[neochris]

We are building out an OSS startup security program: Prowler as the CPSM, Trufflehog for secrets scanning, for code scanning...I personally think GitHub CodeQL is good enough, but please tell me otherwise. Our security model for our AWS infra definitely relies a lot on having fine-grained ACLs and security groups. The stack is all in AWS CDK and open source (of course, I'm not a fan when OSS security platforms claim to support self-hosted but it's only a docker-compose file). Supply chain attacks. We keep dependencies light and also rely on GitHub's dependency scanner.

I believe you're a fan of Panther? I find that funny because their out-of-the-box detection rules are limited. Once again, a good CSPM and SSO will do a lot more than a SIEM for startup security. Unless you are really telling me we need a 24/7 blue team monitoring our 10-15ish alerts. Oh by the way, we use AWS SSO and org, only role based permissions for everything, fine-grained GitHub SSO for CICD (down to the repo level because we know about that sneaky privesc path when you use *), and isolated SCPs for prod and staging (of course).

You mentioned phishing two technical founders as some real security threat. That might FUD someone with no security experience and don't have FIDO2 or device MFA set up. But turns out, my cofounder and I have both those things!

And because we know what are doing, CloudTrail is set up in a separate OU to avoid log tampering in case of a breach.

[dogman144]

I wouldn’t recommend panther or a SIEM for small startups.

D&R is a bit less important for startups beyond some python scripts piping in the boilerplate alerts via API that gsuite, SSO and cloudtrail generate for you. Prowler is going to buy you a lot of overhead that just enabling GuardDuty and SecHub would do for you quickly and pivot back to revenue ops.

What will get you, and secure infra providers wont do for you, and is a blind spot often with startups who focus all on infrasec (like you mapped out), is enterprise sec, which goes beyond phishing.

- are y’all all still on personal laptops? Personal emails anywhere, those laptops have any sort of EDR on them? Personal phones? What’s your SIM swap plan and setup?

- is a pw manager in place? A corporate account vs individual accs? Are you storing secrets on BYOD, any hanging out in envvars or apple notes?

- phishing: I here you, but devs are often the biggest phishing failure stats. And MFA measures in half of it. The other half is you click, doesn’t push you to a login page, just drops something on your endpoint, and no EDR there to tell you it happened.

- is there someone there telling you not to get social engineered by an annoying hackernews account into listing out large chunks in detail of your security stack, which is very closehold data?

Also - going back through six months of comments to find something about Panther is odd

[neochris]

This all makes a lot of sense. I agree that SOC2 can be security theatre (I mean a lot of the language of the standard is suggestive, not a requirement). But a lot of your points about having MDM and EDR set up is covered by that cert. It's just how you implement it. And we intend to do it well. The cert and the "trust page" is a signal of our security practices, but at least we wouldn't have to go through it over at HN...

Maybe because I did cryptography at a mathematical level in college, I never really bought into the idea of security through obfuscation. Also the empirical evidence behind whether hiding your tech stack makes you more secure as a non-state level actor / software company actually leans towards the side of "it doesn't really matter".

We obviously do a lot more in our infra/corp sec side that I'm not sharing. But really everything I listed are well known best practices that any attacker should assume a relatively non-stupid security-aware startup should have.

I mean I guess I do believe a bit in security through obfuscation. Not sharing our password manager and IdP as many providers haven't had (as you mentioned) great track record in this space.

I do think it might be a difference of where we learned security. I found folks like yourself from your certain gov/military background to buy into security via obfuscation a lot more. I guess we can agree to disagree.

[dogman144]

I don’t buy into security via obfuscation at all, but that meme comes from the context of hoping your infra is too confusing for an attacker to figure out once they find it.

For the context of digging into your sec stack on open-access platforms, ya def obfuscate haha, public review is step 0 in pentests for a reason.

[neochris]

Help us out? I really would like to hear your advice / thoughts / experience in private. Please find me via email (no getting making this public unfortunately)!

[neochris]

I am curious though. Have you ever seen an attack path from a personal device compromise to full Cloud account takeover (or something along those lines like an exfil job or cryptojacking).

I haven't?

Usually compromised personal devices at the startup level comes from a spray-and-pray watering hole campaign. Likely to be used as part of a botnet, where your device is 1 in a million. Nothing really targeted where the end goal is to compromise a seed / series A's crown jewels.

Once again, please share stories if I should be more worried.

[dogman144]

This was how Lastpass was exploited +/- details, lot of write-ups on this.

Devops eng ran a personal unpatched Plex server, threat actor came in via home network/plex, pivoted to personal, devops eng accessed production via the personal.

To your point, this is fairly targeted.

But to your other point, you miss what I’m hammering above - Series A’s Crown Jewels, if it is selling SOAR (or any other sec tool in this direction) are its clients and their sec infra. 90% of the time, Series A can get hacked and who cares really. If you’re selling SOAR, you’re hacked to hack clients. JumpCloud, selling identity, was hacked this way last yr.

Threat actors know about the angle I am describing in this thread wrt to this. Sec and identity infra has been targeted heavily for the last 24 months, specially to pivot into client companies. If you’re selling SOAR, this is what to plan for.

This is also pretty common across crypto.

All in all, depends on your threat model, and if you’re selling security tools, your clients’ threat model becomes your own, bc threat actors know and exploit this now.