web services of your company, they will need a way to report them properly to you. By adding a security policy, such as security.txt, to your website, you help them easily get in touch with you about any security issues they uncover. You should mention that you support responsible disclosure, allowing you time to assess and fix the reported vulnerabilities.

    Not having a clear means to communicate security vulnerabilities will either mean that they won’t get reported, or that they will get lost in the shuffle of your company’s generic “contact us” inbox.

    Learn more:

  • Audit your applications

    First month

    Application security is increasingly one of the top security concerns for modern companies. On early audit you’ll need to do is on your applications. You’ll want to gather answers to questions like: Are your applications using vulnerable or outdated dependencies? Are they accessing the database? Are they handling authentication? Do they rely on a framework (Rails, Symfony) or are they using in-house components?

    Learn more:

  • Audit your DNS settings

    First month

    As more and more day-to-day business activities and revenue rely heavily on access and interactions with your website, it is important to audit your DNS as soon as possible and regularly afterward. Without proper security on your DNS, attackers could extract a list of all your assets or steal your domain names, which means they could lead efficient phishing attacks on your customers.

    Learn more:

  • Enforce two-factor authentication

    First quarter

    Everyone at your company should use 2-factor authentication. By adding 2FA, you add an extra layer of security. Should your coworker’s password get stolen, the attacker would still be locked out unless they have access to the second factor (e.g. phone app or text) as well. Phones are the most commonly used device for second factors, and thus have to be secured accordingly (e.g. with codes or biometry). Another option is to use purpose-built hardware-based 2FA, like Yubikeys.

    Learn more:

  • Ensure that your dependencies are secure

    First quarter

    Infuse security into all steps of the product development process and not just at the testing phase. Security-minded developers should check the dependencies in your applications for known bugs and vulnerabilities before using them and keep them updated when zero-days are found or patches are available.

    Learn more:

  • Help engineering and business teams protect sensitive business logics

    Later

    The attacks representing the most significant business risk for organizations are often attacks targeting sensitive business functions of applications rather than common vulnerabilities. Work with business and engineering teams to identify the biggest threats and implement monitoring and protection solutions to automatically remediate these threats.

    Learn more: Use security playbooks to protect your business logic

  • Make sure everything is properly encrypted

    First quarter

    When it comes to cryptography, don’t roll your own. Use accepted standards instead. Encrypt everything, including computers and mobile devices handed out to employees during the onboarding process. Turn on encryption for onsite and cloud backups. Use HTTPS to protect the users of your applications.

    Learn more:

  • Perform a security review of your architecture

    First month

    Review the elements of your architecture and the interfaces between them. Using the list of assets you were given or compiled earlier, you should be able to map the elements, draw the interconnections and identify flaws in communication protocols, servers configurations, and databases choices.

    If you use Sqreen, you can also leverage the security flow map to get a real-time view of your applications and their security status.

    Learn more:

  • Protect your applications in production

    Later

    Doing as much as you can to catch security vulnerabilities pre-production is helpful, but without the full context of runtime, you won’t be able to catch everything. Protecting and monitoring your applications in production, in real time, can greatly improve your security posture. Tools like RASPs and ASM platforms can give you visibility into the security of your production applications and help you stay on top of what’s going on.

    Learn more: Sqreen

  • Retrieve and audit your backups or set up new backups

    First month

    In today’s business world, company data is the most precious asset and backups are therefore crucial. Check the integrity of previous backups and make sure the settings are correct for future backups with sufficient storage space and backup frequency. If there are no backups, set them up immediately.

  • Secure your emails with DMARC

    Later

    Emails are usually a weak spot for attacks, especially via phishing and spoofing. A single email can do serious damage if it hits the wrong person at the wrong time. You can implement DMARC (Domain-based Message Authentication, Reporting and Conformance) to help protect your users from fraudulent emails. DMARC can be the technical support element to the security training you should be holding to help your co-workers spot and avoid dangerous emails.

