How often have you heard that ‘Early-stage startups don’t care much about Security because if there is no product, there is nothing to secure?’ Although there is merit in the argument that startups need to build product to sustain and grow, it often puts the person in charge of securing them in a tricky position. For most startups, this person is the first Security Engineer, who can be anywhere between the 10th and 300th employee. By the time the first Security Engineer is on-boarded, the attack surface has usually become quite large and he or she faces an uphill battle to secure the organization. In such cases, the Security Engineer needs to perform as a ‘one-person army’ keeping the attackers at bay.
In this session, I will present a playbook on how to perform as one. I will talk about the Startup Security methodology that has served me very well in starting, building and growing Security teams at various startups. The focus and goals include:
- DevSecOps – You are in charge of everything
- Automation is your friend – Alerts are significantly better than watching or monitoring a tool
- Secure, Document, Repeat!
- Developer empathy – It is new for them
- Build vs Buy – Maximizing ROI in terms of money and time
- Security Education and Awareness
- iPad signing technique – Risk consumption and buy-in
- Alignment with upper management before you accept the job – Budget, Headcount, Goals, Timeline etc.
I will also recount war stories from experiences as the first AppSec Engineer at Duo Security (acquired by Cisco), as founding engineer at Elevate Security, and when I started the Security team at MileIQ (acquired by Microsoft), as well as those of my colleagues who have been in similar shoes.