Lean Startup Security Guide

The following measures and safeguards are tailored to the needs, requirements, constraints and resources of the target audience: Internet and software startups in their early stages. They cover the most important topics and should provide a solid start. I want to motivate companies to focus on information security from the first day on, so these measures can also be implemented by companies run by only one or two people. Once the company grows, or there is a need for more advanced information security handling, the practices described here should be a solid basis for a later implementation of standards like BSI IT-Grundschutz or ISO/IEC 27001.

In my opinion it doesn’t make sense to copy or redefine existing and approved information security content. Therefore some measures contain links to further information or to existing standards, which provide more detail on the different kinds of threats related to a safeguard and on how the measures can be implemented. All measures in this guide are therefore kept general, so that non-technicians can also read and understand them.

Each of the safeguards is a measure a software/Internet startup should implement (from 1 up to 28). They are chronologically ordered and also prioritized. For assigning responsibilities to persons I have used two project roles: the Corporate Security Responsible (CSR) and the Product Security Responsible (PSR). The two roles are described in this blog post.


| ID | Measure | Categories | Responsible |
|---|---|---|---|
| M.1 | Security kick-off meeting with founders | Organizational, Initial | CTO or the person who initiated the security discussion |
| M.2 | Consolidate information security literature | Learning, Periodic | CSR, PSR |
| M.3 | Split corporate from product security tasks | Organizational | CSR, PSR |
| M.4 | Inform employees | Organizational, Initial, Periodic | CTO, CSR, PSR |
| M.5 | Define basic rules (security guidelines for employees) | Corporate Security, Initial | CSR |
| M.6 | Make sure that the founders and employees are sensitized | Periodic, Corporate Security | CSR |
| M.7 | Perform automated and manual backups | Periodic | CSR, PSR, CTO |
| M.8 | Know the OWASP Top 10 | Product development, Periodic | PSR |
| M.9 | Establish and maintain (security) coding guidelines | Product development | PSR |
| M.10 | Involve PSR in product development | Product development | PSR |
| M.11 | Documentation of the (IT) infrastructure and used software | Organizational | CSR |
| M.12 | Harden employees’ devices | Corporate Information Security, Initial for every employee | CSR |
| M.13 | Protocol software and tools | Corporate Information Security | CSR |
| M.14 | Provide virtual machines / containers | Corporate Information Security | CSR together with PSR |
| M.15 | Establish information security incident management procedures | Corporate Information Security | CSR, PSR, CTO |
| M.16 | Use external source code | Development, throughout the development lifecycle | PSR |
| M.17 | Use monitoring services | Product and corporate security | CSR |
| M.18 | Find the root cause of problems and errors (5 whys) | Development process | CTO |
| M.19 | Use automated (security) regression tests | Development process | Developers, PSR |
| M.20 | Use infrastructure or platform as a service (IaaS, PaaS) | Corporate security | CSR |
| M.21 | Use CERT services | Corporate security | CSR |
| M.22 | Website scanning, monitoring and protection | Product security | PSR |
| M.23 | Privacy | Privacy, Organizational, Operational | CTO, Privacy responsible |
| M.24 | Cooperation agreements and employment contracts | Organizational | CTO |
| M.25 | Continuous deployment | Development process | CTO |
| M.26 | Penetration testing | Corporate and Product Security | PSR, CSR |
| M.27 | Use bug bounty programs | Product Security | PSR, CTO |
| A.1 | Additional 1) Getting to know the BSI Grundschutz catalogues | Further security improvement, growth | PSR, CSR |
| A.2 | Additional 2) Start with risk management | Further security improvement, growth | CEO, CTO |