    Learn more:

  • Structure secrets management

    First quarter

    Secrets, such as private keys, are extremely sensitive data and must not be stored unprotected. They should be securely stored in a vault. Some vaults can manage certificates as well. Secrets committed in an application’s source code should also be tracked down and stored elsewhere.

    Learn more:

  • Think about centralized authentication

    Later

    The benefits of centralized authentication for users is having a single set of credentials for all their applications. From a security standpoint, it enables you to handle only one account and gets rid of the risk of forgetting to disable an account during offboarding. It also saves time during onboarding by getting rid of the need to create lots of accounts for new employees.

    Learn more:

Process

  • Ask questions and take notes during onboarding

    First week

    Regardless of the maturity of the onboarding process at your company, whether formal or informal, seize the opportunity to ask questions and take extensive notes. These will be useful as you get settled into your role. Pay extra attention to anything security-related during onboarding. You can compile your observations in a discovery report for an early win.

  • Automate security as much as possible in the CI pipeline

    First quarter

    If your security practices impact your development velocity, they will be looked at as more of a burden than a value. The best practices today are to take lessons from DevOps and find ways to bring security closer to developers. Leverage tools that can automate security checks and monitoring. Implementing automated SAST/DAST tools, vulnerability dependency scanning, and others will help you catch the obvious flaws before they get into production. Just beware that you’ll have to sift through false positives and that these tools will not be able to identify flaws in your business logic or once your tools are in production.

    Learn more:

  • Automation is key

    Later

    With the amount of tasks required as the first security engineer, you can easily drown under less important tasks, resulting in losing track of serious unresolved vulnerabilities and substantially diminishing your incident response capabilities. Automate as much as possible in order to free up valuable time for tasks that actually require human expertise and deeper analyses. Take advantage of the multiple solutions offered in the market and of computational analytical power.

    Learn more:

  • Be the point of contact to perform security reviews of architecture

    First quarter

    Be available to your engineering team for security reviews of the architecture and update the architecture documentation regularly. You want your engineering team to come to you and work closely with you on the entire gamut of security needs, so be as present and helpful as possible.

    Learn more:

  • Build a process to manage third-party services

    First quarter

    Third-party providers and agencies need to be managed from onboarding to offboarding. This entails a thorough due diligence before and during the relationship as well as frequent risk assessments to keep abreast of the level of access the provider has and the potential vulnerabilities involved. The contract termination step is often overlooked and should be well prepared for during contract drafting, notably in terms of data migration and access removal. A checklist of all the tasks to be performed during onboarding and offboarding should be set up and regularly updated.

    Learn more:

  • Create a flag for security-related tasks

    First month

    If your company has an issue tracking system (such as JIRA), make sure that security-related issues can be identified easily or work with the team managing the system to create a special flag or project. Communicate this new category to your co-workers and clarify how and when to use it. You can also use a dedicated vulnerability management system such as ThreadFix which can be integrated with JIRA.

    This will make addressing and prioritizing security issues much easier for you.

    Learn more:

  • Create a security incident response plan

    First quarter

    Define what constitutes a security incident and design the response plan outlining the necessary tasks and roles. Share the response plan widely and make sure the employees are aware of their roles through regular training and simulation exercises. You don’t want to be in the position of needing to wing it during the crucial time after a breach or major incident.

    Learn more:

  • Determine who was informally in charge of security before you joined

    First week

    Even though it may not have been somebody’s specific role, someone was handling security aspects for the company before you started. Take the time to meet early on with the “security champion,” not only to gather precious information about the current state of things, but also to agree on his/her scope onwards should the person want to stay involved in security tasks. Depending on the company, this person might be the CTO or a security-minded developer.

  • Enforce a process for security code reviews

    First quarter

    Work with your developers to set up a process and a checklist for security code reviews in order to empower them to run manual and automated security code reviews themselves. Be available to answer their questions and be ready to assist if needed.

