
Security: teyc/ConsultingKit


Security.md

Source: https://www.sqreen.com/checklists/saas-cto-security-checklist#your-code

Employees

  • accustom everyone to good security practices

  • accustom the team to locking their computers

  • do not share user accounts

  • encrypt laptops and phones

  • follow onboarding and offboarding checklist

  • hire first security engineer

  • monitor users' computers

  • require 2FA

  • use a password manager to ensure strong passwords are used

  • use centralized account management

Code

  • add security bugs to the incident tracking tool

  • automate security within the SDLC

  • enforce a secure review checklist

  • keep secrets away from code

  • never do cryptography yourself (use a vetted library)

  • onboard your software engineers with security training

  • perform security oriented test sessions

  • use a preproduction analysis tool

  • use a secure development life cycle
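Two of the items above, "keep secrets away from code" and "automate security within the SDLC", meet in a pre-commit or CI check that refuses commits containing credentials. The following is an added example written for this page, not code from the original checklist or from the ConsultingKit project: a minimal scanner for hardcoded secrets, beside the fail-fast environment lookup that should replace them. The sample source, every key value in it, the regexes and the 3.5-bit entropy threshold are constructed assumptions (the AKIA... value is the placeholder format AWS uses in its own documentation, not a live key).

```python
"""Added example, not code from the original checklist or the ConsultingKit
project: a minimal scanner for secrets hardcoded in source, next to the
fail-fast environment lookup that should replace them. The sample source and
every key value in it are constructed (the AKIA... value is the placeholder
AWS uses in its own documentation, not a live key)."""
import math
import os
import re
from collections import Counter

# Well-known credential shape; the other rules are generic.
AWS_KEY_ID_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
PRIVATE_KEY_RE = re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")
# A quoted literal of 8+ chars assigned to a variable whose name says "secret".
NAMED_SECRET_RE = re.compile(
    r"""(?i)(password|passwd|secret|api[_-]?key|token)\w*\s*[:=]\s*['"]([^'"]{8,})['"]"""
)
# Any quoted literal of 20+ chars; only flagged when it looks random.
LONG_LITERAL_RE = re.compile(r"""['"]([^'"]{20,})['"]""")


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's own symbol distribution:
    random-looking keys score high (roughly 3.5+), words and repeats low."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def find_hardcoded_secrets(source: str, entropy_threshold: float = 3.5) -> list:
    """Return (line_no, kind, value) for each suspicious literal in source.
    At most one finding per line, most specific rule first."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), 1):
        if (m := AWS_KEY_ID_RE.search(line)):
            findings.append((line_no, "aws_access_key_id", m.group(0)))
        elif PRIVATE_KEY_RE.search(line):
            findings.append((line_no, "private_key_block", line.strip()))
        elif (m := NAMED_SECRET_RE.search(line)):
            findings.append((line_no, "named_secret", m.group(2)))
        else:
            for literal in LONG_LITERAL_RE.findall(line):
                if shannon_entropy(literal) >= entropy_threshold:
                    findings.append((line_no, "high_entropy_literal", literal))
                    break
    return findings


def load_secret(name: str, env=os.environ) -> str:
    """Read a secret from the environment (or an injected mapping) and fail at
    startup if it is missing, instead of falling back to a literal in code."""
    value = env.get(name)
    if not value:
        raise RuntimeError(f"required secret {name} is not set in the environment")
    return value


# Constructed sample file: the first four assignments are what a scan should
# catch; the last two are fine (short label, value read from the environment).
SAMPLE_SOURCE = """\
import boto3
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
DB_PASSWORD = "hunter2hunter2"
API_TOKEN = "x9Qk2LpZ8vRt4Wm1Ys7Hb3Nd"
SIGNING_SALT = "q7Zw3mPx9Lr2Vn8Tk5Jd0Gb4"
DEFAULT_LABEL = "placeholder"
SESSION_TIMEOUT = os.environ["SESSION_TIMEOUT"]
"""

if __name__ == "__main__":
    for line_no, kind, value in find_hardcoded_secrets(SAMPLE_SOURCE):
        print(f"line {line_no}: {kind}: {value[:6]}...")
```

The variable-name rule catches low-entropy passwords such as `hunter2hunter2` that an entropy-only scanner misses, and the entropy rule catches random tokens assigned to innocuous names; a real pipeline would run a maintained tool with many more signatures, but the two signals are the same.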

Application

  • automate security once your app is in production

  • don't forget about your FaaS security

  • hire an external penetration testing team

  • keep track of your dependencies

  • run it unprivileged

  • use a real-time protection service such as RASP

Infrastructure

  • backup, test your backups then backup again

  • centralise and archive logs to make them meaningful

  • check your website's basic security

  • isolate assets at the network level

  • keep your OS & Docker images up to date

  • know how to redeploy your infrastructure from scratch

  • monitor exposed services

  • monitor internal services

  • use encryption (TLS) on all your websites and APIs

  • protect your application from DDoS attacks

  • restrict internal services by IP addresses

  • watch for unusual patterns in your metrics
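"Restrict internal services by IP addresses" and "watch for unusual patterns in your metrics" are both verifiable from the centralised logs the list asks for. The following is an added example written for this page, not code from the original checklist or from the ConsultingKit project: it parses Common Log Format access lines, reports requests to internal-only paths that arrive from outside the internal ranges (evidence that the network restriction is not actually enforced), and flags one unusual pattern, a burst of authentication failures from a single source. The log lines, the internal networks and path prefixes, and the 5-failures-in-60-seconds threshold are all constructed assumptions.

```python
"""Added example, not code from the original checklist or the ConsultingKit
project: two of the infrastructure items above applied to web-server access
logs: an IP allowlist check for internal-only paths, and a detector for a
burst of authentication failures from one source. The log lines, networks,
paths and thresholds are constructed for illustration."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Assumed internal ranges and internal-only URL prefixes.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
INTERNAL_PREFIXES = ("/admin", "/metrics", "/internal/")
# Assumed detection parameters: 5 auth failures from one IP within 60 s.
FAILURE_THRESHOLD = 5
WINDOW_SECONDS = 60

# Common Log Format: ip - user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)


def parse_log(text: str) -> list:
    """Parse CLF lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        records.append({
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "path": m["path"],
            "status": int(m["status"]),
        })
    return records


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def allowlist_violations(records: list) -> list:
    """(ip, path) for every request to an internal-only path from outside the
    internal ranges. Each hit means the restriction is not enforced in front
    of the service, whatever status the application itself returned."""
    return [(r["ip"], r["path"]) for r in records
            if r["path"].startswith(INTERNAL_PREFIXES) and not is_internal(r["ip"])]


def failed_auth_bursts(records: list, threshold: int = FAILURE_THRESHOLD,
                       window: int = WINDOW_SECONDS) -> list:
    """IPs with at least `threshold` 401/403 responses inside any `window`
    seconds (sliding window over each IP's sorted timestamps)."""
    failures = defaultdict(list)
    for r in records:
        if r["status"] in (401, 403):
            failures[r["ip"]].append(r["ts"])
    bursting = []
    for ip, times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window:
                bursting.append(ip)
                break
    return sorted(bursting)


# Constructed sample: one external host probing /admin and /metrics, one
# external host hammering /login, and ordinary internal traffic.
SAMPLE_LOG = """\
10.0.1.5 - - [10/Oct/2000:13:55:00 +0000] "GET /admin/users HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2000:13:55:02 +0000] "GET /admin/users HTTP/1.1" 403 0
198.51.100.20 - - [10/Oct/2000:13:55:01 +0000] "POST /login HTTP/1.1" 401 0
198.51.100.20 - - [10/Oct/2000:13:55:05 +0000] "POST /login HTTP/1.1" 401 0
198.51.100.20 - - [10/Oct/2000:13:55:10 +0000] "POST /login HTTP/1.1" 401 0
192.168.1.10 - - [10/Oct/2000:13:40:00 +0000] "POST /login HTTP/1.1" 401 0
198.51.100.20 - - [10/Oct/2000:13:55:15 +0000] "POST /login HTTP/1.1" 401 0
198.51.100.20 - - [10/Oct/2000:13:55:20 +0000] "POST /login HTTP/1.1" 401 0
192.168.1.10 - - [10/Oct/2000:13:50:00 +0000] "POST /login HTTP/1.1" 200 88
203.0.113.7 - - [10/Oct/2000:13:56:00 +0000] "GET /metrics HTTP/1.1" 403 0
"""

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("allowlist violations:", allowlist_violations(recs))
    print("auth-failure bursts:", failed_auth_bursts(recs))
```

The allowlist check deliberately ignores the response status: the external host got a 403 from the application, but the request should never have reached it, which is exactly the gap between "the app checks" and "the network isolates" that the checklist item is about.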

Company

  • be honest and transparent about any data you collect

  • build a security friendly culture

  • create an inventory of your company's assets

  • do not share your wifi network

  • have a public security policy

  • have a security incident response plan

  • have an internal security policy

  • leverage tools to prioritize your security

  • make sure all your critical services are secured

  • prepare your security for scale

  • set up a bug bounty program

  • work with compliance in mind

  • ensure your domain names are protected

  • protect against domain name phishing

Product

  • double down on user privacy

  • encourage your users to use 2FA and strengthen your authentication security

  • enforce a password policy

  • monitor your users for suspicious activity
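"Enforce a password policy" and the "never do cryptography yourself" item under Code combine naturally. The following is an added example written for this page, not code from the original checklist or from the ConsultingKit project: a policy in the style of NIST SP 800-63B (a length minimum and a breached-password blocklist rather than composition rules), and storage through scrypt from the Python standard library with a self-describing hash string so the work factor can be raised later. The minimum and maximum lengths, the scrypt parameters, the blocklist and the sample credentials are constructed assumptions.

```python
"""Added example, not code from the original checklist or the ConsultingKit
project: a password policy in the style of NIST SP 800-63B (length plus a
breached-password blocklist instead of composition rules) and storage via a
memory-hard KDF from the standard library rather than anything home-grown.
The limits, KDF parameters, blocklist and sample credentials are constructed."""
import hashlib
import hmac
import os
import unicodedata

MIN_LENGTH = 12
MAX_LENGTH = 128          # allow long passphrases, but bound hashing cost
# Constructed stand-in for a real breached-password corpus.
BREACHED = {"password", "password1234", "123456789012", "qwertyuiop12"}
# Assumed scrypt parameters; memory use is 128 * r * n bytes = 16 MiB here.
SCRYPT = {"n": 2 ** 14, "r": 8, "p": 1, "dklen": 32}


def normalize(password: str) -> str:
    """NFKC-normalize so visually identical inputs compare and hash equal."""
    return unicodedata.normalize("NFKC", password)


def check_password_policy(password: str, username: str = "") -> list:
    """Return the list of policy violations; an empty list means acceptable."""
    pw = normalize(password)
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    if pw.lower() in BREACHED:
        reasons.append("appears in breached-password list")
    if username and username.lower() in pw.lower():
        reasons.append("contains the username")
    if len(set(pw)) < 4:
        reasons.append("too few distinct characters")
    return reasons


def hash_password(password: str, salt: bytes = None) -> str:
    """Salted scrypt hash in a self-describing format, so the parameters
    stored beside each hash can be raised for new passwords later."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(normalize(password).encode("utf-8"), salt=salt, **SCRYPT)
    return "$".join(["scrypt", str(SCRYPT["n"]), str(SCRYPT["r"]), str(SCRYPT["p"]),
                     salt.hex(), digest.hex()])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the parameters stored in the hash string and compare in
    constant time; malformed or foreign-scheme strings never verify."""
    try:
        scheme, n, r, p, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "scrypt":
        return False
    digest = hashlib.scrypt(normalize(password).encode("utf-8"),
                            salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=len(digest_hex) // 2)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery", "alice-is-great-2024"):
        print(repr(candidate), "->", check_password_policy(candidate, "alice") or "ok")
    stored = hash_password("correct horse battery")
    print(stored)
    print(verify_password("correct horse battery", stored))
```

Note what the policy does not do: it has no uppercase/digit/symbol requirements and no forced rotation, both of which 800-63B advises against because they push users toward predictable patterns; the blocklist and the length minimum carry the weight instead, and the KDF, not the policy, is what protects the stored hashes if the database leaks.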
