Introduction to Lean Startup Security

Lean Startup Security

Welcome to the Lean Startup Security Guide!

On this first page I will tell you about my motivation and background for creating this website. Afterwards (and this is very important) I will explain who the intended audience of the Lean Startup Security Guide is.

You can skip the Background section if you like, but please read the Intended Audience section very carefully, because this guide is not created for every kind and type of company.


Background

While studying Information Management and IT Security at the University of Applied Science in Vienna I wrote my Master's thesis about IT Security in Software Startups. The main research question focused on how young Software Startups deal with IT Security and whether they have some kind of managed Security process. The second part was to find lean processes and methods to increase Security in small Software Startups, because conventional standards like the ISO/IEC 270xx and BSI 100-x families, ISO/IEC 22301 and ISO/IEC 31000 are much too heavyweight for very young companies with less than 10 employees. Nevertheless, all those industry standards are the origin of all the measures I will describe on this website.

Because I worked in parallel as CTO and Full Stack Developer for a Startup called Rentog, I was able to implement, verify and improve the lean startup security processes and methods in practice.

On the following pages I publish the results of my work, including background information, process steps, a step-by-step method description and ready-to-use templates.


Intended Audience

  • Small Software Startups – There are different IT Security standards available, as I’ve already mentioned above. The most well known is ISO/IEC 27001. Companies can get themselves certified against such standards. If your company needs such a certification or evidence because of legal requirements or because customers demand it, the methods described on this website are too lightweight; you should directly get started by implementing the requested standards. If one of the following use cases describes your needs, you should definitely proceed reading:
    • We are a
      • small Software company and want/need to deal with cyber security threats in a lean but managed way
      • very young Software Startup and want to emphasize IT Security from the very first day
      • project team within a larger company and work mostly independently from the rest of the company on software projects
    • I’m just a student/programmer and want to write a mobile app or web service and think it’s important to keep an eye on security aspects
  • CTOs and Developers – The Method Description is intended for people who know how to develop Software and manage servers. I will just cover the processes and principal methods. There won’t be any step-by-step configurations or code snippets (maybe there will be in the blog); those things are too ephemeral. Consider this more like a checklist – you should definitely know how to Google 😉
  • CEOs – The CEO should either initiate or approve the emphasis on IT Security. It’s essential that the CEO knows how important cyber security measures are. For this reason the CEO should also read through the pages of this website.



The information contained in this website is for general information purposes only. You can find more information about the accuracy of the information on the disclaimer and terms and conditions pages.