    Learn more:

  • Enforce the usage of password managers with strong password policies

    First quarter

    With a password manager, your users will only need to remember one master password. All other passwords can be complex and long; the password manager will take care of storing them and retrieving them when needed. The password manager can also generate random strong passwords to be used.

    Learn more:

  • Ensure you are looped in on the SDLC

    First quarter

    You should add some checkpoints to the SDLC so the developer teams will think of the security team when they’re creating and updating applications. Some tools or checklists allow for asking developers a small set of questions when starting a project in order to let the security team know how much attention they should pay here. For instance, “is this service gonna be exposed on the Internet”, or “Is this service handling customer data” are questions that can help you quickly get a sense of how involved you need to be on any particular project.

    Learn more: GoSDL

  • Explore and address the security backlog (if there is one)

    First month

    Oftentimes, even if vulnerabilities have been reported (in JIRA for example), they have not been addressed prior to your arrival because people did not know they had to address them, did not realize that they needed to be fixed immediately, or did not have or allocate the resources to assess and fix the issues. Getting a handle on the backlog of reported security issues and prioritizing fixes is a good place to start after you understand the systems your company has in place.

    Learn more:

  • Fix the most urgent issues

    First month

    Do not be alarmed or overwhelmed by the number of vulnerabilities uncovered during your audits. All of them do not need to be fixed right away; you can draw up a plan to fix them over time. However, do not defer fixing the most critical issues. If you identify a serious vulnerability during one of the audits and security reviews, you should pause and fix the issue immediately. If you can’t fix it, mitigate it.

  • Implement and maintain company security policies and procedures

    Later

    Draft security policies and procedures for the company, and, more importantly, communicate and circulate them. Make sure they are easily accessible and make them understandable for your co-workers. Set up a process to review and update them regularly at a certain frequency or when a specific event occurs.

    Learn more:

  • Include security in the onboarding/offboarding process for employees

    First quarter

    Onboarding and offboarding are important security moments for your company. You’ll want to ensure that new employees enact the security measures needed and that your company follows the appropriate steps for employees who are leaving.

    Your onboarding checklist should contain a list of all the steps you and they need to follow when an employee, contractor, or intern joins your company. A similar list can also be used when someone is leaving. Ensure that you deprovision all accounts they had access to during the offboarding.

    Learn more:

  • List and prioritize your security issues

    First month

    Compile all the issues you uncovered during the general and specific security audits, then prioritize them by risk. Setting up a vulnerability management system will be helpful. If no security issues are in the backlog… there is probably a cultural flag here!

    Learn more:

  • Prepare the groundwork for external security tests

    Later

    Before embarking on independent security assessments and penetration tests, it is good practice to run checks and correct some commonly identified issues (such as missing patches, weak or default passwords used, unsupported operating systems or missing input/output data validation) in order to use the external auditors time and expertise on more subtle issues.

    Learn more:

  • Set up and facilitate a public bug bounty program

    Later

    A bug bounty program will allow external hackers to report vulnerabilities. Most of the bug bounties programs allow you to offer rewards for bugs found. A lot of the reports won’t be valuable and you need security-aware people inside your development teams to evaluate the bugs you receive. These programs are good additions to other security initiatives as it incentivizes people outside your company to share bugs you may have overlooked.

    Learn more:

  • Structure and be the technical resource for your sales team and customers

    Later

    As a security engineer, you might also be the go-to resource for sales teams that require help filling in security forms. Spend some time retrieving and structuring all the previous requests to save time for future questionnaires.

    Learn more:

  • Take time to learn the specifics of your new company

    First week

    Don’t just take your previous experiences at past companies as the go-to model for your new company. While some things will be the same, several aspects will undoubtedly be different, and doing exactly what you’ve done before won’t be as effective. If you’re coming from a more mature company, it’s easy to suffocate an agile startup with heavy security that does not scale well, for example. Security engineers operate inside a business, and understanding that business before enforcing GovAgency-like security measures is key.

