I'm not sure if it's the fact that I work in the industry and am therefore in a bit of an echo chamber, but almost every other story has a security angle these days - and that can only be a good thing, raising awareness of it.<p>Whilst this list isn't perfect, it's certainly a good starting block. Oh, and obviously these suggestions aren't just for start-ups! It's nice to see the risk of 'insider threats and data leakage' being brought up, seeing as I'm working on a service in these areas.
Security is a huge concern for companies, and particularly for executives, who typically aren't as technical. It keeps them up at night, mainly because they can't control it and, to a certain extent, they don't understand a lot of the technical details and attack surfaces.<p>In January I founded a DevOps and infrastructure consulting startup (shameless plug: <a href="https://elasticbyte.net" rel="nofollow">https://elasticbyte.net</a>), and security audits and best practices are one of the top "value adds" of my service. I don't claim to be a crypto expert or DevSec guru, but most of the issues aren't deeply technical problems like what CloudFlare experienced. Usually it just takes rigor and following best practices: firewall rules, don't share keys and passwords, two-factor auth, use IAM, use jump hosts, and if a server doesn't need public access, don't provision a public address. Isolate services, and isolate dev and staging environments.
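To make the "use jump hosts" and "don't provision a public address" points concrete, here is an added Terraform example (not the commenter's code, nor anything from elasticbyte): an AWS layout where only a bastion host receives a public address, and application hosts sit in a private subnet and accept SSH solely from the bastion's security group rather than from any CIDR. The VPC, subnet and AMI IDs, the admin CIDR and all resource names are assumptions for illustration.

```hcl
# Added example, not from the original comment. Assumes an existing VPC with
# one public subnet (routed to an internet gateway) and one private subnet
# (no internet gateway route). IDs, names and CIDRs below are hypothetical.

variable "vpc_id"            { type = string }
variable "public_subnet_id"  { type = string }   # bastion lives here
variable "private_subnet_id" { type = string }   # app hosts live here
variable "ami_id"            { type = string }

variable "admin_cidr" {
  description = "Office or VPN egress range allowed to reach the bastion"
  type        = string
  default     = "203.0.113.0/24"   # RFC 5737 documentation range; stand-in value
}

# Bastion: the only host that is reachable from outside, and only on SSH
# from the admin range. Pair this with key-only auth and 2FA on the host.
resource "aws_security_group" "bastion" {
  name   = "bastion-ssh"
  vpc_id = var.vpc_id

  ingress {
    description = "SSH from admin range only"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = [var.admin_cidr]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# App hosts: SSH is allowed only from members of the bastion security group.
# Using a security-group reference instead of a CIDR means there is no
# 0.0.0.0/0 rule that someone can widen "temporarily" and forget.
resource "aws_security_group" "app" {
  name   = "app-private"
  vpc_id = var.vpc_id

  ingress {
    description     = "SSH via bastion only"
    from_port       = 22
    to_port         = 22
    protocol        = "tcp"
    security_groups = [aws_security_group.bastion.id]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_instance" "bastion" {
  ami                         = var.ami_id
  instance_type               = "t3.micro"
  subnet_id                   = var.public_subnet_id
  vpc_security_group_ids      = [aws_security_group.bastion.id]
  associate_public_ip_address = true    # the one deliberate public address
  tags                        = { Name = "bastion" }
}

resource "aws_instance" "app" {
  ami                         = var.ami_id
  instance_type               = "t3.small"
  subnet_id                   = var.private_subnet_id
  vpc_security_group_ids      = [aws_security_group.app.id]
  associate_public_ip_address = false   # no public address to expose or forget
  tags                        = { Name = "app-1" }
}
```

Operators then reach the app host through the bastion with OpenSSH's jump option, e.g. `ssh -J admin@<bastion-public-ip> admin@<app-private-ip>`, so no private host ever needs an inbound rule from the internet. A quick audit that the rule is actually holding is to list every instance that has a public address and confirm each one is intended, for example with `aws ec2 describe-instances --query 'Reservations[].Instances[?PublicIpAddress!=null].[InstanceId,PublicIpAddress,Tags]' --output text`; anything on that list that isn't a bastion or a load-balanced front end is a finding.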
For a more checklist-oriented approach you might also find this other list helpful.<p>It is a higher-level reminder of all the measures you could take, covering technical as well as cultural things you need to do about security.<p><a href="https://cto-security-checklist.sqreen.io/" rel="nofollow">https://cto-security-checklist.sqreen.io/</a><p>Full disclosure: I worked on it (feel free to send me feedback).
"Once your sales starts selling to large customers, they would report back on compliance requirements and certifications related to security."<p>And get ready for the questionnaires, each different enough to maximize the time spent on them. The Vendor Security Alliance[0] is attempting to standardize them, although I'm not sure how much uptake it's getting. At a minimum, it's a good example of a typical questionnaire.<p>[0] <a href="https://www.vendorsecurityalliance.org/" rel="nofollow">https://www.vendorsecurityalliance.org/</a>
"A third domain is needed for internal use and back office. This domain would probably be registered anonymously, so it would be a little more difficult to find."<p>Um, security through obscurity is not security. And I don't get this. Are we talking Active Directory? It can be a subdomain of your root domain that is only accessible internally.