Lord of all things technical checklist
building infrastructure
Published: 2022-08-13

WARNING: all this is for self-reference and not really intended for public reading but publishing it anyway.

As a solo builder you also need to take care of the tech side of things, so here is a minimal-not-so-minimal checklist of things I want to be able to glance over quickly to ensure some amount of technical robustness in the products I build. I am definitely going overboard in some places.

  • This checklist is heavily inspired by the chass seeteaoh swkurity seklisht
  • All of this is my personal opinion and you don’t have to agree with it; I am writing this for myself.
  • It’s incomplete and fragile and full of mistakes. Feel free to let me know about them.

Seed

Setup

  • Prepare the required environments: development, staging, production, etc.
  • Ensure team members follow good security practices on their personal computers: encryption, use of a password manager, 2FA and so on.
  • Set up CI/CD when ready to deploy. Have a one-line deploy command.

Operations

  • Pull request reviews should be performed with security in mind.
  • Set up observability: monitoring, logging, alerting, tracing etc.
  • Write templates for things like architecture docs and issues. One time effort, but massive help in organizing things later down the line.

Maintenance

  • If it’s a security bug in the codebase/deps, make sure to mention it in the issue tracker and not only in code.
  • No secrets in code
  • List all dependencies and why you have them; keep track of the dependencies and of any security vulnerability in them.
  • Use pre-production analysis: linters, formatters, static code analysis, automated security analysis etc.
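As an added example for the "no secrets in code" and "automated security analysis" items (this is not code from the post), a minimal pre-commit secret check: known credential shapes are matched by pattern, everything else by token entropy. The patterns, threshold and sample lines are constructed assumptions, not real values.

```python
"""Minimal pre-commit secret scanner (added example, not from the post)."""
import math
import re
import sys
from collections import Counter

# Credential shapes recognisable by prefix or by an assignment keyword (constructed).
KNOWN_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)\b(?:password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"]?([^'\"\s]{8,})"
    ),
}
ENTROPY_THRESHOLD = 4.0   # bits/char; random base64 or hex material sits well above this
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")  # candidate tokens for the entropy check


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character of the string s."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_secrets(text: str) -> list:
    """Return (line_no, kind, token) for each suspicious line in text."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, rx in KNOWN_PATTERNS.items():
            m = rx.search(line)
            if m:                      # a known shape wins over the entropy heuristic
                hits.append((line_no, kind, m.group(0)))
                break
        else:
            for token in TOKEN_RE.findall(line):
                if shannon_entropy(token) >= ENTROPY_THRESHOLD:
                    hits.append((line_no, "high_entropy", token))
    return hits


# Constructed sample of staged content; none of these values are real credentials.
SAMPLE = """\
DB_HOST = "db.internal"
AWS_KEY = "AKIAEXAMPLE012345678"
SIGNING_SALT = "k8Jx2pQ9vL4mN7rT1wYz3bC6dF0gH5s"
"""

if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    findings = find_secrets(data)
    for ln, kind, tok in findings:
        print(f"line {ln}: {kind}: {tok[:6]}...")   # never echo the full value into CI logs
    sys.exit(1 if findings else 0)                    # non-zero exit blocks the commit
```

Wire it up as a pre-commit hook by piping the staged diff into it (`git diff --cached | python scan.py`); a non-zero exit rejects the commit.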

Security & Assurance

  • Stop thinking you’re jezus crispis, do not roll your own crypto for production code.
  • Make sure you’re using the correct OAuth flow if you’re using OAuth.
  • If using 3rd party integrations, make sure scopes are correct.
  • On the infra side, run your application as unprivileged as you can.
  • Harden the server and have DDoS protection in place; for starters, putting it behind Cloudflare or something similar is fine.
  • Make sure backups are in place. Recovery tested OK.
  • Apply sensible measures based on phase of product from the Minimum Viable Secure Product checklist

Series A

  • Decide how communications should happen internally and externally

Series B+

  • Compliance & Industry certificates
  • Security audits
  • Code audits
  • Prioritize Corporate security > Software security > Network/Platform security
    • Corporate security is the stuff you do to address attacks targeted at your team and the computers and services you use to keep the company running — laptop and endpoint security, Google Apps 2FA, single sign-on, onboarding/offboarding, and that kind of stuff.
    • Software security is vulnerability research conducted on the software you ship. The OWASP Top 10 is a software security artifact. Some people call this “appsec”, though that tends to imply web software security, which is just a subset of software security.
    • Network/platform security is network access control rules, host configuration, to some extent cloud IAM†, and patching.

Other resources

Web Security

API Security