  • Understand how product development happens in your company

    First week

    As part of your first week exploration, you need to gather enough information from key stakeholders in order to have a clear understanding of the product development processes (e.g. steps, key milestones, teams involved, governance structure, etc.). These might be catalogued in documentation or through detailed oral explanations that should be written down. Deeply understanding the product development processes and structure of the engineering organization in your company will serve as a basis when you start to introduce security awareness and tasks within the product development lifecycle.

    Learn more Spotify squads Scaling the engineering org at PagerDuty

Monitoring

  • Assess the completeness and accuracy of your company’s assets list

    First month

    As a first step, assess the availability and freshness of your assets information. Is there a list of the hardware? Is there a list of the applications and services used within your company? Is there an employee directory and a list of all user accounts? Is there a list of third-party providers and their contracts? When were these lists last updated?

    The employee directory might be the easiest to retrieve, as your people department should be able to provide up-to-date records with the dates of everyone joining and leaving the company. As for the other lists, you will probably have to build them or update them if they already exist.

  • Audit your SaaS providers

    First month

    Know your SaaS services! Security is a major concern when it comes to SaaS. Examine the settings and SLAs of your SaaS services, whether application, platform, or infrastructure, and compare with what was agreed to in the contracts. Take note of the flaws in the contracts to renegotiate them if needed. SaaS providers might be reluctant to be audited beyond providing documentation of their policies and procedures. Prioritize the audits requests based on the service criticality or the data sensitivity. Ensure they comply with privacy related legislation such as GDPR.

    Learn more:

  • Build a security dashboard

    Later

    Create a security dashboard to give you an overview of the security efforts, or implement a tool that will do it for you. Avoid manual reporting – all data should be automatically provided by the solutions you use.

  • Evaluate your third-party providers

    Later

    Now that you have a list of your third-party providers, and a process in place for evaluating them, you should conduct thorough assessments of your existing third-party providers to make sure they are secure. Renegotiate contracts to strengthen the security responsibilities of your providers and the service levels required.

    Learn more:

  • Perform deeper vulnerability testing, risk analysis and security assessments

    Later

    Once you have a baseline audit of your company’s security across the major areas, you should schedule deeper tests and assessments in all areas (infrastructure, applications, people). These will give you a complete picture and the baseline you need to make strategic security decisions.

  • Perform your first security audit

    First month

    Design and perform your first security audit to understand the most critical security vulnerabilities within your company. This first audit should be broad in scope but not too detailed as other more thorough audits will be performed later for specific areas. Breadth over depth here will give you a high level understanding of where the burning platforms are and what areas need your attention first.

    Learn more:

  • Protect against Denial of Service attacks

    Later

    DoS and DDoS attacks can be devastating for a business’ bottom line. Depending on your business, disruption to the availability of your service could make you lose out on revenue or impact your customers. Taking actions to protect your systems and mitigate the effects of these types of attacks is key.

    Learn more:

  • Set up a centralized logging platform

    First quarter

    Logs are a valuable asset for getting signals from your production environment and for investigating suspicious activity or a security breach. A centralized log platform helps you to make the most out of the analytics potential held in your logs and provides a view across all themes (applications, network, users, etc.)

    Learn more:

  • Update or build the list of applications

    First month

    If you have been handed a list of the applications in use within your company, make sure it is up-to-date. If not, take time immediately to update the information about the major applications first, and schedule some time a bit later to update the rest of the list comprehensively as soon as possible.

    If there is no application list, you should prioritize building it.

    Ask which employees have (or had previously) admin rights to install software themselves on their computer and identify the shadow IT within your company.

    Learn more: Sqreen’s security flow map

  • Update or build the list of devices

    Later

    If you have been handed a list of the devices, make sure it is up-to-date or take time to update the exposed machine’s information first and schedule to update the list thoroughly as soon as possible.

    If the company has a BYOD policy, list those devices as well with the identification of each employee. If there is no device list, you should build it.

    The list should at least include information such as IP, type of device, and physical location, if appropriate.

