M.13) Protocol software and tools

Category: Corporate Information Security

Responsible: CSR, PSR

Effort: initially 2 hours; periodical updates are low effort

Based on: BSI IT Grundschutz M 2.500 / M 4.91 / M 4.92


It is good to record (protocol) the software that is installed on employees’ devices and to categorize the tools (categorization can be done as shown on the two websites mentioned in the section below). In this way the employees know:

  • Which kind of tools are used by the company
  • Which employees/roles use which tools

This has the following advantages:

  • Based on this list the CSR can manage the software in the startup. He/she can initially screen the tools for security-related problems, keep monitoring them afterwards, and initiate actions if needed.
  • New employees immediately know which software they can and need to install to carry out a certain role.
  • The CTO can go through all the tools and compare them with alternatives on websites like https://www.g2crowd.com and https://www.getapp.com. This can help the company to reduce costs or increase productivity.

Special: Software as a Service (SaaS)

Because it is popular in the startup scene to use all kinds of online software-as-a-service tools, like Dropbox, Trello, Mailchimp, Slack, Salesforce, HubSpot, Google services, etc., it can become difficult to keep an overview of which employee has access to which tools. After some time no one knows which employee had access to which tools and services. If an employee leaves the company or a laptop gets stolen, it can get really hard to find and delete all the different company-related user accounts that the employee had. For these reasons it is good to record all the different SaaS user accounts that are used by employees.

The author created a documentation template for startups. It is available under the following link: https://leanstartupsecurity.com/wp-content/uploads/2016/09/Documentation_Template.xlsx

Special: Server software and external source code (libraries)

As explained in M.16 and M.10, it is state of the art to use existing frameworks and libraries for creating new software and services. Because of the associated risks, this kind of software also needs to be monitored for (security) updates, since bugs in libraries can make the company's own product vulnerable. This task has to be done by the PSR. The following tools can be integrated directly into the development process and help the PSR to execute this safeguard:

https://gemnasium.com, https://www.versioneye.com, https://requires.io, https://libraries.io
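To show what such a monitoring step does underneath, here is an added example (not part of the original page and not the code of any of the services listed above): it reads a pinned dependency manifest and reports every library whose pinned version is below the first fixed version named in an advisory list. The manifest and the advisory entries are constructed sample data, not real advisories.

```python
"""Minimal dependency-advisory check in the spirit of safeguard M.13."""
import re

# Constructed sample manifest (requirements-style: name==version per line).
MANIFEST = """\
requests==2.9.1      # pinned example version
flask==0.10.1
pyyaml==5.4
"""

# Constructed advisory list (hypothetical, not real advisories). In practice
# this would be fed by a service such as those named on the page.
ADVISORIES = [
    {"package": "requests", "fixed_in": "2.20.0", "note": "sample advisory A"},
    {"package": "pyyaml", "fixed_in": "5.4", "note": "sample advisory B"},
]

def parse_version(v):
    """Turn '2.9.1' into (2, 9, 1); pad to three parts so 5.4 == 5.4.0."""
    parts = [int(p) for p in re.findall(r"\d+", v)]
    return tuple(parts + [0] * (3 - len(parts)))

def parse_manifest(text):
    """Return {name: version} for lines of the form name==version."""
    deps = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = re.fullmatch(r"([A-Za-z0-9_.-]+)==([0-9][0-9A-Za-z.]*)", line)
        if not m:
            raise ValueError(f"unsupported requirement line: {line!r}")
        deps[m.group(1).lower()] = m.group(2)
    return deps

def find_vulnerable(deps, advisories):
    """Return [(package, pinned, fixed_in, note)] for pins below the fix."""
    hits = []
    for adv in advisories:
        pinned = deps.get(adv["package"].lower())
        if pinned is None:
            continue  # library not used by this product
        if parse_version(pinned) < parse_version(adv["fixed_in"]):
            hits.append((adv["package"], pinned, adv["fixed_in"], adv["note"]))
    return hits

if __name__ == "__main__":
    for pkg, pinned, fixed, note in find_vulnerable(parse_manifest(MANIFEST), ADVISORIES):
        print(f"{pkg} {pinned} is below fixed version {fixed}: {note}")
```

Run periodically (for example in CI) so that a pin falling below a newly published fix is noticed by the PSR instead of staying unknown.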
