I've been wanting to compile a checklist of basic precautions that could be useful to Internet startups (especially those in the SaaS space) ever since the MongoHQ/Buffer security incident. As evident by that incident, a security breach at a SaaS provider could have catastrophic ripple effects - your customer's customers data could be compromised!

TL;DR: The list basically boils down to using strong unique passwords, enabling multi-factor authentication (MFA) at third party providers and moving as many things as possible behind a virtual private network (VPN).

AWS

Run all your infrastructure (EC2, RDS, ElastiCache etc) within VPC.

  • Most N-tier web architectures should be provisioned entirely within VPC and should not be publicly addressable.

  • Do not enable or use the root Access Key, instead use IAM and follow the best practices.

  • Enable multi-factor authentication on the root and all IAM accounts with AWS console access.

Google Apps

A breach of an administrator account could allow an attacker to reset passwords and wreak havoc.

GitHub

Access to your codebase could allow an attacker to gain insights on how to target attacks on your application.

  • Ask every team member to enable 2FA.

  • Audit user access; only assign users to repositories they need access to.

Domain Registrar

A breach at your domain registrar account could allow an attacker to hijack your domain name or DNS.

Internal Tools

This includes all employee/customer support tools, continuous integration, staging/demo environments etc. All of these should be placed behind a VPN. OpenVPN is fairly easy to setup.

  • Use RBAC for admin/backoffice tools. Only give people the permissions they need to perform their job functions.

  • Maintain an audit/activity log of actions taken by admin accounts.

  • Enforce strong password requirements for these applications and implement multi-factor authentication where feasible.

  • Employees that need VPN access should get their own unique set of credentials.

Your Application

Learn some basic web security.

  • Don't put in version control anything that's meant to be secret: passwords, API keys etc.

  • Use bcrypt to hash user passwords.

  • Encrypt any user supplied OAuth tokens, API keys etc.

  • Audit your external code dependencies; be mindful of the fact a lot of RubyGems, NPM packages etc aren't written with YOUR security needs in mind.

Third Party Application Services

Make sure sensitive information is being scrubbed before being sent from your application to third party tools such as the following:

  • Application monitoring services - New Relic, Librato, Datadog etc.

  • Application logging services - Loggly, Papertrail, Logentries etc.

  • Error monitoring services - Airbrake, Bugsnag, Honeybadger etc.


As your startup grows, so too will your security requirements.