Security Assessment Checklist: From Startup to SOC2
A comprehensive security assessment framework for engineering teams. Includes checklists for application security, infrastructure security, compliance requirements, and the path to SOC2 certification.
The Security Wake-Up Call
A prospective enterprise customer asks: "Are you SOC2 compliant?" You're not. Deal dies. Or worse—you discover a security vulnerability after a breach, not before. Customer data exposed. Trust destroyed. Company at risk.
Most startups treat security as "we'll worry about that later." Then "later" arrives in the form of a lost deal, a security audit, or an actual incident. Suddenly you're scrambling to bolt on security to a system designed without it.
You need a pragmatic security framework that balances risk with velocity—protecting your business without grinding development to a halt.
The Complete Security Assessment Framework
Part 1: The Security Maturity Model
Assess your current level, then work toward the next:
Level 0: Reactive (Most startups start here)
Characteristics:
- No security policies
- Passwords shared in Slack
- No 2FA enforced
- Production access = Everyone
- No security training
Risk: High (breach is when, not if)
Level 1: Basic Hygiene (Minimum viable security)
Achieved When:
- All accounts have 2FA
- Password manager required
- Production access restricted
- Basic monitoring in place
- Dependencies scanned
Timeline: 2-4 weeks
Cost: under $5K
Level 2: Operational Security (Enterprise-ready basics)
Achieved When:
- SSO implemented
- RBAC (Role-Based Access Control)
- Security logging centralized
- Incident response plan exists
- Quarterly security training
Timeline: 2-3 months
Cost: $20-50K
Level 3: Compliance-Ready (SOC2, ISO)
Achieved When:
- Policies documented
- Access reviews quarterly
- Penetration test passed
- Vendor security assessed
- SOC2 audit passed
Timeline: 6-12 months
Cost: $50-150K
Level 4: Mature Security Program
Achieved When:
- Dedicated security team
- Continuous monitoring
- Bug bounty program
- Red team exercises
- Security-first culture
Timeline: 18+ months
Cost: $200K+ annually
Most SaaS companies need Level 2-3 to sell to enterprises.
Part 2: Application Security Checklist
Authentication & Authorization
Authentication (Who are you?):
- Passwords: Minimum 12 characters, complexity required
- 2FA/MFA: Required for all users
- SSO: Supported (SAML, OAuth)
- Session management: Timeout after 30 min inactivity
- Password resets: Secure token-based
- Brute force protection: Rate limiting on login
Authorization (What can you do?):
- Principle of least privilege enforced
- RBAC implemented (roles: Admin, User, Read-Only)
- Permissions checked on every request
- Permission checks enforced server-side (client-side checks alone are not sufficient)
- API keys scoped to specific permissions
- Service accounts: Minimal permissions
Test Cases:
Test 1: Try accessing /admin as regular user → Should fail
Test 2: Modify user ID in request → Should not access others' data
Test 3: Expired session → Should redirect to login
Test 4: 10 failed logins → Should lock account
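The four test cases above as an added example (not code from the original article): a minimal server-side model of role-based access with an object-ownership check, the 30-minute idle timeout and the 10-failure lockout. The `Account` class, `ROLE_PERMISSIONS` table, 15-minute failure window and function names are hypothetical.

```python
from dataclasses import dataclass, field
from typing import List

LOCKOUT_THRESHOLD = 10          # Test 4: failed logins before the account locks
LOCKOUT_WINDOW_SEC = 15 * 60    # failures older than this are forgotten (assumed window)
SESSION_TIMEOUT_SEC = 30 * 60   # Test 3: idle timeout from the checklist
ROLE_PERMISSIONS = {            # hypothetical RBAC table for Admin, User, Read-Only
    "admin": {"read", "write", "manage_users"},
    "user": {"read", "write"},
    "read-only": {"read"},
}


@dataclass
class Account:
    user_id: str
    role: str
    failed_logins: List[float] = field(default_factory=list)
    locked: bool = False


def record_failed_login(acct: Account, now: float) -> bool:
    """Count a failed attempt inside the window; return True once the account is locked."""
    acct.failed_logins = [t for t in acct.failed_logins if now - t < LOCKOUT_WINDOW_SEC]
    acct.failed_logins.append(now)
    if len(acct.failed_logins) >= LOCKOUT_THRESHOLD:
        acct.locked = True
    return acct.locked


def session_active(last_seen: float, now: float) -> bool:
    """Test 3: a session idle for 30 minutes or more is treated as expired."""
    return now - last_seen < SESSION_TIMEOUT_SEC


def authorize(acct: Account, action: str, owner_id: str) -> bool:
    """Server-side check on every request: the role must grant the action AND the
    record must belong to the caller unless they are an admin (Tests 1 and 2)."""
    if acct.locked:
        return False
    if action not in ROLE_PERMISSIONS.get(acct.role, set()):
        return False
    if acct.role != "admin" and owner_id != acct.user_id:
        return False  # a user ID swapped in the request never grants access to others' data
    return True
```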
Input Validation & Sanitization
SQL Injection Prevention:
- Use parameterized queries (never string concatenation)
- ORM with prepared statements
- Input validation on all fields
- Whitelist approach (allow known-good, not block known-bad)
XSS (Cross-Site Scripting) Prevention:
- Escape all user input on output
- Content Security Policy headers
- HTTPOnly flags on cookies
- Modern framework (React and Vue auto-escape output by default)
CSRF (Cross-Site Request Forgery) Prevention:
- CSRF tokens on all state-changing requests
- SameSite cookie attribute
- Check Origin/Referer headers
Command Injection Prevention:
- Never pass user input to shell commands
- Use libraries instead of shelling out
- Whitelist commands if unavoidable
Test Tools:
- OWASP ZAP (automated scanner)
- Burp Suite (manual testing)
- SQLMap (SQL injection testing)
Data Protection
Data at Rest:
- Database encryption (TDE or column-level)
- File storage encrypted (AES-256)
- Encryption keys managed separately (KMS, Vault)
- Backups encrypted
- PII identified and encrypted
Data in Transit:
- HTTPS everywhere (TLS 1.2+)
- HSTS headers enforced
- Certificate pinning for mobile apps
- VPN for admin access
- Database connections encrypted
Data Lifecycle:
- Data retention policy defined
- Automated deletion of old data
- GDPR "right to be forgotten" implemented
- Data minimization (don't collect what you don't need)
API Security
API Authentication:
- API keys required
- OAuth 2.0 for user-delegated access
- API keys rotated regularly
- Keys stored in environment vars (not code)
API Rate Limiting:
- Per-user/per-key limits
- Global limits
- 429 status code returned when exceeded
- Exponential backoff suggested
API Versioning:
- Deprecation policy (12-month notice)
- Old versions sunsetted
- Breaking changes = new version
API Documentation:
- Authentication documented
- Rate limits documented
- Error codes documented
- Example requests/responses
Part 3: Infrastructure Security Checklist
Network Security
Firewall & Segmentation:
- Security groups configured (not 0.0.0.0/0)
- Production isolated from dev/staging
- Database not publicly accessible
- Bastion host for admin access
- WAF (Web Application Firewall) for production
DDoS Protection:
- Cloudflare or AWS Shield
- Rate limiting at edge
- Auto-scaling to handle spikes
Monitoring & Alerting:
- Intrusion detection (IDS) enabled
- Suspicious activity alerts
- Failed login attempts tracked
- Unusual API usage detected
Access Management
Privileged Access:
- Production access = need-to-know only
- Root/admin accounts = emergency only
- Audit log of all privileged actions
- Temporary elevated access (expire after 4h)
SSH Keys:
- No password-based SSH
- Individual keys (not shared)
- Keys rotated annually
- Revoked immediately on offboarding
Secrets Management:
- No secrets in code
- Secrets in vault (AWS Secrets Manager, HashiCorp Vault)
- Secrets rotated quarterly
- Environment-specific secrets
Example (Bad vs Good):
Bad: the credential is hardcoded, so it ends up in source control, CI logs and every developer laptop.

```python
DATABASE_URL = "postgres://user:password123@db.com/prod"
```

Good: the code reads the value at runtime; the actual secret is stored in AWS Secrets Manager and injected into the environment.

```python
import os

# Fail fast (KeyError) if the secret was not injected, rather than running with None.
DATABASE_URL = os.environ["DATABASE_URL"]
```
Vulnerability Management
Dependency Scanning:
- Automated scanning (Dependabot, Snyk)
- Pull requests blocked if critical vulns
- Weekly vulnerability review
- Patching SLA: Critical = 7 days, High = 30 days
Container Security (if using Docker/K8s):
- Base images from trusted sources
- Image scanning before deploy
- No root user in containers
- Immutable infrastructure
Patch Management:
- OS patches monthly
- Critical patches within 7 days
- Automated patching for non-prod
- Rollback plan for failed patches
Logging & Monitoring
What to Log:
- Authentication events (login, logout, failed attempts)
- Authorization failures
- Data access (especially PII)
- System errors
- Configuration changes
- Admin actions
Log Requirements:
- Centralized logging (DataDog, Splunk)
- Logs immutable (can't be edited)
- Retention: 1 year minimum
- Real-time alerting on anomalies
- Logs encrypted
Alerts:
Alert: 5 failed logins in 5 minutes
Alert: Database accessed from new IP
Alert: Production config changed
Alert: API 500 errors spike
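The first two alerts above as detection logic, an added example that is not part of the original article: a sliding-window count of failed logins per user and a baseline check for database connections from unseen IPs, run over a constructed log sample. The log format, field names and the baseline IP set are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGIN_THRESHOLD = 5                  # Alert: 5 failed logins ...
FAILED_LOGIN_WINDOW = timedelta(minutes=5)  # ... in 5 minutes

# Constructed sample log (not from any real system): timestamp, source, event, key=value fields
SAMPLE_LOG = """\
2024-01-15T10:00:05Z auth login_failed user=alice ip=203.0.113.7
2024-01-15T10:00:40Z auth login_failed user=alice ip=203.0.113.7
2024-01-15T10:01:10Z db connect user=app ip=10.0.2.15
2024-01-15T10:01:30Z auth login_failed user=alice ip=203.0.113.7
2024-01-15T10:02:00Z auth login_ok user=bob ip=198.51.100.4
2024-01-15T10:02:45Z auth login_failed user=alice ip=203.0.113.7
2024-01-15T10:03:20Z db connect user=app ip=203.0.113.99
2024-01-15T10:04:10Z auth login_failed user=alice ip=203.0.113.7
2024-01-15T10:30:00Z auth login_failed user=carol ip=198.51.100.4
"""


def parse_line(line: str) -> dict:
    ts, source, event, *kv = line.split()
    rec = {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")), "source": source, "event": event}
    rec.update(pair.split("=", 1) for pair in kv)
    return rec


def detect(lines, known_db_ips) -> list:
    """Run both alert rules over the lines in order and return the alerts raised."""
    alerts = []
    recent = defaultdict(deque)      # user -> failure timestamps still inside the window
    seen_ips = set(known_db_ips)     # baseline of IPs the database is normally reached from
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["event"] == "login_failed":
            q = recent[rec["user"]]
            q.append(rec["ts"])
            while rec["ts"] - q[0] > FAILED_LOGIN_WINDOW:   # drop failures older than 5 min
                q.popleft()
            if len(q) >= FAILED_LOGIN_THRESHOLD:
                alerts.append(f"{rec['ts']:%H:%M:%S} ALERT {len(q)} failed logins for {rec['user']} in 5 min")
                q.clear()            # one alert per burst, then start counting again
        elif rec["source"] == "db" and rec["event"] == "connect" and rec["ip"] not in seen_ips:
            alerts.append(f"{rec['ts']:%H:%M:%S} ALERT database accessed from new IP {rec['ip']}")
            seen_ips.add(rec["ip"])  # alert once per new IP; review it before baselining
    return alerts
```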
Part 4: Compliance & SOC2 Preparation
SOC2 Overview
What is SOC2? A third-party audit of your security controls.
Why You Need It:
- Enterprise customers require it
- Competitive advantage
- Reduced security questionnaires
- Insurance discounts
Cost:
- Preparation: $30-80K (tools, consultant)
- Audit: $20-50K annually
- Timeline: 6-12 months
Types:
- Type 1: Controls exist (point in time)
- Type 2: Controls operated effectively over an observation period (3-12 months)
Trust Service Criteria:
- Security (required)
- Availability (optional)
- Processing Integrity (optional)
- Confidentiality (optional)
- Privacy (optional)
Most companies do: Security + Availability
SOC2 Preparation Checklist
Policies & Procedures (2-3 months):
- Information Security Policy
- Access Control Policy
- Incident Response Plan
- Business Continuity Plan
- Vendor Management Policy
- Change Management Policy
- Acceptable Use Policy
Technical Controls (3-4 months):
- SSO implemented
- MFA enforced
- Logging centralized
- Backups tested
- Encryption at rest + in transit
- Vulnerability scanning automated
- Penetration test completed
Operational Controls (Ongoing):
- Quarterly access reviews
- Annual security training
- Vendor risk assessments
- Background checks for employees
- Asset inventory maintained
- Change request process
Evidence Collection (Continuous):
- Screenshots of controls
- Access review reports
- Training completion records
- Ticket system for changes
- Meeting minutes
Audit Preparation (1-2 months):
- Hire auditor
- Gap assessment
- Remediate findings
- Readiness assessment
- Official audit
- Report issued
DIY vs Consultant
DIY (Save $30-50K):
- Pros: Cheaper, learn deeply
- Cons: 6-12 month distraction, easy to miss things
- When: You have security background, 12+ months timeline
Consultant (e.g., Vanta, Drata, Secureframe):
- Pros: Faster (3-6 months), less risky, automation
- Cons: $20-40K cost
- When: Enterprise deals pending, no security expertise
Hybrid (Recommended):
- Use automated platform (Vanta: $12K/year)
- Hire consultant for gap analysis ($10K)
- DIY policy writing
- Consultant reviews
Part 5: Incident Response Plan
Incident Classification
Severity Levels:
P0 - Critical:
- Data breach (PII exposed)
- System compromise (attacker access)
- Ransomware
- Response: Immediate, all-hands
P1 - High:
- Vulnerability exploited (no data loss yet)
- Unauthorized access attempt
- DDoS attack
- Response: under 1 hour
P2 - Medium:
- Vulnerability discovered (not exploited)
- Phishing attempt
- Suspicious activity
- Response: under 4 hours
P3 - Low:
- Security scan findings
- Policy violations
- Expired certificates
- Response: Next business day
Incident Response Playbook
Step 1: Detect & Report (0-15 min)
- Automated alert or manual report
- Create incident ticket
- Notify security lead or CTO
Step 2: Contain (15-60 min)
- Isolate affected systems
- Revoke compromised credentials
- Block malicious IPs
- Preserve evidence (logs, snapshots)
Step 3: Investigate (1-4 hours)
- Determine scope (what was accessed?)
- Identify attack vector (how did they get in?)
- Assess impact (what data was exposed?)
Step 4: Eradicate (2-8 hours)
- Remove malware/backdoors
- Patch vulnerability
- Reset all credentials
- Rebuild compromised systems
Step 5: Recover (4-24 hours)
- Restore from clean backups
- Verify systems clean
- Resume normal operations
- Monitor for re-infection
Step 6: Post-Incident Review (1-3 days)
- Document timeline
- Identify root cause
- Update runbooks
- Implement preventive measures
Communication Plan:
- Internal: Slack #security-incident
- Customers: Email if data exposed (GDPR: within 72 hours)
- Regulators: Notify if required
- Public: PR statement if major breach
Part 6: Security Tools Stack
Essential Tools by Stage
Startup (under 10 engineers):
- 1Password (password manager): $8/user/month
- GitHub Security Scanning (free)
- Cloudflare (WAF + DDoS): Free tier
- AWS GuardDuty (threat detection): $4/month
- Total: under $200/month
Growth (10-50 engineers):
- Add: Snyk (dependency scanning): $50/month
- Add: Wiz or Orca (cloud security): $500/month
- Add: Datadog Security (logging + monitoring): $500/month
- Add: Vanta (SOC2 automation): $1K/month
- Total: ~$2K/month
Scale (50+ engineers):
- Add: Dedicated security engineer
- Add: CrowdStrike (endpoint protection): $10/endpoint
- Add: Bug bounty program (HackerOne): $20K/year
- Add: Penetration testing: $30K annually
- Total: $150K+/year (incl. headcount)
Tool Categories
Identity & Access:
- Okta, Auth0 (SSO)
- 1Password, LastPass (password management)
- Duo, Yubikey (2FA/MFA)
Vulnerability Management:
- Snyk, Dependabot (dependencies)
- Wiz, Orca, Lacework (cloud security)
- Qualys, Tenable (vulnerability scanning)
Monitoring & Detection:
- Datadog, Splunk (SIEM)
- AWS GuardDuty, Azure Sentinel (threat detection)
- Sentry (error tracking)
Compliance:
- Vanta, Drata, Secureframe (SOC2 automation)
- OneTrust (privacy compliance)
Part 7: Security Training Program
Onboarding Security Training (Day 1)
Topics (30-minute session):
- Password policy (12+ chars, no reuse)
- 2FA setup (required)
- Phishing recognition
- Data handling (PII, encryption)
- Incident reporting process
- Acceptable use policy
Deliverables:
- Sign security policy
- Complete 2FA setup
- Pass phishing quiz (80%+)
Annual Security Training
Topics (60-90 minutes):
- Threat landscape updates
- Recent security incidents (case studies)
- Social engineering tactics
- Secure coding practices
- GDPR/privacy requirements
- Incident response drill
Frequency: Annually (or when SOC2 requires)
Tools:
- KnowBe4 (phishing simulations)
- SANS (training courses)
- Custom internal training
Phishing Simulations
Cadence: Quarterly
Process:
- Send simulated phishing email
- Track who clicks/enters data
- Provide immediate education
- Measure improvement over time
Target: under 5% click rate after 1 year
Templates & Checklists
Pre-Launch Security Checklist
Before launching any product:
Authentication:
- 2FA available
- Password requirements enforced
- Session timeout configured
Data Protection:
- HTTPS only
- Database encrypted
- Backups automated
Vulnerabilities:
- OWASP Top 10 tested
- Dependencies scanned
- Penetration test passed
Compliance:
- Privacy policy published
- Terms of service
- Cookie consent (if EU users)
- GDPR-compliant (if applicable)
Quarterly Security Review
Review Agenda (Every 3 months):
- Access review (remove unnecessary access)
- Vulnerability scan results
- Incident log review
- Policy updates needed?
- Training compliance check
Deliverable: Security scorecard
| Metric | Target | Actual | Status |
|---|---|---|---|
| Vulnerabilities (Critical) | 0 | 2 | 🔴 |
| Patch SLA Compliance | 95% | 92% | 🟡 |
| 2FA Adoption | 100% | 98% | 🟡 |
| Security Training Complete | 100% | 100% | 🟢 |
| Failed Pen Test Items | 0 | 0 | 🟢 |
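An added example (not from the original article) that computes two of the scorecard rows from constructed vulnerability records, using the Patching SLA from Part 3 (Critical = 7 days, High = 30 days). The findings, the handling of open findings still inside their SLA, and the 95%/90% green/yellow thresholds are assumptions.

```python
from datetime import date
from typing import Optional

PATCH_SLA_DAYS = {"critical": 7, "high": 30}   # Patching SLA from Part 3

# Constructed findings (not real vulnerabilities): (id, severity, found, fixed or None if open)
FINDINGS = [
    ("VULN-1", "critical", date(2024, 1, 2), date(2024, 1, 6)),
    ("VULN-2", "critical", date(2024, 1, 10), None),
    ("VULN-3", "high", date(2024, 1, 3), date(2024, 1, 20)),
    ("VULN-4", "high", date(2024, 1, 5), date(2024, 2, 20)),
    ("VULN-5", "high", date(2024, 2, 1), None),
]


def sla_met(severity: str, found: date, fixed: Optional[date], today: date) -> Optional[bool]:
    """True/False once the finding is fixed or overdue; None while open but still inside SLA."""
    limit = PATCH_SLA_DAYS[severity]
    if fixed is not None:
        return (fixed - found).days <= limit
    return None if (today - found).days <= limit else False


def scorecard(findings, today: date) -> dict:
    """Compute the scorecard rows for open criticals and patch SLA compliance."""
    decided = [s for s in (sla_met(sev, fnd, fix, today) for _, sev, fnd, fix in findings)
               if s is not None]
    compliance = round(100 * sum(decided) / len(decided)) if decided else 100
    open_critical = sum(1 for _, sev, _, fix in findings if sev == "critical" and fix is None)
    return {
        "open_critical": open_critical,
        "critical_status": "green" if open_critical == 0 else "red",
        "patch_sla_pct": compliance,
        # assumed thresholds: green at or above the 95% target, yellow down to 90%, red below
        "sla_status": "green" if compliance >= 95 else "yellow" if compliance >= 90 else "red",
    }
```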
Success Metrics
Security Maturity:
- Maturity level (0-4): Target Level 2+ for B2B SaaS
- SOC2 certified: Within 12 months of enterprise sales push
Vulnerability Management:
- Critical vulnerabilities open: 0
- High vulnerabilities: under 5
- Patch SLA compliance: over 90%
Incident Response:
- P0 response time: under 15 min
- Security incidents: Decreasing YoY
- Post-incident action items completed: 100%
Training & Culture:
- Security training completion: 100%
- Phishing simulation click rate: under 5%
- Security escalations by engineers: Increasing (good sign)
Remember: Security is not a one-time project—it's an ongoing process. Start with the basics, build incrementally, and make security everyone's responsibility. A breach can destroy years of trust in minutes. Prevention is 100x cheaper than response.