Security 101 for SaaS startups (github.com)
Original author here. If you have questions or comments I would love to hear them.

Some of it seems like overkill. Now that Google Cloud Shell is a thing, the correct answer for small teams of people who are not security engineers is usually just "chromebook".

I'm not familiar with it. How many startups that you know actually use it? Was it released only recently?

Also, do you know of startups that use Chromebooks or Toshiba zero clients?

Also keep in mind that laptops are used by data scientists and management.

> Open an email group and name it seurity@mycompany.com and add a page on your website to report security incidents to this email

You know a company takes security seriously when they have a typo in the word "security".

Typos happen all the time - I was going to suggest that it was a bit of an unfair comment. Then I opened up their website [0] and their strapline is "In fraud prevention Accuracy Matters"...

Nonetheless, it is a useful document for those not versed in the basics of opsec, and there's likely more value in insightful comments on the content...

[0]: https://www.forter.com

Mmm. I'm sure our marketing would like to know why it feels strange. Would you care to state it even if it feels obvious to you?

accurate /ˈakjʊrət/ adjective

1. (especially of information, measurements, or predictions) correct in all details; exact. "accurate information about the illness is essential" synonyms: correct, precise, exact, right, errorless, error-free,

A typo is the antithesis of this.

However, as I mentioned in my previous comment the content is of value and to find fault in the guise of typos is absurd.

Ha ha. That's my typo. I'll fix it. Thanks

Funny thing is I've seen this same typo (security spelled with a missing "c") first hand when reporting a security incident. What made it particularly bad was that it was a mailto:// link that was also spelled wrong so clicking it would send the email to the wrong address with no bounce reply (I'm guessing they had a catch all inbox rather than bouncing bad addresses).

Might want to throw in there a suggestion to generate a security@example.com GPG key and instructions to use it if the submitter feels it warrants it. Also, the usual note of not losing the private half of the GPG key so you don't look like an ass when someone emails you an encrypted security incident that you cannot decrypt!
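The suggestion above is easy to get half right: teams generate a key, paste the public half on the reporting page, and never confirm that the private half can decrypt anything. The script below is an added example, not code from the original document or from the linked repository. It assumes a placeholder address security@example.com, an isolated keyring under a temporary GNUPGHOME, and gpg 2.1 or later; the passphrase-less key (%no-protection) is for this self-test only, a real security@ key should carry a passphrase kept in the team password manager, and the "report" it encrypts is a constructed test string.

```shell
#!/bin/sh
# Added example (not from the original page): create a GPG key for a
# security@ contact, export the public half for the website and the private
# half for the vault, then prove both that the live keyring and the exported
# backup can decrypt a report before anyone is told to use the key.
set -eu

# If gpg is not installed there is nothing to demonstrate.
command -v gpg >/dev/null 2>&1 || { echo "gpg not installed, skipping"; exit 0; }

# Isolated keyring so this demo never touches your real ~/.gnupg.
export GNUPGHOME="$(mktemp -d)"
chmod 700 "$GNUPGHOME"
OUT_DIR="$(mktemp -d)"                      # where the exported key files go

SEC_ADDR="security@example.com"             # placeholder address
TEST_MSG="constructed test report: please ignore"

# 1. Generate the key non-interactively (ed25519 signing key, cv25519
#    encryption subkey). %no-protection = no passphrase; demo only.
gen_security_key() {
  gpg --batch --quiet --gen-key <<EOF
Key-Type: EDDSA
Key-Curve: ed25519
Key-Usage: sign
Subkey-Type: ECDH
Subkey-Curve: cv25519
Subkey-Usage: encrypt
Name-Real: Example Security Team
Name-Email: $SEC_ADDR
Expire-Date: 2y
%no-protection
%commit
EOF
}

# 2. Public key goes on the incident-reporting page; private key goes into
#    the team vault (this is the half you must not lose).
export_keys() {
  gpg --batch --quiet --armor --export "$SEC_ADDR" > "$OUT_DIR/security-pubkey.asc"
  gpg --batch --quiet --armor --export-secret-keys "$SEC_ADDR" > "$OUT_DIR/security-privkey.asc"
  chmod 600 "$OUT_DIR/security-privkey.asc"
}

# 3. Simulate a submitter: encrypt to the published address, then decrypt
#    with the live keyring. Returns non-zero if the plaintext does not match.
roundtrip_check() {
  printf '%s' "$TEST_MSG" | gpg --batch --quiet --trust-model always \
      --recipient "$SEC_ADDR" --encrypt --armor > "$OUT_DIR/report.asc"
  out="$(gpg --batch --quiet --decrypt "$OUT_DIR/report.asc")"
  [ "$out" = "$TEST_MSG" ]
}

# 4. Restore the exported private key into a fresh, empty keyring and decrypt
#    the same report: this is what proves the vault copy is actually usable.
restore_check() {
  restore_home="$(mktemp -d)"
  chmod 700 "$restore_home"
  GNUPGHOME="$restore_home" gpg --batch --quiet --import "$OUT_DIR/security-privkey.asc"
  out="$(GNUPGHOME="$restore_home" gpg --batch --quiet --decrypt "$OUT_DIR/report.asc")"
  rm -rf "$restore_home"
  [ "$out" = "$TEST_MSG" ]
}

# Fingerprint to print on the reporting page next to the address, so a
# submitter can check they fetched the right key.
security_fingerprint() {
  gpg --batch --with-colons --fingerprint "$SEC_ADDR" | awk -F: '$1=="fpr"{print $10; exit}'
}

main() {
  gen_security_key
  export_keys
  roundtrip_check && echo "decrypt with live keyring: OK"
  restore_check   && echo "decrypt from exported backup: OK"
  echo "public key: $OUT_DIR/security-pubkey.asc"
  echo "fingerprint for $SEC_ADDR: $(security_fingerprint)"
}

main
```

Re-run step 4 whenever the key is rotated or the vault is migrated; a backup that has never been restored is the situation the comment warns about. The `--trust-model always` flag is only there so the self-test does not stop on the "unknown trust" prompt; a real submitter should instead verify the fingerprint you published.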

Thanks. I will

It's on GitHub and you can submit a pull request in not much more time than it took to snark here. (I submitted one for some of the other grammar/spelling issues in the file. [Sorry for using the online editor, which authored a poor diff.])

