

Ask HN: How do you take care of security risks at your startup? - roshansingh

I work in a startup. We have very limited knowledge of security. The only thing we have done to ensure the safety of our infrastructure is to install a firewall. We are planning to install OpenVPN and block SSH on all servers on the public interface. We currently use key-based SSH.

We have an idea about XSS and SQL injection, so I think we can handle that.

How do you manage security at your startup? What are the best practices?

I know that security in itself is a very big issue. But till we can hire a security guy, we need something to prevent naive attacks.
======
dsacco
Hey there, my name is Dylan. I work on the Application Security team at
Accuvant LABS. We're one of the largest infosec firms, and we serve tech
companies and the Fortune 500.

If you'd like advice about this, I'd be happy to give you (free) help with
what you need to get started and ensure you're not vulnerable.

I wrote a basic but helpful checklist for startups to follow here:
[http://breakingbits.net/2015/02/28/security-for-startups/](http://breakingbits.net/2015/02/28/security-for-startups/)

The broad strokes are ensuring your developers understand the most common
security mistakes, how to avoid them in your tech stack and how to follow best
practices in the SDLC to minimize the likelihood and impact of security flaws.

If you'd like any more help, feel free to reach out to me at
dylan@breakingbits.net.

~~~
roshansingh
Thanks I will certainly get in touch with you

------
hawe
Some ideas for a general strategy:

* Check TLS/SSL: [https://www.ssllabs.com/ssltest/](https://www.ssllabs.com/ssltest/)
* Use HTTPS, HSTS
* Have a security response page if someone found a problem
* What to do if your application was compromised: be prepared for the worst
* Check and update your software regularly
* Review changes in your software regularly if they impact your overall security strategy
* Keep a security checklist in your codebase
* Do your own code audits: just read it again after a few days and ask the right questions
* Remove all credentials from your codebase
* Read about the "new" security headers here: [https://github.com/twitter/secureheaders](https://github.com/twitter/secureheaders)
* Know what kind of/how many requests your API/web app gets; maybe throttle or block some
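An added example, not code from the thread or from the secureheaders project, that audits a captured set of HTTP response headers for the HSTS and security-header items in the list above. The header dict could come from `requests.get(url).headers`; the one-year max-age threshold and the two sample header sets are constructed assumptions.

```python
import re

# Minimum HSTS max-age to accept (one year in seconds); an assumed threshold.
MIN_HSTS_MAX_AGE = 31536000

def audit_headers(headers):
    """Return findings for a dict of HTTP response headers (empty list = nothing flagged)."""
    h = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    findings = []
    # HSTS: present, with a long max-age, and covering subdomains.
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        if not m:
            findings.append("HSTS lacks max-age")
        elif int(m.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age {m.group(1)} below {MIN_HSTS_MAX_AGE}")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS does not include subdomains")
    # Other headers the secureheaders project can set for you.
    if "content-security-policy" not in h:
        findings.append("missing Content-Security-Policy")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or permissive")
    # Banner headers that disclose what software the server runs.
    for leaky in ("server", "x-powered-by"):
        if h.get(leaky, "").strip():
            findings.append(f"{leaky} header discloses software: {h[leaky]}")
    return findings

# Constructed sample responses: a weak configuration and a hardened one.
WEAK_HEADERS = {"Content-Type": "text/html", "Server": "Apache/2.4.7",
                "Strict-Transport-Security": "max-age=300"}
HARDENED_HEADERS = {"Content-Type": "text/html",
                    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
                    "Content-Security-Policy": "default-src 'self'",
                    "X-Content-Type-Options": "nosniff",
                    "X-Frame-Options": "DENY"}

if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(name, audit_headers(hdrs) or ["ok"])
```

Run it against your own site's headers and against the SSL Labs result; the findings list is empty when every check passes.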

------
BorisMelnik
Some best practices:

1. keep all software on local machines up to date, and make sure you run
virus scanners. much of today's malware will infect your machine so that it
can do things like grab your FileZilla XML for a larger botnet.

2. keep all software on remote machines up to date, and use malware scanners.
I can't tell you how many times people get hacked from having outdated
WordPress plugins etc.

3. if you are small, services like sucuri.net are great for basic malware
scanning and removal.

4. have some sort of HR policy regarding passwords and security. things like
if someone gets fired, removing their email address and changing their
passwords.

that's what I've got off the top of my head!

~~~
roshansingh
Sucuri looks interesting. thanks

