Matt Grant for Congress — Missouri — District 2

Security Basics for Early-Stage Startups

Security layers (diagram): Authentication → Encryption → Access Control → Monitoring → Incident Response

Build security in from day one. Retrofitting security is 10x more expensive than starting right.


Minimum Viable Security (Do This Before You Launch)

Authentication

  • [ ] Passwords hashed with bcrypt, Argon2, or scrypt (never MD5 or SHA-1)
  • [ ] Multi-factor authentication (MFA) available to users; required for admins
  • [ ] Password reset flow uses time-limited tokens, not passwords in email
  • [ ] Account lockout after failed attempts (5–10 attempts, then temporary lockout)
  • [ ] Use an identity provider (Auth0, Cognito, Clerk) rather than rolling your own
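As an added illustration (not code from the original checklist), the three authentication items above in one small module: salted scrypt password hashing with constant-time verification, a 5-attempt lockout, and single-use, time-limited password reset tokens of which only a hash is stored. Uses only the Python standard library; the 15-minute lockout and token lifetime are assumed values, and the User class stands in for a database row.

```python
import hashlib, hmac, os, secrets, time
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1  # work factors; raise N as your hardware allows
MAX_FAILED, LOCKOUT_SECONDS = 5, 15 * 60    # lock after 5 failures (checklist says 5-10) for 15 min
RESET_TTL = 15 * 60                         # reset tokens live 15 minutes (assumed value)

def hash_password(password: str) -> str:
    """Fresh random salt + scrypt; stored as 'scrypt$<salt hex>$<hash hex>'."""
    salt = os.urandom(16)
    dk = hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    return f"scrypt${salt.hex()}${dk.hex()}"

def verify_password(password: str, stored: str) -> bool:
    _, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    return hmac.compare_digest(dk.hex(), dk_hex)  # constant-time compare

class User:
    """Minimal in-memory account record, standing in for a database row."""
    def __init__(self, password: str):
        self.pw_hash = hash_password(password)
        self.failed, self.locked_until = 0, 0.0
        self.reset_hash, self.reset_expires = None, 0.0
def login(user: User, password: str, now: float) -> str:
    if now < user.locked_until:
        return "locked"                     # temporary lockout still in force
    if verify_password(password, user.pw_hash):
        user.failed = 0
        return "ok"
    user.failed += 1
    if user.failed >= MAX_FAILED:
        user.failed, user.locked_until = 0, now + LOCKOUT_SECONDS
        return "locked"
    return "bad_password"

def issue_reset_token(user: User, now: float) -> str:
    """The token goes in the email; only its SHA-256 is stored, so a DB leak cannot replay it."""
    token = secrets.token_urlsafe(32)
    user.reset_hash = hashlib.sha256(token.encode()).hexdigest()
    user.reset_expires = now + RESET_TTL
    return token

def redeem_reset_token(user: User, token: str, new_password: str, now: float) -> bool:
    if user.reset_hash is None or now > user.reset_expires:
        return False                        # nothing outstanding, or expired
    if not hmac.compare_digest(hashlib.sha256(token.encode()).hexdigest(), user.reset_hash):
        return False
    user.reset_hash, user.pw_hash = None, hash_password(new_password)  # single use
    user.failed, user.locked_until = 0, 0.0
    return True
```

Pass time.time() as now in a real application; the explicit parameter is there so the lockout and expiry paths can be exercised deterministically.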

Data Protection

  • [ ] HTTPS everywhere — no HTTP in production; enforce HSTS
  • [ ] Database encrypted at rest (enabled by default on RDS, MongoDB Atlas, etc.)
  • [ ] Sensitive fields additionally encrypted at the application layer (SSNs, PHI; passwords are hashed as above, never encrypted)
  • [ ] Backups encrypted and tested for restore
  • [ ] PII not stored in logs
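An added example (not part of the original checklist) of keeping PII out of logs: a logging.Filter that masks SSNs outright and replaces email addresses with a keyed HMAC pseudonym, so the same account still correlates across log lines without the address itself being written. Standard library only; the key default and the sample log line are constructed for the demo.

```python
import hashlib, hmac, logging, os, re

# Key for pseudonymizing emails; constructed default for the demo, set LOG_PII_KEY in prod.
PII_KEY = os.environ.get("LOG_PII_KEY", "demo-key-change-me").encode()
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

def pseudonymize(value: str) -> str:
    """Keyed hash (HMAC): the same user maps to the same tag, but nobody holding the logs
    can recover addresses by hashing a dictionary of candidates, as with plain SHA-256."""
    tag = hmac.new(PII_KEY, value.encode(), hashlib.sha256).hexdigest()[:12]
    return f"<email:{tag}>"

def scrub(text: str) -> str:
    text = SSN_RE.sub("***-**-****", text)                     # SSNs are never needed in logs
    return EMAIL_RE.sub(lambda m: pseudonymize(m.group(0)), text)

class PIIFilter(logging.Filter):
    """Scrubs the message and its string args before any handler formats the record."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = scrub(str(record.msg))
        if isinstance(record.args, dict):
            record.args = {k: scrub(v) if isinstance(v, str) else v for k, v in record.args.items()}
        elif record.args:
            record.args = tuple(scrub(a) if isinstance(a, str) else a for a in record.args)
        return True

def scrubbed_message(msg: str, *args) -> str:
    """Build a LogRecord, run it through PIIFilter, return the final formatted text."""
    record = logging.LogRecord("app", logging.INFO, __file__, 0, msg, args, None)
    PIIFilter().filter(record)
    return record.getMessage()

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    log = logging.getLogger("app")
    log.addFilter(PIIFilter())
    log.info("login failed for %s (ssn on file 123-45-6789)", "alice@example.com")
```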

Access Control

  • [ ] Least privilege: employees only have access they need
  • [ ] Production database not directly accessible from developer laptops
  • [ ] Separate environments: dev / staging / production
  • [ ] Environment variables for secrets — never hardcode credentials
  • [ ] Secret management: AWS Secrets Manager, HashiCorp Vault, or 1Password Secrets Automation

Infrastructure

  • [ ] All traffic over HTTPS/TLS 1.2+
  • [ ] Firewall rules restrict inbound traffic to only necessary ports
  • [ ] No public SSH access — use bastion hosts or AWS Systems Manager Session Manager
  • [ ] S3 buckets not public unless intentionally serving public assets
  • [ ] CloudTrail or equivalent logging enabled in AWS/GCP/Azure

Code Security

  • [ ] Dependencies scanned for vulnerabilities (Dependabot, Snyk)
  • [ ] No secrets in git history (use git-secrets or truffleHog to scan)
  • [ ] Code review required for all production changes (no solo deploys)
  • [ ] OWASP Top 10 addressed in application design

Internal Security

  • [ ] All employees use a password manager (1Password, Bitwarden)
  • [ ] MFA on all company accounts (email, AWS, GitHub, Slack)
  • [ ] Full disk encryption on all company laptops (FileVault / BitLocker)
  • [ ] Remote wipe capability on company devices
  • [ ] Offboarding checklist: revoke all access within 24 hours

OWASP Top 10 — What Every Developer Must Know

The most common web application vulnerabilities. Address these before launch.

Vulnerability | What It Is | How to Prevent
Injection (SQL, NoSQL, OS) | Attacker-controlled input is interpreted as part of a query or command | Parameterized queries; ORMs; input validation
Broken Authentication | Weak auth allows account takeover | Use Auth0/Cognito; enforce MFA; rate limit logins
Sensitive Data Exposure | Unencrypted sensitive data | Encrypt at rest and in transit; minimize data collection
XML External Entities (XXE) | XML parsers process malicious input | Disable external entity processing
Broken Access Control | Users access data they shouldn't | Enforce authorization at every endpoint; test for IDOR
Security Misconfiguration | Default configs, open ports, stack traces exposed | Harden configs; disable debug in prod; rotate defaults
Cross-Site Scripting (XSS) | Malicious scripts injected into pages | Sanitize inputs; use CSP headers; escape output
Insecure Deserialization | Malicious objects deserialized | Validate serialized data; avoid Java serialization
Using Vulnerable Components | Old dependencies with known CVEs | Dependabot; Snyk; update dependencies regularly
Insufficient Logging | No audit trail for incidents | Log all auth events; alert on anomalies

Common Security Mistakes at Early-Stage Startups

Mistake | Fix
Hardcoding API keys in code | Use environment variables; scan git history with truffleHog
Public S3 buckets | Audit with AWS Trusted Advisor; default to private
No MFA on AWS root account | Enable immediately; never use root for day-to-day
Shared database credentials | Per-service credentials; rotate regularly
Logging PII | Mask or hash PII before logging
Admin panels accessible from internet | Restrict to VPN or specific IP ranges
No security headers | Add CSP, HSTS, X-Frame-Options, X-Content-Type-Options
Storing passwords in plaintext | bcrypt/Argon2 only; never reversible encryption
No incident response plan | Write a one-page plan before you need it
Skipping penetration testing | Budget $5K–$15K for annual pentest once you have customers
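The "No security headers" fix, as an added example that is not from the original page: a small WSGI middleware that adds the four headers named above to any response that lacks them (HSTS only on HTTPS responses, since browsers ignore it over plain HTTP), together with an audit helper that reports which headers a response is missing. The CSP value is a starting point to tighten per application; demo_app and call are stand-ins for a real app and server.

```python
SECURITY_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",  # HSTS, one year
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",  # tighten per app
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
}

def missing_security_headers(headers) -> list:
    """Audit check: which of SECURITY_HEADERS a response lacks. Accepts a dict or a
    WSGI-style list of (name, value) pairs; header names compare case-insensitively."""
    names = headers.keys() if isinstance(headers, dict) else (n for n, _ in headers)
    present = {n.lower() for n in names}
    return [name for name in SECURITY_HEADERS if name.lower() not in present]

def security_headers(app):
    """WSGI middleware that adds any missing header; values the app set itself win."""
    def wrapped(environ, start_response):
        def start_response_with_headers(status, headers, exc_info=None):
            headers = list(headers)
            for name in missing_security_headers(headers):
                # Browsers ignore HSTS on plain HTTP, so only send it on TLS responses.
                if name == "Strict-Transport-Security" and environ.get("wsgi.url_scheme") != "https":
                    continue
                headers.append((name, SECURITY_HEADERS[name]))
            return start_response(status, headers, exc_info)
        return app(environ, start_response_with_headers)
    return wrapped

def demo_app(environ, start_response):
    """Stand-in application that sets only Content-Type."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]

def call(app, scheme: str = "https"):
    """Invoke a WSGI app in-process; returns (status, headers dict, body bytes)."""
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)
    environ = {"wsgi.url_scheme": scheme, "REQUEST_METHOD": "GET", "PATH_INFO": "/"}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body
```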

Incident Response — One-Page Plan

Write this before you have an incident:

INCIDENT RESPONSE PLAN — [Company Name]

SEVERITY LEVELS
P1 (Critical): Data breach, system compromise, payment fraud
P2 (High): Service outage, unauthorized access, data exposure
P3 (Medium): Attempted intrusion, policy violation
P4 (Low): Suspicious activity, potential vulnerability

FIRST RESPONSE (within 1 hour of P1/P2):
1. Identify: What system/data is affected?
2. Contain: Isolate affected systems (revoke credentials, block IPs, take offline)
3. Notify: [Founder/CTO name] + [Attorney name] + [Cyber insurance carrier]
4. Document: Log everything with timestamps

COMMUNICATION (P1 breach affecting user data):
- External legal counsel: [Name, phone]
- Cyber insurance: [Carrier, policy #, phone]
- Customers: Template in crisis-difficult-templates.md
- GDPR: DPA notification within 72 hours (if EU data)

ESCALATION CONTACTS
[Name] — [Role] — [Phone]
[Name] — [Role] — [Phone]

RECOVERY
- Restore from last known good backup
- Reset all credentials on affected systems
- Conduct post-mortem within 5 days

Security Tools Stack (Startup Budget)

Category | Free / Low Cost | Paid / Scale
Auth | Clerk (free tier), Auth0 (free tier) | Auth0 production, Okta
Secrets | AWS Secrets Manager ($0.40/secret/mo) | HashiCorp Vault
Vulnerability scanning | Dependabot (free), Snyk (free tier) | Snyk Teams
SAST | Semgrep (free), CodeQL (free) | Checkmarx
Logging/SIEM | CloudTrail (free), CloudWatch | Datadog, Splunk
Pen testing | HackerOne (bug bounty) | Cobalt.io, NCC Group
Compliance automation | Vanta, Drata (see soc2.md) | Same
Password manager | Bitwarden Teams ($3/user/mo) | 1Password Business
Endpoint security | Malwarebytes (free) | CrowdStrike, SentinelOne

Nonpartisan informational resource for Missouri — District 2 — not legal, medical, or financial advice. Source: dougdevitre/access-to-business.

Paid for by Matt Grant for Congress.