Startup security starter pack
Inspired by Steve Weis - his version on Google Docs
Start Here
- Starting Up Security: From Scratch: High level principles to inform your program
- Prescriptive The SOC2 Starting Seven, Latacora: Latacora is a consultancy that helps build security programs for startups. While this post is structured around SOC2, it contains a set of tactical controls that you should implement early and will provide a solid foundation for your security program.
- Prescriptive Early Security for Startups, Dev: Dev has been down this road, and helped scale security for hypergrowth companies. He goes so far as to call out specific tools and vendors - something we often elide but can be high-leverage if you trust his judgement. You should.
- Andrew Wansley offers an alternative take on the same topic, following the same structure
Read More
- Start with Security: A Guide for Business by the FTC
- BVP: A comprehensive guide to security for startups
- How Early-Stage Startups Can Enlist The Right Amount of Security As They Grow
Reference
- Ryan McGeehan's scrty.io: Enough to get through the first two years of a security program. Structured as both a book and a collection of topical articles. I recommend Foundations and Fundamentals, to start.
Scale
These posts are interesting to show where your program can go, but can be elided if you're treading water as the first person responsible for security.
- A Corporate Anthropologist’s Guide to Product Security, Alex Gantman
- Product Security Framework, Julian Cohen
- Building a Product Security program from scratch, Anshuman Bhartiya
- Building a Corporate Security Program From The Ground Up, Kane Narraway
Conference Talks (war stories of starting security):
- Startup security: Starting a security program at a startup, Evan Johnson, Segment + Cloudflare
- Concrete Steps to Create a Security Culture, Arkadiy Tetelman, Lob
- Starting an AppSec Program: An Honest Retrospective, John Melton, Bronto
- 0 to 1: Startup Security, Coleen Coolidge
- One-Person Army – A playbook on how to be the first Security Engineer at a company