The SaaS CTO Security Checklist

This is a basic checklist that all SaaS CTOs (and anyone else) can use to harden their security. Security shouldn’t feel like a chore. Select your startup stage and use these rules to improve your security. This list is far from exhaustive, and incomplete by nature, since the security you need depends on your assets.

Feel free to contribute directly on GitHub!

Company Stage

  • Seed
  • Series A
  • Post-Series A

Your company

Your employees

Your infrastructure

  • Use SSL certificates to secure people using your website

    Seed

    Encrypting communications is not only about privacy but also about your users’ safety, since it prevents most attempts at tampering with what they receive. Whatever certificate you use, redirect all plain HTTP traffic to HTTPS, disable the legacy SSL protocol versions (the name “SSL” has stuck, but in practice this means TLS 1.2 or later), and automate renewal so that an expired certificate never takes your site down.

    Two free popular solutions are:

    You can also choose your own custom certificate (paying extra for “Extended Validation” used to earn a green bar in the address bar, but major browsers dropped that indicator in 2019, so it no longer buys you a visible signal):

  • Check your website's basic security

    Seed

    Websites are exposed to many different classes of vulnerabilities, some of which can be prevented by appropriate server configuration. In particular, response headers such as HSTS, X-Frame-Options, X-Content-Type-Options and Content-Security-Policy are very valuable for your users’ protection: they tell the browser to refuse plain HTTP, to refuse being framed (clickjacking), to respect your declared content types and to restrict where scripts may load from. Static websites expose your users to fewer risks, since there is no server-side code to attack.

    Check your website configuration:
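    The header checks described above, as an added example (not code from the checklist or its authors): a stdlib-only Python script that grades a set of response headers and, optionally, fetches them from a live URL with a HEAD request. The sample headers and the six-month HSTS threshold are constructed assumptions for the example.

```python
"""Static check of HTTP security headers (added example, not from the checklist)."""
import re
import urllib.request

# Six months in seconds: the minimum max-age most guidance (and the HSTS
# preload list) expects. Assumed threshold for this example.
HSTS_MIN_MAX_AGE = 180 * 24 * 3600

# Constructed response headers from a misconfigured site (not captured from a real host).
WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "ALLOWALL",
    "Content-Type": "text/html; charset=utf-8",
    "Server": "nginx/1.18.0",
}

# Constructed headers that pass every check below.
HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "Content-Type": "text/html; charset=utf-8",
    "Server": "nginx",
}


def check_security_headers(headers):
    """Return a list of (header, problem) pairs; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append(("Strict-Transport-Security", "missing: first visit over plain HTTP is not upgraded"))
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < HSTS_MIN_MAX_AGE:
            findings.append(("Strict-Transport-Security", f"max-age too short: {hsts!r}"))
        if "includesubdomains" not in hsts.lower():
            findings.append(("Strict-Transport-Security", "includeSubDomains missing: subdomains stay exposed"))

    csp = h.get("content-security-policy", "")
    xfo = h.get("x-frame-options", "").strip().upper()
    if "frame-ancestors" not in csp.lower() and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append(("X-Frame-Options", "no DENY/SAMEORIGIN and no CSP frame-ancestors: clickjacking possible"))

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append(("X-Content-Type-Options", "missing 'nosniff': browsers may MIME-sniff responses"))

    if not csp:
        findings.append(("Content-Security-Policy", "missing: no second line of defence against XSS"))

    if re.search(r"\d", h.get("server", "")):
        findings.append(("Server", f"advertises a version: {h['server']!r}"))

    return findings


def audit_url(url):
    """Fetch a live site's headers with a HEAD request and check them (needs network)."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return check_security_headers(dict(resp.headers))


if __name__ == "__main__":
    for header, problem in check_security_headers(WEAK_HEADERS):
        print(f"{header}: {problem}")
```

    Run it against `WEAK_HEADERS` and it reports six problems; the hardened set passes cleanly. The X-Frame-Options check accepts a CSP `frame-ancestors` directive as an equivalent, which is what modern browsers honour when both are present.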

  • Isolate assets at the network level

    Seed

    Only your public APIs should be exposed to the Internet. Isolate your networks to prevent any unauthorized access to your database: it should listen only on a private interface, and its firewall rules (security groups) should admit only the application tier, never 0.0.0.0/0. This stops attackers from connecting to it and attempting to crack the password, or from exploiting vulnerabilities in the database software itself.

    Read more:

  • Keep your OS up to date

    Seed

    Apply all of your OS's security updates and update your machines regularly, ideally through unattended automatic security upgrades with a planned reboot window for kernel patches. For servers, you can delegate this to a PaaS provider (Heroku, AWS Elastic Beanstalk, etc…).

  • Backup

    Seed

    Back up all your critical assets. Test your restores frequently so you can guarantee that the backups actually work; an untested backup is a hope, not a plan. Keep at least one copy somewhere an attacker who compromises production cannot delete it (a separate account or region, written with credentials that cannot delete or overwrite existing objects). S3 is a very cheap and effective way to back up your assets:

  • Restrict internal services by IP addresses (your company’s ISP, VPNs, etc…)

    Series A

    Everything non-public should be reachable only through a bastion host or VPN, with the bastion itself restricted to your company’s IP ranges and key-based SSH (e.g. no direct access to databases).

    Read more:
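    An added example covering both this entry and “Isolate assets at the network level” above (not code from the checklist or its authors): a Python audit over the JSON that `aws ec2 describe-security-groups` returns, flagging any rule that opens a non-public port to 0.0.0.0/0 or ::/0. The sample groups, their IDs and the office range 203.0.113.0/24 are constructed; the only ports assumed to be legitimately public are 80 and 443, and ICMP rules are out of scope.

```python
"""Audit security-group rules for internal ports open to the world (added example)."""
import ipaddress
import json
import sys

# Ports that legitimately face the Internet on a SaaS front end (assumption for this example).
PUBLIC_PORTS = {80, 443}

# Constructed document in the shape of `aws ec2 describe-security-groups` output.
# Group IDs and CIDRs are made up; 203.0.113.0/24 stands in for the office/VPN range.
SAMPLE_GROUPS = {
    "SecurityGroups": [
        {"GroupId": "sg-web", "GroupName": "web-tier", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
             "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        ]},
        {"GroupId": "sg-db", "GroupName": "postgres", "IpPermissions": [
            # correct: only the application tier's group may reach the database
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [],
             "UserIdGroupPairs": [{"GroupId": "sg-app"}]},
            # wrong: someone opened it to the world "for debugging"
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        ]},
        {"GroupId": "sg-bastion", "GroupName": "bastion", "IpPermissions": [
            # correct: SSH only from the office/VPN range
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
            # wrong: SSH reachable from anywhere
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        ]},
        {"GroupId": "sg-legacy", "GroupName": "legacy", "IpPermissions": [
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        ]},
    ]
}


def is_world(cidr):
    """True for 0.0.0.0/0 or ::/0, the ranges that mean 'anyone on the Internet'."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit_security_groups(doc, public_ports=PUBLIC_PORTS):
    """Return (group_id, description) for every rule exposing a non-public port to the Internet."""
    findings = []
    for sg in doc["SecurityGroups"]:
        for rule in sg.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if not is_world(cidr):
                    continue  # rules scoped to a group or a private range are fine here
                proto = rule.get("IpProtocol")
                if proto == "-1":
                    findings.append((sg["GroupId"], f"all protocols and ports open to {cidr}"))
                    continue
                if proto not in ("tcp", "udp"):
                    continue  # ICMP and friends use FromPort/ToPort for type/code; not covered
                lo, hi = rule.get("FromPort"), rule.get("ToPort")
                if lo is None or hi is None:
                    continue
                exposed = [p for p in range(lo, hi + 1) if p not in public_ports]
                if exposed:
                    shown = str(exposed[0]) if len(exposed) == 1 else f"{exposed[0]}-{exposed[-1]}"
                    findings.append((sg["GroupId"], f"{proto}/{shown} open to {cidr}"))
    return findings


if __name__ == "__main__":
    # Usage: aws ec2 describe-security-groups | python audit_sg.py
    doc = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_GROUPS
    for group, problem in audit_security_groups(doc):
        print(f"{group}: {problem}")
```

    On the sample it reports the database, the world-open SSH rule and the legacy group; the web tier's 80/443 rules and the group-to-group database rule pass. Rules that reference another security group instead of a CIDR are exactly the shape the entry asks for, so they never appear in the findings.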

  • Centralize and archive your logs and make them meaningful

    Series A

    Logs are necessary to trace what happened after an incident, find where the attacker came from, and possibly even who they are. Many solutions exist to gather your logs. Ship them off each host as they are written, so that an attacker who takes over a machine cannot quietly erase their tracks, and make sure the system clock on every machine is synchronised (NTP) so that you can cross-correlate logs from different hosts.

    Read more:

  • Protect your application from DDoS attacks

    Series A

    A Distributed Denial-of-Service attack (DDoS) can have devastating consequences on businesses. Basic DDoS protections can easily be integrated with a CDN such as CloudFlare or CloudFront.

  • Keep a list of your servers

    Series A

    This is built-in if you are using a cloud service and all your machines are registered / spawned through it. Otherwise, you will need to create and maintain a list of your assets (servers, network devices, etc…), and review it regularly to determine if you still need them, keep them up to date, and ensure that they benefit from your latest deployments.

  • Watch for unusual patterns in your metrics

    Series A

    Compromised servers are often used to steal your data or set up as relays for attacks on other targets. These takeovers can be detected by watching for unusual patterns in metrics such as network bandwidth, CPU and memory consumption, and disk usage: a sudden, sustained rise in outbound traffic from a database host, for instance, is a classic sign of exfiltration.
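    The kind of check described above, as an added example (not code from the checklist or its authors): a rolling-baseline spike detector in Python over a constructed series of hourly egress figures. It deliberately keeps flagged samples out of the baseline; otherwise the second hour of an exfiltration looks normal next to the first and the alert goes quiet exactly when it matters.

```python
"""Flag unusual spikes in a host metric against a rolling baseline (added example)."""
import statistics

# Constructed hourly outbound traffic in MB for one server: steady for twelve hours,
# then two hours of bulk transfer such as an attacker pulling a database dump.
SAMPLE_EGRESS_MB = [120, 130, 125, 118, 140, 122, 135, 128, 131, 126, 124, 133, 890, 940, 127]


def detect_spikes(samples, window=8, threshold=4.0, min_sigma=1.0):
    """Return (index, value, z_score) for samples more than `threshold` standard deviations
    above the rolling baseline built from the previous `window` normal samples.

    The first `window` samples are assumed to be a clean warm-up period. Flagged samples
    are kept out of the baseline so a sustained incident does not become the "new normal"
    and silence the next alert. `min_sigma` stops a perfectly flat series from turning
    any tiny change into an alert through a zero standard deviation.
    """
    if len(samples) <= window:
        return []
    baseline = list(samples[:window])
    alerts = []
    for i in range(window, len(samples)):
        mean = statistics.fmean(baseline)
        sigma = max(statistics.pstdev(baseline), min_sigma)
        z = (samples[i] - mean) / sigma
        if z > threshold:
            alerts.append((i, samples[i], round(z, 1)))
            continue  # do not let the anomaly poison the baseline
        baseline.append(samples[i])
        baseline.pop(0)
    return alerts


if __name__ == "__main__":
    for idx, value, z in detect_spikes(SAMPLE_EGRESS_MB):
        print(f"hour {idx}: {value} MB egress, {z} sigma above baseline")
```

    On the sample both abnormal hours (indices 12 and 13) are reported. In production you would feed this from your metrics store per host and per metric, and tune `window` and `threshold` to each metric's normal variance; the point is that "unusual" is always relative to a baseline you maintain deliberately.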

  • Know how to redeploy infrastructure from scratch

    Post-Series A

    Describing your infrastructure as code (and keeping that code under version control) allows you to quickly spawn new infrastructure and populate it with data from your backups. This is the perfect basis for disaster recovery, and also the cleanest way to recover from a compromise: rebuild from known-good definitions rather than trying to clean a machine the attacker has touched.

    Read More:

Your code

  • Enforce a secure code review checklist

    Seed

    Security should always be kept in mind while coding, and pull requests should be reviewed with security in mind as well. The checks depend on where the code sits: dealing with user input is one thing, dealing with business structures is another, and the concerns follow the context. In addition to common sense, keep the typical security flaws (injection, broken access control, missing input validation, hard-coded secrets) in mind. Security is also a good topic to ask about when interviewing a candidate.

    Read more:

  • Use static security code analysis tools

    Seed

    Static code analysis tools can quickly overwhelm you with a lot of meaningless false positives. But switching on security-focused tools can help you discover vulnerabilities inside your code and, most importantly, increase the security awareness inside your team. Integrate these tools with your workflow to reduce friction: checks that run on every commit and comment directly on the pull request, where code review already happens, are ideal.

    Tools:

  • Maintain a backlog of security concerns in your issue tracking tool

    Seed

    Every developer should contribute to maintaining a list of security issues to be fixed in the future. Making them available to the rest of the team will increase the security awareness in the company.

  • Never do cryptography yourself

    Seed

    Always rely on existing mechanisms, libraries and tools. Cryptography is an expertise. Building your own implementations, or using flags and options you don't fully understand, will expose you to major risks. Libraries such as NaCl (libsodium) expose few options and restrict you to the good choices.
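    An added example (not code from the checklist or its authors) showing two home-made constructions beside the library calls that should replace them, using only the Python standard library: a sha256(key || message) “MAC” compared with `==` versus HMAC with a constant-time comparison, and an unsalted SHA-256 password hash versus salted PBKDF2. The PBKDF2 iteration count is an assumption taken from current OWASP guidance; NaCl/libsodium (PyNaCl) is not assumed to be installed, though its `SecretBox` and `Auth` are the equivalent one-call answers.

```python
"""Home-made primitives beside the library calls that replace them (added example)."""
import hashlib
import hmac
import secrets

# --- Message authentication ---------------------------------------------------------

def homemade_mac(key: bytes, message: bytes) -> bytes:
    """DO NOT USE: sha256(key || message) is not a secure MAC. An attacker who sees one
    valid tag can forge tags for message || padding || suffix (length extension)."""
    return hashlib.sha256(key + message).digest()


def homemade_verify(key: bytes, message: bytes, tag: bytes) -> bool:
    """DO NOT USE: `==` stops at the first differing byte, so response time leaks how
    much of a forged tag was right."""
    return homemade_mac(key, message) == tag


def mac(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256: the standard construction, immune to length extension."""
    return hmac.new(key, message, "sha256").digest()


def verify(key: bytes, message: bytes, tag: bytes) -> bool:
    """Constant-time comparison so timing does not reveal how many bytes matched."""
    return hmac.compare_digest(mac(key, message), tag)


# --- Password storage -----------------------------------------------------------------

PBKDF2_ITERATIONS = 600_000  # assumed: OWASP's 2023 figure for PBKDF2-HMAC-SHA256


def homemade_password_hash(password: str) -> str:
    """DO NOT USE: unsalted, single-iteration SHA-256. Identical passwords hash identically
    and a GPU tries billions of guesses per second against it."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as iterations$salt$hash so the cost can be raised later."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def check_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    tag = mac(key, b"transfer 10 EUR to account 42")
    print("valid tag accepted:", verify(key, b"transfer 10 EUR to account 42", tag))
    print("tampered message rejected:", verify(key, b"transfer 10000 EUR to account 42", tag))
    stored = hash_password("correct horse battery staple")
    print("password round trip:", check_password("correct horse battery staple", stored))
```

    The “do not use” functions are short and look reasonable, which is exactly the problem: nothing about them fails in testing. The library versions are no longer, and their parameters (digest, iterations, salt length) are the only decisions left to you.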

  • Keep secrets away from code

    Seed

    Never commit secrets in your code. They should be handled separately (environment variables, a secrets manager) in order to prevent them being accidentally shared or exposed. This also allows a clear separation between your environments (typically development, staging and production). If a secret does land in a commit, rotate it: rewriting the history is not enough, since anyone who fetched the repository in the meantime already has it.

    Read more:
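    An added example (not code from the checklist or its authors) of the two halves of this rule in Python: a small pre-commit scanner that refuses commits containing strings that look like secrets, and a loader that reads secrets from the environment and fails loudly when one is missing. The sample source file and the patterns are constructed; the AWS key in it is the one AWS uses in its own documentation, not a live credential.

```python
"""Keep secrets out of the repository: a pre-commit scan plus environment loading (added example)."""
import os
import re
import sys

# Constructed source file to scan. The AWS key is the documented example key, not a live one.
SAMPLE_SOURCE = '''\
import os
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
DB_PASSWORD = os.environ["DB_PASSWORD"]
SLACK_TOKEN = "xoxb-0000-not-a-real-token"
SSH_KEY = """-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAA...
-----END OPENSSH PRIVATE KEY-----"""
'''

# (label, pattern): deliberately narrow so the hook stays quiet on ordinary code.
SECRET_PATTERNS = [
    ("AWS access key ID", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private key block", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("hard-coded credential", re.compile(
        r"(?i)\b\w*(password|passwd|secret|token|api_key)\w*\s*[=:]\s*['\"][^'\"]{8,}['\"]")),
]


def find_secrets(text):
    """Return (line_number, label, line) for each line that looks like a committed secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for label, pattern in SECRET_PATTERNS:
            if pattern.search(line):
                findings.append((lineno, label, line.strip()))
                break  # one finding per line is enough
    return findings


def scan_files(paths):
    """Pre-commit entry point: scan the given (staged) files and return all findings."""
    results = []
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for lineno, label, line in find_secrets(fh.read()):
                results.append((path, lineno, label, line))
    return results


def load_secret(name, env=None):
    """Read a secret from the environment (or an injected mapping, for tests) and fail loudly
    if it is absent, rather than silently falling back to a default baked into the code."""
    env = os.environ if env is None else env
    value = env.get(name)
    if not value:
        raise KeyError(f"{name} is not set; inject it via the environment or a secrets manager")
    return value


if __name__ == "__main__":
    if len(sys.argv) > 1:
        hits = scan_files(sys.argv[1:])
    else:
        hits = [("<sample>",) + f for f in find_secrets(SAMPLE_SOURCE)]
    for path, lineno, label, line in hits:
        print(f"{path}:{lineno}: {label}: {line}")
    sys.exit(1 if hits else 0)  # non-zero blocks the commit when wired up as a git hook
```

    Wire `scan_files` to `git diff --cached --name-only` in a pre-commit hook and it blocks the commit on lines 2, 4 and 5 of the sample while letting the `os.environ` lookup on line 3 through. Dedicated scanners (the checklist's “Read more” links point at some) cover many more credential formats; the value of even this small version is that it runs before the secret ever reaches the remote.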

  • Perform security oriented test sessions

    Series A

    Once in a while, the entire technical team should sit together and spend time targeting all parts of the application, looking for vulnerabilities. This is a great time to test for account isolation, token uniqueness, unauthenticated paths, etc… You will heavily rely on your browser’s web console, curl, and 3rd party tools such as Burp.

    Read more:

  • Use a secure development life cycle

    Post-Series A

    The secure development lifecycle is a process that helps tackle security issues at the beginning of a project. While rarely used as is, it provides good insights at all stages of the project, from the specification to the release. It will allow you to enforce good practices at every stage of the project life.

    Read More:

Your application

  • Run it unprivileged

    Seed

    If an attacker successfully compromises your application, having it run as a user with restricted privileges will make it harder for them to take over the host and/or to bounce to other services. Privileged users are root on Unix systems, and Administrator or SYSTEM on Windows systems. If the process needs a privileged port or file at startup, drop privileges right after that step rather than staying privileged for its whole life.

  • Monitor your dependencies

    Seed

    Applications are built using dozens of third party libraries. A single flaw in any of these libraries may put your entire application at risk. Some tools allow you to monitor your dependencies against vulnerabilities:

  • Use a real-time protection service

    Series A

    These tools (runtime application self-protection, RASP) protect web applications from attacks at runtime. The protection logic is inserted into the application itself, so it sees the actual queries, templates and function calls rather than raw HTTP, which lets it block major vulnerability classes (SQL injection, XSS, account takeovers, code injection, etc.) with far fewer false positives than a network-level filter. Treat them as a safety net, not as a reason to leave the underlying vulnerabilities unfixed.

  • Hire an external penetration testing team

    Post-Series A

    These take an external and naive point of view of your infrastructure and products. Pentesters will take nothing for granted and will check even the most basic assumptions, as well as all of your infrastructure. You can also ask them to start with a full, blind discovery of your infrastructure, which can help you rediscover forgotten assets. Agree on scope and rules of engagement in writing beforehand, and make sure the findings end up in your security backlog with owners and deadlines.

    Read More:

Your product users

  • Enforce a password policy

    Seed

    Your user accounts will be much harder to steal if you require strong passwords. Length matters far more than composition rules: current guidance (NIST SP 800-63B) recommends a minimum length, checking candidates against lists of known breached passwords, and allowing long passphrases with any characters, rather than mandatory mixed case and special characters, which push people towards predictable patterns. Whatever the policy, store passwords only as salted, slow hashes (bcrypt, scrypt or Argon2), and rate-limit login attempts.

  • Encourage your users to use 2FA

    Series A

    As you get higher profile customers, you will be required to implement stronger security practices. This includes offering them 2FA (an authenticator app or hardware key rather than SMS, which is exposed to SIM swapping), role-based access control…

    Read More:
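    An added example (not code from the checklist or its authors): a standard-library Python implementation of the TOTP second factor that authenticator apps use (RFC 6238 over RFC 4226’s HOTP), with enrolment URI generation and drift-tolerant verification. The account and issuer names in the usage section are made up.

```python
"""TOTP second factor (RFC 6238) on top of HOTP (RFC 4226), stdlib only (added example)."""
import base64
import hmac
import secrets
import struct
import time
from urllib.parse import quote


def hotp(key, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), "sha1").digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key, at=None, step=30, digits=6):
    """RFC 6238: HOTP with the counter derived from Unix time."""
    at = time.time() if at is None else at
    return hotp(key, int(at // step), digits)


def verify_totp(key, code, at=None, step=30, digits=6, window=1):
    """Return the counter the code matched, or None.

    `window` steps either side tolerate clock drift on the phone. The caller must remember
    the last accepted counter per user and reject anything <= it: a code stays valid for the
    whole step, so without that check a phished code can be replayed within it.
    """
    at = time.time() if at is None else at
    counter = int(at // step)
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(key, counter + delta, digits), code):
            return counter + delta
    return None


def new_secret():
    """Fresh 160-bit key per user, the length RFC 4226 recommends."""
    return secrets.token_bytes(20)


def provisioning_uri(key, account, issuer, digits=6, step=30):
    """otpauth:// URI to render as a QR code at enrolment; understood by common authenticator apps."""
    b32 = base64.b32encode(key).decode().rstrip("=")
    label = quote(f"{issuer}:{account}")
    return f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}&digits={digits}&period={step}"


if __name__ == "__main__":
    key = new_secret()  # store encrypted at rest, next to the user's last accepted counter
    print(provisioning_uri(key, "alice@example.com", "ExampleSaaS"))
    print("current code:", totp(key))
```

    The RFC test vectors (secret `12345678901234567890`) check the arithmetic: time 59 gives `287082`, time 1111111109 gives `081804`. Keep the server clock NTP-synced, since a skewed server rejects every honest code; and surface 2FA enrolment in the account settings rather than burying it.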

  • Monitor your user’s suspicious activities

    Series A

    Some users may behave suspiciously, trying to hack into your application, subvert your services or bother your other customers. By monitoring such users, you will be able to block or flag the illegitimate ones.

    Great tools:
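    An added example serving both this entry and “Centralize and archive your logs and make them meaningful” above (not code from the checklist or its authors): a Python detector that merges constructed login events from two hosts logging in different time zones, normalises them to UTC, and flags a burst of failures from one IP as brute force or, when the guesses target several accounts, credential stuffing, plus any login that succeeds from that IP afterwards. Run with offset normalisation disabled, the same burst is invisible, which is the cross-correlation point the checklist makes about clock sync. Hosts, users and IP addresses are made up.

```python
"""Correlate auth logs from several hosts and flag suspicious login patterns (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed lines: "<host> <ISO-8601 timestamp> <event> user=<name> ip=<addr>".
# web-1 logs in UTC, web-2 in UTC+2; both hosts are NTP-synced so the offsets are honest.
# 198.51.100.7 sprays one guess each at several accounts, then one succeeds.
LOG_LINES = [
    "web-1 2024-03-01T10:00:05+00:00 login_failed user=alice ip=198.51.100.7",
    "web-2 2024-03-01T12:00:07+02:00 login_failed user=bob ip=198.51.100.7",
    "web-1 2024-03-01T10:00:09+00:00 login_failed user=carol ip=198.51.100.7",
    "web-2 2024-03-01T12:00:11+02:00 login_failed user=dave ip=198.51.100.7",
    "web-1 2024-03-01T10:00:14+00:00 login_failed user=erin ip=198.51.100.7",
    "web-2 2024-03-01T12:00:20+02:00 login_ok user=frank ip=198.51.100.7",
    "web-1 2024-03-01T10:05:00+00:00 login_failed user=alice ip=203.0.113.9",
    "web-2 2024-03-01T12:09:30+02:00 login_ok user=alice ip=203.0.113.9",
]

LINE_RE = re.compile(r"^(?P<host>\S+) (?P<ts>\S+) (?P<event>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+)$")


def parse_line(line, honour_offsets=True):
    """Parse one line; timestamps are normalised to UTC so hosts in different zones line up.

    honour_offsets=False mimics what happens when hosts log local wall-clock time without a
    zone (or their clocks drift): every timestamp is taken at face value.
    """
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    rec = m.groupdict()
    ts = datetime.fromisoformat(rec["ts"])
    rec["ts"] = ts.astimezone(timezone.utc) if honour_offsets else ts.replace(tzinfo=timezone.utc)
    return rec


def detect_suspicious_logins(lines, window_s=60, max_failures=5, stuffing_users=3, honour_offsets=True):
    """Return findings: a burst of failures from one IP (brute force, or credential stuffing
    when the guesses target several accounts) and any success from that IP afterwards."""
    events = sorted((parse_line(line, honour_offsets) for line in lines), key=lambda r: r["ts"])
    recent = defaultdict(deque)  # ip -> failures (ts, user) inside the sliding window
    flagged = set()
    findings = []
    for ev in events:
        q = recent[ev["ip"]]
        if ev["event"] == "login_failed":
            q.append((ev["ts"], ev["user"]))
            while (ev["ts"] - q[0][0]).total_seconds() > window_s:
                q.popleft()  # drop failures that fell out of the window
            if len(q) >= max_failures and ev["ip"] not in flagged:
                users = {u for _, u in q}
                flagged.add(ev["ip"])
                findings.append({
                    "kind": "credential_stuffing" if len(users) >= stuffing_users else "brute_force",
                    "ip": ev["ip"], "failures": len(q), "distinct_users": len(users),
                    "first": q[0][0], "last": ev["ts"],
                })
        elif ev["event"] == "login_ok" and ev["ip"] in flagged:
            # a success right after a burst is the one to act on: lock the account, alert the user
            findings.append({"kind": "success_after_burst", "ip": ev["ip"], "user": ev["user"], "at": ev["ts"]})
    return findings


if __name__ == "__main__":
    for finding in detect_suspicious_logins(LOG_LINES):
        print(finding)
    print("without offset normalisation:", detect_suspicious_logins(LOG_LINES, honour_offsets=False))
```

    With normalisation the five failures land inside nine seconds and the detector reports credential stuffing followed by a successful login for `frank`; without it, web-2’s lines sort two hours away and neither host alone crosses the threshold. The same structure works for other abuse signals (password resets, API errors, export requests) once the events carry a user, a source and a trustworthy timestamp.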