My Personal Top 3 Recommendations For Security

Plus 100 other things you can do to secure your company

I often get asked, “What are some things I should do to improve my security?” That is a huge question, and it is quite hard to answer. I’ve talked before about threat modeling in previous posts… which means that every company and product is different.

In other words, there is no one size fits all.

However, there are some fundamentals that will take you a long way, especially right in the beginning.

If I were to give generic advice though, here are my top three suggestions based on recent attacks, incidents, and how startups work.

  • Strong Authentication

    • 2FA Everywhere (no SMS)

    • Password Managers for everyone (to encourage unique passwords and good password hygiene)

    • Ephemeral Keys instead of permanent IAM Keys

    • Good deprovisioning (Go to SSO as soon as you can, even if it's Google SSO)

  • Encryption at rest and in-transit everywhere (check your connections and configurations)

  • Security training and education for all contractors/employees at onboarding and ongoing if possible. This helps build a security culture from the beginning and as you grow. Having your employees and contractors invested and aware of security while they go about their everyday business will go a long way.
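As an added illustration (not code from the original post), here is a small Python check for the first two basics above, run over a constructed sample that uses the column layout of an AWS IAM credential report; the 90-day thresholds and the sample rows are assumptions.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the column layout of an AWS IAM credential report
# (real column names; the users and dates are made up for this example).
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2019-01-05T10:00:00+00:00,not_supported,2023-01-02T08:00:00+00:00,false,false,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,2021-03-01T09:00:00+00:00,true,2023-01-09T14:12:00+00:00,true,true,2022-12-20T00:00:00+00:00,2023-01-09T00:00:00+00:00
bob,arn:aws:iam::123456789012:user/bob,2020-06-15T12:00:00+00:00,true,2022-08-01T10:00:00+00:00,false,true,2020-06-15T12:00:00+00:00,2022-07-30T00:00:00+00:00
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,2021-11-11T11:00:00+00:00,false,no_information,false,true,2021-11-11T11:00:00+00:00,2023-01-08T00:00:00+00:00
"""

NOW = datetime(2023, 1, 10, tzinfo=timezone.utc)  # fixed "now" so results are reproducible


def _parse(ts):
    """Credential reports mix ISO timestamps with sentinels such as N/A or no_information."""
    try:
        return datetime.fromisoformat(ts.replace("Z", "+00:00"))
    except ValueError:
        return None


def audit_credential_report(text, now=NOW, max_key_age_days=90, max_idle_days=90):
    """Return {user: [findings]} for every identity that breaks one of the basics."""
    findings = {}
    for row in csv.DictReader(io.StringIO(text)):
        user, issues = row["user"], []
        # 2FA everywhere: any console login (root included) that has no MFA device.
        if row["password_enabled"] != "false" and row["mfa_active"] != "true":
            issues.append("console access without MFA")
        # Ephemeral keys: a permanent access key that has not been rotated in ages.
        rotated = _parse(row["access_key_1_last_rotated"])
        if row["access_key_1_active"] == "true" and rotated and now - rotated > timedelta(days=max_key_age_days):
            issues.append(f"access key older than {max_key_age_days} days")
        # Deprovisioning: credentials that nobody has used for a long time.
        last_used = [t for t in (_parse(row["password_last_used"]), _parse(row["access_key_1_last_used_date"])) if t]
        if last_used and now - max(last_used) > timedelta(days=max_idle_days):
            issues.append(f"no activity for more than {max_idle_days} days")
        if issues:
            findings[user] = issues
    return findings


if __name__ == "__main__":
    for user, issues in audit_credential_report(SAMPLE_REPORT).items():
        print(f"{user}: {'; '.join(issues)}")
```

On a real account the same function can be fed the CSV returned by the credential report API, and the thresholds tuned to your own rotation policy.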

Here are some other more comprehensive security checklists and guides out there:

  • https://scrty.io/

  • https://s3-eu-west-1.amazonaws.com/sqreen-assets/whitepapers/SaaS+CTO+Security+Checklist.pdf

  • https://www.goldfiglabs.com/guide/saas-cto-security-checklist/

Btw, most security professionals hate the word “checklist” because it carries the connotation of “set it and forget it” in security. If you’ve been reading this for a while you’ll know there is no such thing.

Take care,

Ayman
