Startup security starter pack
Inspired by Steve Weis - his version on Google Docs
Start Here
- Starting Up Security: From Scratch: High level principles to inform your program
- Prescriptive The SOC2 Starting Seven, Latacora: Latacora is a consultancy that helps build security programs for startups. While this post is structured around SOC2, it contains a set of tactical controls that you should implement early and that will provide a solid foundation for your security program.
- Prescriptive Early Security for Startups, Dev: Dev has been down this road, and helped scale security for hypergrowth companies. He goes so far as to call out specific tools and vendors - something we often elide but can be high-leverage if you trust his judgement. You should.
- Andrew Wansley offers an alternative take on the same topic and structure
- Minimum Viable Secure Product: A "minimalistic security checklist for B2B software and business process outsourcing suppliers"
Read More
- Start with Security: A Guide for Business by the FTC
- BVP: A comprehensive guide to security for startups
- How Early-Stage Startups Can Enlist The Right Amount of Security As They Grow
- Probably Are Gonna Need It: Application Security Edition
- Level Up Your Startup Security
- Startup Security: A Framework From Zero To $100M ARR
- Jamie Finnigan - Startup security
- ZipSec - Building a Culture of Security Consciousness: Getting a Security Program off the Ground as a ‘Department of One’
Reference
- Ryan McGeehan's scrty.io: Enough to get through the first two years of a security program. Structured as both a book and a collection of topical articles. I recommend Foundations and Fundamentals to start.
Scale
These posts are interesting to show where your program can go, but can be elided if you're treading water as the first person responsible for security.
- A Corporate Anthropologist’s Guide to Product Security, Alex Gantman
- Product Security Framework, Julian Cohen
- Building a Product Security program from scratch, Anshuman Bhartiya
- Building a Corporate Security Program From The Ground Up, Kane Narraway
Conference Talks (war stories of starting security):
- Startup security: Starting a security program at a startup, Evan Johnson, Segment + Cloudflare
- Concrete Steps to Create a Security Culture, Arkadiy Tetelman, Lob
- Starting an AppSec Program: An Honest Retrospective, John Melton, Bronto
- 0 to 1: Startup Security, Coleen Coolidge
- One-Person Army – A playbook on how to be the first Security Engineer at a company
- BSidesSF 2023: First Security Hire (Panel)
- BSidesSF 2024: Getting over the finish line: Loom Security Journey
- SANS CloudSecNext 2024: Security Journey at Elastic, Mandy Andress, Elastic