    Learn more:

  • Update or build the list of services exposed to the Internet

    First month

    If you have been handed a list of the exposed services, make sure it is up-to-date or take time to update the exposed machine’s information first and schedule to update the list thoroughly as soon as possible. One good way to create this list is to use cloud API (AWS to list Route 53 domain names, or EC2 instances).

    Learn more:

  • Update or build the list of third-party providers

    Later

    You will need to know every company or individual that has direct or indirect access to the company’s systems or sensitive data. List or update the list of third-party providers and the contracts data. One critical piece of information is the date of contract renewal or termination and the data they have access to. You will also need to know how the provider’s teams access the systems and which rights are assigned to them.

    Having a clear understanding of the ways third party providers can and do access your systems and data is central to building the appropriate security measures on this front.

Culture

  • Be humble and respectful - Kill the shame game!

    First week

    As a general rule of thumb, adopting a humble and respectful demeanor is a factor of success for every newcomer within an organization. It’s tempting to show off how much you know about security and cyber-splain to everyone how insecure their setup is, if only out of a desire to establish your authority and credentials. But this will backfire on you. Being too hasty and judgmental in pointing out the shortcomings in the company’s security will not earn you the respect of your new colleagues, rather it will drive them away. Take comfort in the fact that if the company deemed there were no issues, you would not have been hired!

  • Build relationships with key stakeholders

    First week

    If it was not included in your onboarding documentation, ask for a list of the key stakeholders in your organization, be they developers, ops, execs, or managers. Your manager might see the importance of accompanying you to introduce you. Arrange together to meet with them and discuss their understanding of security, your role, and their concerns.

  • Don’t create a security awareness program (they don’t work) but…

    Later

    … enable and infuse a security culture

    Don’t make security a one-day annual training everyone has to go through and then forgets about. Permanent and contract employees need to be aware at all times of security threats, beginning with how they set and handle their passwords, use their emails, and secure their laptops and external drives.

    Learn more:

  • Hold security trainings for engineers and non-engineers

    First quarter

    Liaise with your people team or your CTO to set up a targeted security training for all employees, whether they’re engineers or not. The training should not be just a list of instructions, but rather a clear explanation as to why certain rules have to be put in place. You can include technical details if necessary, but make them accessible for all skill levels. The training should be included in the onboarding process.

    Getting buy-in on the security policies you’re implementing will make them much more effective, and a good, empathetic training will help you do that.

    Learn more:

  • Meet with fellow security engineers from similar companies

    First quarter

    The security community is generally a friendly one, and you can learn a lot from other security-minded professionals. As such, if you are not already a member of a professional group in your area, look for security meetups and communities, both online and offline. You could also reach out directly to fellow security engineers, whether in the same business line as you or not, to exchange ideas about your jobs and responsibilities or to discuss how they navigated being one of the first security engineers in their organization, if they were.

    Learn more:

  • Never stop learning!

    Later

    Managing security is an ever-changing landscape, so you need to keep yourself updated on the practices, tools, zero-day vulnerabilities, patches etc. It can seem overwhelming, but there are many websites and newsletters in which you can get regular information.

    Learn more:

Infrastructure security

  • Protect your infrastructure from intrusions

    Later

    Make sure to follow the latest security releases and update your infrastructure as soon as they become available. Having servers without public IP addresses (e.g. in a VPC) and rate limiting authentication services are some of the measures that can be implemented to protect your servers, and consequently your applications.

    Learn more:

  • Start thinking about physical security and hardware protection

    Later

    Attackers can do a lot of damage very quickly if they get physical access to your company’s or employees’ hardware. Assess the risks for your company’s hardware and implement some best practices around physical security protection.

    Learn more:

Trusted by security teams, loved by developers.

Monitoring and protection platform made to be incredibly powerful yet very easy to use.

Want this handbook as a PDF?

Scan the QR-code, or go to:

https://www.sqreen.com/checklists/security-engineer-checklist

Paper plan illustration

Stay in touch!

We're publishing great new resources every week.
Get them straight to your inbox.