Grant Taylor

@DrScriptt

I like most things unix like and learning how they work so that I can add them to my toolbox for future endeavors. Check for my mainframe tweets.

Joined August 2010.

Tweets


  1. Pinned Tweet
    24 Sep 2018

    A couple of my colleagues and I are buddy reading the second edition of TCP/IP Illustrated, Volume 1 The Protocols

  2. Retweeted
    31 Jan

    When people ask "I am curious about mainframes, what should I check out?" the answer is always and

  3. Retweeted
    18 hours ago
  4. Retweeted
    18 hours ago

    18/ And when you know your stuff is safe, your next challenge is to convince your customers that you can be trusted, even though you’re just a startup. One tip there is to get experienced advisors to join you, validating your security process and vouching for you. Good luck! /end

  5. Retweeted
    18 hours ago

    17/ Make sure your developers can identify and fix the common security vulnerabilities. Then have your app security tested. Have your network pentested. Have your code audited.

  6. Retweeted
    18 hours ago

    16/ Make sure you exactly know who can move money in the company, and make sure they know how modern Business Email Compromise attacks work. These attacks are way more complex than traditional fake billing scams.

  7. Retweeted
    18 hours ago

    15/ Make sure you can change passwords and access rights as needed. It’s especially easy to get burned with shared passwords you use for your corporate social media accounts. Force a password change on public company accounts whenever someone who had access leaves the company.

  8. Retweeted
    18 hours ago

    14/ In the fast-moving environment of a startup, people come and go all the time. Make sure your people do not take their access rights with them. Make sure you can lock people out of your repositories and cloud systems.

  9. Retweeted
    18 hours ago

    13/ Update prompts are annoying, but almost always the reason for the update is security. So update your OS. Update your applications. Update your apps. This seems obvious, but updating can fail for surprising reasons.

  10. Retweeted
    18 hours ago

    12/ This happens often because online backups are deleted or encrypted by the attacker. This is why cloud backup and Time Machine systems alone are not good enough for backup. Have regular off-line backups that will survive even if your office building burns down.

  11. Retweeted
    18 hours ago

    11/ Ransomware continues to be one of the biggest problems we see. Recovering from ransomware attacks would be easy if you’d always have an up-to-date backup of your data. Surprisingly, many companies cannot restore their data when they are attacked.

  12. Retweeted
    18 hours ago

    10/ Do note that Mac users fall for phishing just as easily as Windows users — and iPhone and Android users fall even better, as there are fewer safeguards on those, and detecting a fraudulent lookalike URL is harder on a smaller screen.

  13. Retweeted
    18 hours ago

    9/ When I walk around startup events, everybody seems to be rocking a MacBook. Macs are great for security, but probably not for the reason most people think. As Mac market share hovers only around 10%, criminals keep focusing only on Windows with their attacks.

  14. Retweeted
    18 hours ago

    8/ Make sure everybody has their mobile devices locked by default (Face ID / Touch ID is fine). Make sure your people enable two-factor authentication where possible, with an Authenticator app. And do not force regular password changes on your users for no reason.

  15. Retweeted
    18 hours ago

    7/ At the end of your next all-hands dev meeting, open on the projector and let everybody watch for five minutes. That should do it.

  16. Retweeted
    18 hours ago

    6/ Actually, forget that. Just make sure all your developers use a password manager. Also, make sure everybody understands the risks of posting Private API keys to GitHub or pasting AWS Access keys to Pastebin.

  17. Retweeted
    18 hours ago

    5/ …but you need to use the cloud right. The easiest way to screw up with cloud servers or cloud storage is to lose credentials. Make sure your developers use strong, unique passwords on all cloud services.

  18. Retweeted
    18 hours ago

    4/ Most startups today choose to go for cloud services such as AWS, Azure and GCE. Amazon, Microsoft and Google are investing hundreds of millions of dollars into their security. Breaking into the servers that run the largest cloud providers is hard...

  19. Retweeted
    18 hours ago

    3/ Do not invent stuff which has been invented already. There are trusted and tested principles that will save you time and make you safer. Definitely do not develop things such as encryption or hashing algorithms by yourself. Just don’t.

  20. Retweeted
    18 hours ago

    2/ Speed is the enemy of security. The faster you move, the faster you develop, the faster you deploy — the less time you have for bug checking, quality assurance and testing. Security is not something you can add to a ready product, it has to be built in from the design phase.

  21. Retweeted
    18 hours ago

    1/ Practically every startup ends up writing code, even if technology wouldn't be the main focus of the company. Here’s a checklist I made to help you and your hot new startup avoid the most common infosec pitfalls. [thread]
