Everyone assumes companies have a security team, but every company and every team can operate differently.  So, coming from a large corporation myself, I wasn’t sure what to expect when joining Vivun as their first Application Security Engineer.  With only about 75 employees at the time and a security department of only three people, I knew I was going to have to wear a lot of hats.

I’m now just over one year in, and there have been a lot of lessons learned. Here’s four that have stood out in particular.

Startup speed has pros and cons

Startups move at the speed of light, and security is often seen as a blocker.  Because of this, it can be tough to get buy-in from other departments and the case must be made that security is everyone’s responsibility.

Despite the challenges, there are some advantages to building an AppSec program while small.  There’s very little bureaucracy getting in the way of making changes.  Initiatives can be rolled out quickly without waiting weeks for approvals from multiple departments, and can often be handled in a single call with the key stakeholders involved.

Shifting left requires buy-in and teaching

To facilitate shared responsibility, security must be shifted left in the software development lifecycle.  Catching issues sooner rather than later means the product is built securely, rather than playing catch-up later trying to fix vulnerabilities.  To do this, Vivun’s security team started by working with engineering to integrate security checks into our CI/CD pipelines and GitHub so that scans are performed before they even reach a staging environment.  We also taught engineers how to run these scans locally on their own development machines so they can catch them before even committing.

Cutting-edge tech == cutting-edge threats

Another challenge is that as a startup, we’re using a lot of cutting edge technologies which often means new forms of attack.  We have to keep up with the latest research on new threats and vulnerabilities.  We achieve this by subscribing to several security news feeds in Slack, such as Dark Reading, Krebs on Security, and The Hacker News.  Software composition analysis scans are run daily, and the AppSec team gets alerted when new threats are detected.  We also perform extensive monitoring and alerting so we can be immediately aware of attacks and outages.

Startup or enterprise, AppSec’s goals remain the same

Of course, security’s primary objective is securing and protecting customer data.  In order to gain trust with potential customers, we have regular penetration tests performed by a third party and make the reports available upon request.  In addition, our internal processes and configurations undergo annual review by external auditors, earning us ISO-27001 and SOC-2 certification.

Startup culture is often synonymous with agility and Vivun is no exception.  We have many exciting things coming, such as new features in our products, increased automation, and a Capture-the-Flag event for our engineers, and AppSec gets to work across all of these areas.