by paulb81 3016 days ago
I worked on this checklist and your feedback is very appreciated.

You're right on all your points from a pure security point of view. We should be doing security as soon as possible. Unfortunately, the reality of building a startup is about finding product-market fit. Entrepreneurs are not incentivized to do security early on. The fear strategy our industry has been using for the last XX years has failed.

As security professionals, we need to help entrepreneurs and educate developers to find a good balance between building a business and building good security practices. This is the goal of this checklist.

We can't expect developers to spend days implementing security best practices before even having a business.


> As security professionals, we need to help entrepreneurs and educate developers find a good balance between building a business and building good security practices. This is the goal of this checklist.

No offense, but that’s not an answer to tptacek’s point. I can’t speak for him, but he probably agrees with this point. But that’s a soundbite - everyone would agree with that “we security professionals need to help entrepreneurs help themselves”, etc. The devil is in the details. He is critiquing the checklist’s content, not the checklist.

To make this comment constructive, I’m going to provide a link to what I personally consider very high quality advice for companies, written on the blog of Facebook and Coinbase’s former director of security:

https://medium.com/starting-up-security/starting-up-security...

Beyond that, having worked directly with many founders of early stage companies for security, I have to say I disagree that they can’t think about security early on. Resources like the series of articles I’ve linked to show how to navigate that compromise effectively.

Everything Ryan McGeehan writes is amazing. All of it belongs with the very best startup security content on HN.

> We can't expect developers to spend days implementing security best practices before even having a business.

We absolutely can. Otherwise, expect regulation to do it (see: GDPR).

Yeah. At the risk of digging at a raw wound and trivializing a recent tragedy, this is kind of like saying "We can't expect structural engineers to develop a fundamentally-safe construction plan right from the get-go."

If you're going to do something at all, there are some fundamental standards that you just don't risk by putting them off for later. Not saying you have to start out with all the frills, but there is a minimum acceptable standard of safety and competency that can and should be expected of any new work, and things that don't meet such standards should never exist in a form that could potentially be misconstrued as doing so. Reasonable baseline security practices are certainly part of those inviolable professional standards.

Or see TCSEC, which was how the market produced the first security-focused systems. They were the only ones to pass pentesting at the time, with designs and implementations still stronger than most software today. Although it had issues, its core lifecycle requirements mostly work and are still used for high-assurance security implementations. Alternatively, the DO-178B standard (now DO-178C), which got more vendors writing well-documented, well-reviewed code that they run through all kinds of static analyzers and testing tools to avoid costly re-certifications. Two examples of regulations that worked so well that they raised the status quo for both security and safety.

People mostly mention bad or questionable regulations when the topic comes up. I figure the good ones deserve mention, too, esp. given they worked better than the market. That's probably due to the absence in the market of both liability for software failures and most customers' ability to evaluate security claims.

TCSEC Overview https://en.wikipedia.org/wiki/Trusted_Computer_System_Evalua...

Bell Looking Back on TCSEC/TPEP http://lukemuehlhauser.com/wp-content/uploads/Bell-Looking-B...

DO-178B Overview https://en.wikipedia.org/wiki/DO-178B

OT-fun: You have 27007 karma points. ISO/IEC 27007 is one standard for "information security management systems auditing".

I’ve wasted so much time on HN, but have enjoyed it very much. Thanks for pointing that out :)