How often have you heard that ‘Early stage startups don’t care much about Security because if there is no product, there is nothing to secure?’ Although there is merit in the argument that startups need to build product so as to sustain and grow, it often puts the person in charge of securing them in a tricky position. For most startups, this person is the first Security Engineer who can be somewhere between the 10th to 300th employee. By the time the first Security Engineer is on-boarded the attack surface has usually become quite large and he or she faces an uphill battle to go about securing the organization. In such cases, the Security Engineer needs to perform as a ‘one-man army’ keeping the attackers at bay. In this talk, i will present a playbook on how to perform as one.
In this presentation, i will talk about the Startup Security methodology which has served me very well in starting, building and growing Security teams at various startups. The focus and goals include :-
- DevSecOps – You are in-charge of everything
- Automation is your friend – Alerts significantly better than watching or monitoring a tool
- Secure, Document, Repeat!
- Developer empathy – It is new for them
- Build vs Buy – Maximizing ROI in terms of money and time
- Security Education and Awareness
- IPad signing technique – Risk consumption and buy-in
- Alignment with upper management before you accept the job – Budget, Headcount, Goals, Timeline etc.
I will also recount war stories from experiences including mine from when I was the first AppSec Engineer at Duo Security (acquired by Cisco), was founding engineer at Elevate Security and started the Security team at MileIQ (acquired by Microsoft) and those of my colleagues who have been in similar shoes.