I work in a startup. We have very limited knowledge of security. The only thing we have done to ensure the safety of our infrastructure is to install a firewall. We are planning to install OpenVPN and block SSH on the public interface of all servers. We currently use key-based SSH.

We have an idea about XSS and SQL injection, so I think we can handle that.

How do you manage security at your startup? What are the best practices?

I know that security in itself is a very big issue. But until we can hire a security guy, we need something to prevent naive attacks.
Hey there, my name is Dylan. I work on the Application Security team at Accuvant LABS. We're one of the largest infosec firms, and we serve tech companies and the Fortune 500.

If you'd like advice about this, I'd be happy to give you (free) help with what you need to get started and ensure you're not vulnerable.

I wrote a basic but helpful checklist for startups to follow here: http://breakingbits.net/2015/02/28/security-for-startups/

The broad strokes are ensuring your developers understand the most common security mistakes, how to avoid them in your tech stack, and how to follow best practices in the SDLC to minimize the likelihood and impact of security flaws.

If you'd like any more help, feel free to reach out to me at dylan@breakingbits.net.
Some ideas for a general strategy:
* Check TLS/SSL: https://www.ssllabs.com/ssltest/
* Use HTTPS, HSTS
* Have a security response page in case someone finds a problem
* Know what to do if your application is compromised; be prepared for the worst
* Check and update your software regularly
* Review changes to your software regularly if they impact your overall security strategy
* Keep a security checklist in your codebase
* Do your own code audits, just read it again after a few days and ask the right questions
* Remove all credentials from your codebase
* Read about the "new" security headers here: https://github.com/twitter/secureheaders
* Know what kind of/how many requests your API/web app gets, maybe throttle or block some
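The HTTPS/HSTS and security-header items in the list above, turned into a check you can run over the headers of a captured response. This is an added example, not code from the commenter or from twitter/secureheaders; the 180-day HSTS max-age floor and the sample header sets are assumptions made for the example.

```python
# Audit one HTTP response's security headers: HSTS plus the headers that
# twitter/secureheaders sets. Added example; thresholds are this example's choice.
MIN_HSTS_MAX_AGE = 180 * 24 * 3600  # 15552000 seconds, an assumed floor of ~6 months

def parse_hsts(value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains)."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(val.strip().strip('"'))
            except ValueError:
                max_age = None  # malformed max-age is reported as missing
        elif name == "includesubdomains":
            include_sub = True
    return max_age, include_sub

def audit_headers(headers):
    """Return a list of findings for a dict of response headers (names case-insensitive)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        max_age, include_sub = parse_hsts(hsts)
        if max_age is None:
            findings.append("HSTS max-age missing or malformed")
        elif max_age < MIN_HSTS_MAX_AGE:
            findings.append("HSTS max-age below %d seconds" % MIN_HSTS_MAX_AGE)
        if not include_sub:
            findings.append("HSTS lacks includeSubDomains")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    if h.get("x-frame-options", "").strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("missing or weak X-Frame-Options")
    if "content-security-policy" not in h:
        findings.append("missing Content-Security-Policy")
    return findings

# Constructed sample header sets for demonstration (not captured from a real site).
WEAK = {"Server": "nginx", "Strict-Transport-Security": "max-age=300"}
GOOD = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "X-Content-Type-Options": "nosniff", "X-Frame-Options": "DENY",
        "Content-Security-Policy": "default-src 'self'"}

if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK), ("good", GOOD)):
        print(name, audit_headers(hdrs) or ["ok"])
```

Browsers only honour Strict-Transport-Security when it arrives over HTTPS, so feed this the headers of an HTTPS response, not the HTTP redirect.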
Some best practices:

1. Keep all software on local machines up to date, and make sure you run virus scanners. Much of today's malware will infect your machine so that it can do things like grab your FileZilla XML for a larger botnet.

2. Keep all software on remote machines up to date, and use malware scanners. I can't tell you how many times people get hacked from having outdated WordPress plugins etc.

3. If you are small, services like sucuri.net are great for basic malware scanning and removal.

4. Have some sort of HR policy regarding passwords and security: things like removing someone's email address and changing their passwords if they get fired.

That's what I've got off the top of my head!