Lord of all things technical checklist
building infrastructure
Published: 2022-08-13

WARNING: all this is for self-reference and not really intended for public reading but publishing it anyway.

As a solo builder you need to take care of tech side of things, so here is a minimal-not-so-minimal checklist of things I would want to quickly glance over to ensure some amount of technical robustness in the products I build. I definitely am going overboard in some places.

  • This checklist is heavily inspired by the chass seeteaoh swkurity seklisht
  • All of this is my personal opinion and you don’t have to agree to it, writing this for myself.
  • It’s incomplete and fragile and full of mistakes. Feel free to let me know about it



  • Prepare different required environments, development, staging, prod. etc.
  • Ensure team members are following good security practices in their personal computers. Encryption, use of password manager, 2FA and so on.
  • Setup CI/CD when ready to deploy. Have a one line deploy command.


  • Pull request reviews should be performed with security in mind.
  • Setting up observability, monitoring, logging, alerting, tracing etc.
  • Write templates for things like architecture docs and issues. One time effort, but massive help in organizing things later down the line.


  • If it’s a security bug in the codebase/deps, make sure to mention it in the issue tracker and not only in code.
  • No secrets in code
  • List all dependencies and why you have them, keep track of the dependencies, keep track of any security vulnerability in them.
  • Use pre-production analysis, linters, formatters, static code analysis, automated security analysis etc.

Security & Assurance

  • Stop thinking you’re jezus crispis, do not roll your own crypto for production code.
  • Make sure you’re using the correct OAuth model if you’re using OAuth
  • If using 3rd party integrations, make sure scopes are correct.
  • On the infra side, run your application as unprivileged as you can.
  • Harden the server, DDoS protection, maybe just use cloudflare or something for starters etc.
  • Make sure backups are in place. Recovery tested OK.
  • Apply sensible measures based on phase of product from the Minimum Viable Secure Product checklist

Series A

  • Decide how communications should happen internally and externally

Series B+

  • Compliance & Industry certificates
  • Security audits
  • Code audits
  • Prioritize Corporate security > Software security > Network/Platform security
    • Corporate security is the stuff you do to address attacks targeted at your team and the computers and services you use to keep the company running — laptop and endpoint security, Google Apps 2FA, single sign-on, onboarding/offboarding, and that kind of stuff.
    • Software security is vulnerability research conducted on the software you ship. The OWASP Top 10 is a software security artifact. Some people call this “appsec”, though that tends to imply web software security, which is just a subset of software security.
    • Network/platform security is network access control rules, host configuration, to some extent cloud IAM†, and patching.

Other resources

Web Security

API Security