Security Assessment Checklist: From Startup to SOC2

January 18, 2025 · By Steve Winter · 14 min read

A comprehensive security assessment framework for engineering teams. Includes checklists for application security, infrastructure security, compliance requirements, and the path to SOC2 certification.

The Security Wake-Up Call

A prospective enterprise customer asks: "Are you SOC2 compliant?" You're not. Deal dies. Or worse—you discover a security vulnerability after a breach, not before. Customer data exposed. Trust destroyed. Company at risk.

Most startups treat security as "we'll worry about that later." Then "later" arrives in the form of a lost deal, a security audit, or an actual incident. Suddenly you're scrambling to bolt on security to a system designed without it.

You need a pragmatic security framework that balances risk with velocity—protecting your business without grinding development to a halt.

The Complete Security Assessment Framework

Part 1: The Security Maturity Model

Assess your current level, then work toward the next:

Level 0: Reactive (Most startups start here)

Characteristics:

  • No security policies
  • Passwords shared in Slack
  • No 2FA enforced
  • Production access = Everyone
  • No security training

Risk: High (breach is when, not if)

Level 1: Basic Hygiene (Minimum viable security)

Achieved When:

  • [ ] All accounts have 2FA
  • [ ] Password manager required
  • [ ] Production access restricted
  • [ ] Basic monitoring in place
  • [ ] Dependencies scanned

Timeline: 2-4 weeks
Cost: under $5K

Level 2: Operational Security (Enterprise-ready basics)

Achieved When:

  • [ ] SSO implemented
  • [ ] RBAC (Role-Based Access Control)
  • [ ] Security logging centralized
  • [ ] Incident response plan exists
  • [ ] Quarterly security training

Timeline: 2-3 months
Cost: $20-50K

Level 3: Compliance-Ready (SOC2, ISO)

Achieved When:

  • [ ] Policies documented
  • [ ] Access reviews quarterly
  • [ ] Penetration test passed
  • [ ] Vendor security assessed
  • [ ] SOC2 audit passed

Timeline: 6-12 months
Cost: $50-150K

Level 4: Mature Security Program

Achieved When:

  • [ ] Dedicated security team
  • [ ] Continuous monitoring
  • [ ] Bug bounty program
  • [ ] Red team exercises
  • [ ] Security-first culture

Timeline: 18+ months
Cost: $200K+ annually

Most SaaS companies need Level 2-3 to sell to enterprises.


Part 2: Application Security Checklist

Authentication & Authorization

Authentication (Who are you?):

  • [ ] Passwords: Minimum 12 characters, complexity required
  • [ ] 2FA/MFA: Required for all users
  • [ ] SSO: Supported (SAML, OAuth)
  • [ ] Session management: Timeout after 30 min inactivity
  • [ ] Password resets: Secure token-based
  • [ ] Brute force protection: Rate limiting on login

Authorization (What can you do?):

  • [ ] Principle of least privilege enforced
  • [ ] RBAC implemented (roles: Admin, User, Read-Only)
  • [ ] Permissions checked on every request
  • [ ] Permission checks enforced server-side (client-side checks alone are not a control)
  • [ ] API keys scoped to specific permissions
  • [ ] Service accounts: Minimal permissions

Test Cases:

Test 1: Try accessing /admin as regular user → Should fail
Test 2: Modify user ID in request → Should not access others' data
Test 3: Expired session → Should redirect to login
Test 4: 10 failed logins → Should lock account
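As an added illustration (not code from the article), the server-side checks that make Test 1 and Test 2 pass: a role allowlist consulted on every request, and an ownership check on the record id the client supplied. The roles, users, `DOCUMENTS` store and function names are constructed for this example.

```python
# Added example (not from the article): server-side role and ownership checks that make
# Test 1 and Test 2 pass. Roles, users and the document store are constructed for the demo.
from dataclasses import dataclass
from enum import Enum

class Role(Enum):
    ADMIN = "admin"
    USER = "user"
    READ_ONLY = "read_only"

@dataclass(frozen=True)
class User:
    id: int
    role: Role

class Forbidden(Exception):
    """Authorization failure; the API layer maps this to HTTP 403."""

# Constructed sample data: document id -> owner's user id
DOCUMENTS = {1: 100, 2: 200}

# Allowlist of roles per action; any action not listed is denied (least privilege)
PERMISSIONS = {
    "view_admin_panel": {Role.ADMIN},
    "read_document": {Role.ADMIN, Role.USER, Role.READ_ONLY},
    "edit_document": {Role.ADMIN, Role.USER},
}

def authorize(user: User, action: str) -> None:
    """Role check, run on the server for every request regardless of what the client claims."""
    if user.role not in PERMISSIONS.get(action, set()):
        raise Forbidden(f"{user.role.value} may not {action}")

def get_document(user: User, doc_id: int) -> int:
    """Test 2: doc_id comes straight from the request, so ownership is checked here, not in the UI."""
    authorize(user, "read_document")
    if doc_id not in DOCUMENTS:
        raise KeyError(doc_id)
    owner = DOCUMENTS[doc_id]
    if user.role is not Role.ADMIN and owner != user.id:
        raise Forbidden("caller does not own this document")
    return owner

def allowed(func, *args) -> bool:
    """True if the call passes authorization, False if it raises Forbidden."""
    try:
        func(*args)
        return True
    except Forbidden:
        return False
```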

Input Validation & Sanitization

SQL Injection Prevention:

  • [ ] Use parameterized queries (never string concatenation)
  • [ ] ORM with prepared statements
  • [ ] Input validation on all fields
  • [ ] Whitelist approach (allow known-good, not block known-bad)
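The first two checklist items side by side, as an added example that is not part of the article: one lookup built by string concatenation, the same lookup with a bound parameter, and a whitelist-style shape check layered on top. The in-memory SQLite table, the `users` schema and the function names are constructed for the demo.

```python
# Added example (not from the article): the same user lookup built by string concatenation
# and with a parameterized query, against a constructed in-memory SQLite table.
import re
import sqlite3

EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def make_db() -> sqlite3.Connection:
    """Constructed sample data: two users; a lookup by email should return at most one id."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice@example.com"), (2, "bob@example.com")])
    return conn

def find_user_unsafe(conn, email: str) -> list[int]:
    """BAD: the value is spliced into the SQL text, so a quote inside it changes the query itself."""
    sql = "SELECT id FROM users WHERE email = '" + email + "'"
    return sorted(row[0] for row in conn.execute(sql))

def find_user_safe(conn, email: str) -> list[int]:
    """GOOD: '?' placeholder; the driver passes the value separately and it is only ever compared."""
    rows = conn.execute("SELECT id FROM users WHERE email = ?", (email,))
    return sorted(row[0] for row in rows)

def is_valid_email(value: str) -> bool:
    """Whitelist validation of the field's shape, layered on top of parameterization (not instead of it)."""
    return len(value) <= 254 and EMAIL.fullmatch(value) is not None

def find_user(conn, email: str) -> list[int]:
    """The version to ship: reject malformed input, then query with a bound parameter."""
    if not is_valid_email(email):
        raise ValueError("malformed email")
    return find_user_safe(conn, email)
```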

XSS (Cross-Site Scripting) Prevention:

  • [ ] Escape all user input on output
  • [ ] Content Security Policy headers
  • [ ] HTTPOnly flags on cookies
  • [ ] Modern framework with automatic output escaping (React, Vue)

CSRF (Cross-Site Request Forgery) Prevention:

  • [ ] CSRF tokens on all state-changing requests
  • [ ] SameSite cookie attribute
  • [ ] Check Origin/Referer headers

Command Injection Prevention:

  • [ ] Never pass user input to shell commands
  • [ ] Use libraries instead of shelling out
  • [ ] Whitelist the permitted commands and arguments if shelling out is unavoidable

Test Tools:

  • OWASP ZAP (automated scanner)
  • Burp Suite (manual testing)
  • SQLMap (SQL injection testing)

Data Protection

Data at Rest:

  • [ ] Database encryption (TDE or column-level)
  • [ ] File storage encrypted (AES-256)
  • [ ] Encryption keys managed separately (KMS, Vault)
  • [ ] Backups encrypted
  • [ ] PII identified and encrypted

Data in Transit:

  • [ ] HTTPS everywhere (TLS 1.2+)
  • [ ] HSTS headers enforced
  • [ ] Certificate pinning for mobile apps
  • [ ] VPN for admin access
  • [ ] Database connections encrypted

Data Lifecycle:

  • [ ] Data retention policy defined
  • [ ] Automated deletion of old data
  • [ ] GDPR "right to be forgotten" implemented
  • [ ] Data minimization (don't collect what you don't need)

API Security

API Authentication:

  • [ ] API keys required
  • [ ] OAuth 2.0 for user-delegated access
  • [ ] API keys rotated regularly
  • [ ] Keys stored in environment vars (not code)

API Rate Limiting:

  • [ ] Per-user/per-key limits
  • [ ] Global limits
  • [ ] 429 status code returned when exceeded
  • [ ] Exponential backoff suggested

API Versioning:

  • [ ] Deprecation policy (12-month notice)
  • [ ] Old versions sunsetted
  • [ ] Breaking changes = new version

API Documentation:

  • [ ] Authentication documented
  • [ ] Rate limits documented
  • [ ] Error codes documented
  • [ ] Example requests/responses

Part 3: Infrastructure Security Checklist

Network Security

Firewall & Segmentation:

  • [ ] Security groups restricted to known sources (no 0.0.0.0/0 inbound rules)
  • [ ] Production isolated from dev/staging
  • [ ] Database not publicly accessible
  • [ ] Bastion host for admin access
  • [ ] WAF (Web Application Firewall) for production

DDoS Protection:

  • [ ] Cloudflare or AWS Shield
  • [ ] Rate limiting at edge
  • [ ] Auto-scaling to handle spikes

Monitoring & Alerting:

  • [ ] Intrusion detection (IDS) enabled
  • [ ] Suspicious activity alerts
  • [ ] Failed login attempts tracked
  • [ ] Unusual API usage detected

Access Management

Privileged Access:

  • [ ] Production access = need-to-know only
  • [ ] Root/admin accounts = emergency only
  • [ ] Audit log of all privileged actions
  • [ ] Temporary elevated access (expire after 4h)

SSH Keys:

  • [ ] No password-based SSH
  • [ ] Individual keys (not shared)
  • [ ] Keys rotated annually
  • [ ] Revoked immediately on offboarding

Secrets Management:

  • [ ] No secrets in code
  • [ ] Secrets in vault (AWS Secrets Manager, HashiCorp Vault)
  • [ ] Secrets rotated quarterly
  • [ ] Environment-specific secrets

Example (Bad vs Good):

Bad:

DATABASE_URL = "postgres://user:password123@db.com/prod"

Good:

import os

DATABASE_URL = os.environ.get("DATABASE_URL")
# Actual secret stored in AWS Secrets Manager; the environment variable is populated at deploy time

Vulnerability Management

Dependency Scanning:

  • [ ] Automated scanning (Dependabot, Snyk)
  • [ ] Pull requests blocked if critical vulns
  • [ ] Weekly vulnerability review
  • [ ] Patching SLA: Critical = 7 days, High = 30 days

Container Security (if using Docker/K8s):

  • [ ] Base images from trusted sources
  • [ ] Image scanning before deploy
  • [ ] No root user in containers
  • [ ] Immutable infrastructure

Patch Management:

  • [ ] OS patches monthly
  • [ ] Critical patches within 7 days
  • [ ] Automated patching for non-prod
  • [ ] Rollback plan for failed patches

Logging & Monitoring

What to Log:

  • [ ] Authentication events (login, logout, failed attempts)
  • [ ] Authorization failures
  • [ ] Data access (especially PII)
  • [ ] System errors
  • [ ] Configuration changes
  • [ ] Admin actions

Log Requirements:

  • [ ] Centralized logging (DataDog, Splunk)
  • [ ] Logs immutable (can't be edited)
  • [ ] Retention: 1 year minimum
  • [ ] Real-time alerting on anomalies
  • [ ] Logs encrypted

Alerts:

Alert: 5 failed logins in 5 minutes
Alert: Database accessed from new IP
Alert: Production config changed
Alert: API 500 errors spike
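The first two alerts evaluated over sample log lines, as an added example that is not from the article: a per-user sliding window for failed logins and a known-address baseline for database access. The line format, field names and addresses (RFC 5737 documentation ranges) are constructed for the demo, not any real product's log schema.

```python
# Added example (not from the article): the first two alerts above, evaluated over constructed
# log lines. The line format, field names and addresses are assumptions for the demo.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE = re.compile(r"^(?P<ts>\S+) (?P<source>\w+) (?P<event>\w+) user=(?P<user>\S+) ip=(?P<ip>\S+)$")
WINDOW = timedelta(minutes=5)
THRESHOLD = 5

def parse(line: str) -> dict:
    m = LINE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return ev

def detect(lines, known_db_ips) -> list[str]:
    """Returns alert strings. known_db_ips is the baseline of addresses that legitimately reach the DB."""
    failures = defaultdict(deque)   # user -> timestamps of failed logins inside the window
    known = set(known_db_ips)
    alerts = []
    for ev in map(parse, lines):
        if ev["source"] == "auth" and ev["event"] == "login_failed":
            q = failures[ev["user"]]
            q.append(ev["ts"])
            while ev["ts"] - q[0] > WINDOW:          # forget attempts older than 5 minutes
                q.popleft()
            if len(q) == THRESHOLD:                  # fire once, when the threshold is crossed
                alerts.append(f"{ev['ts']:%H:%M:%S} {THRESHOLD} failed logins for {ev['user']} in 5 min")
        elif ev["source"] == "db" and ev["ip"] not in known:
            alerts.append(f"{ev['ts']:%H:%M:%S} database accessed from new IP {ev['ip']} (user {ev['user']})")
            known.add(ev["ip"])                      # alert once per new address, not per query
    return alerts

# Constructed sample: alice's failures are spread over 9 minutes (no alert), bob's over 40 s (alert),
# and the database is reached from the known host and then from a new one (one alert).
SAMPLE_LINES = [
    "2025-01-18T10:00:00Z auth login_failed user=alice ip=203.0.113.5",
    "2025-01-18T10:01:00Z auth login_failed user=alice ip=203.0.113.5",
    "2025-01-18T10:02:00Z auth login_failed user=alice ip=203.0.113.5",
    "2025-01-18T10:03:00Z auth login_failed user=alice ip=203.0.113.5",
    "2025-01-18T10:05:00Z db query user=svc_app ip=198.51.100.7",
    "2025-01-18T10:06:00Z db query user=svc_app ip=203.0.113.9",
    "2025-01-18T10:07:00Z db query user=svc_app ip=203.0.113.9",
    "2025-01-18T10:09:00Z auth login_failed user=alice ip=203.0.113.5",
] + [f"2025-01-18T10:10:{s:02d}Z auth login_failed user=bob ip=203.0.113.8" for s in (0, 10, 20, 30, 40)]
KNOWN_DB_IPS = ["198.51.100.7"]
```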

Part 4: Compliance & SOC2 Preparation

SOC2 Overview

What is SOC2? Third-party audit of your security controls.

Why You Need It:

  • Enterprise customers require it
  • Competitive advantage
  • Reduced security questionnaires
  • Insurance discounts

Cost:

  • Preparation: $30-80K (tools, consultant)
  • Audit: $20-50K annually
  • Timeline: 6-12 months

Types:

  • Type 1: Controls exist (point in time)
  • Type 2: Controls operated effectively over an observation period (3-12 months)

Trust Service Criteria:

  1. Security (required)
  2. Availability (optional)
  3. Processing Integrity (optional)
  4. Confidentiality (optional)
  5. Privacy (optional)

Most companies do: Security + Availability

SOC2 Preparation Checklist

Policies & Procedures (2-3 months):

  • [ ] Information Security Policy
  • [ ] Access Control Policy
  • [ ] Incident Response Plan
  • [ ] Business Continuity Plan
  • [ ] Vendor Management Policy
  • [ ] Change Management Policy
  • [ ] Acceptable Use Policy

Technical Controls (3-4 months):

  • [ ] SSO implemented
  • [ ] MFA enforced
  • [ ] Logging centralized
  • [ ] Backups tested
  • [ ] Encryption at rest + in transit
  • [ ] Vulnerability scanning automated
  • [ ] Penetration test completed

Operational Controls (Ongoing):

  • [ ] Quarterly access reviews
  • [ ] Annual security training
  • [ ] Vendor risk assessments
  • [ ] Background checks for employees
  • [ ] Asset inventory maintained
  • [ ] Change request process

Evidence Collection (Continuous):

  • [ ] Screenshots of controls
  • [ ] Access review reports
  • [ ] Training completion records
  • [ ] Ticket system for changes
  • [ ] Meeting minutes

Audit Preparation (1-2 months):

  • [ ] Hire auditor
  • [ ] Gap assessment
  • [ ] Remediate findings
  • [ ] Readiness assessment
  • [ ] Official audit
  • [ ] Report issued

DIY vs Consultant

DIY (Save $30-50K):

  • Pros: Cheaper, learn deeply
  • Cons: 6-12 month distraction, easy to miss things
  • When: You have security background, 12+ months timeline

Consultant (e.g., Vanta, Drata, Secureframe):

  • Pros: Faster (3-6 months), less risky, automation
  • Cons: $20-40K cost
  • When: Enterprise deals pending, no security expertise

Hybrid (Recommended):

  • Use automated platform (Vanta: $12K/year)
  • Hire consultant for gap analysis ($10K)
  • DIY policy writing
  • Consultant reviews

Part 5: Incident Response Plan

Incident Classification

Severity Levels:

P0 - Critical:

  • Data breach (PII exposed)
  • System compromise (attacker access)
  • Ransomware
  • Response: Immediate, all-hands

P1 - High:

  • Vulnerability exploited (no data loss yet)
  • Unauthorized access attempt
  • DDoS attack
  • Response: under 1 hour

P2 - Medium:

  • Vulnerability discovered (not exploited)
  • Phishing attempt
  • Suspicious activity
  • Response: under 4 hours

P3 - Low:

  • Security scan findings
  • Policy violations
  • Expired certificates
  • Response: Next business day

Incident Response Playbook

Step 1: Detect & Report (0-15 min)

  • Automated alert or manual report
  • Create incident ticket
  • Notify security lead or CTO

Step 2: Contain (15-60 min)

  • Isolate affected systems
  • Revoke compromised credentials
  • Block malicious IPs
  • Preserve evidence (logs, snapshots)

Step 3: Investigate (1-4 hours)

  • Determine scope (what was accessed?)
  • Identify attack vector (how did they get in?)
  • Assess impact (what data was exposed?)

Step 4: Eradicate (2-8 hours)

  • Remove malware/backdoors
  • Patch vulnerability
  • Reset all credentials
  • Rebuild compromised systems

Step 5: Recover (4-24 hours)

  • Restore from clean backups
  • Verify systems clean
  • Resume normal operations
  • Monitor for re-infection

Step 6: Post-Incident Review (1-3 days)

  • Document timeline
  • Identify root cause
  • Update runbooks
  • Implement preventive measures

Communication Plan:

  • Internal: Slack #security-incident
  • Customers: Email if data exposed (GDPR: within 72 hours)
  • Regulators: Notify if required
  • Public: PR statement if major breach

Part 6: Security Tools Stack

Essential Tools by Stage

Startup (under 10 engineers):

  • 1Password (password manager): $8/user/month
  • GitHub Security Scanning (free)
  • Cloudflare (WAF + DDoS): Free tier
  • AWS GuardDuty (threat detection): $4/month
  • Total: under $200/month

Growth (10-50 engineers):

  • Add: Snyk (dependency scanning): $50/month
  • Add: Wiz or Orca (cloud security): $500/month
  • Add: Datadog Security (logging + monitoring): $500/month
  • Add: Vanta (SOC2 automation): $1K/month
  • Total: ~$2K/month

Scale (50+ engineers):

  • Add: Dedicated security engineer
  • Add: CrowdStrike (endpoint protection): $10/endpoint
  • Add: Bug bounty program (HackerOne): $20K/year
  • Add: Penetration testing: $30K annually
  • Total: $150K+/year (incl. headcount)

Tool Categories

Identity & Access:

  • Okta, Auth0 (SSO)
  • 1Password, LastPass (password management)
  • Duo, YubiKey (2FA/MFA)

Vulnerability Management:

  • Snyk, Dependabot (dependencies)
  • Wiz, Orca, Lacework (cloud security)
  • Qualys, Tenable (vulnerability scanning)

Monitoring & Detection:

  • Datadog, Splunk (SIEM)
  • AWS GuardDuty, Azure Sentinel (threat detection)
  • Sentry (error tracking)

Compliance:

  • Vanta, Drata, Secureframe (SOC2 automation)
  • OneTrust (privacy compliance)

Part 7: Security Training Program

Onboarding Security Training (Day 1)

Topics (30-minute session):

  • [ ] Password policy (12+ chars, no reuse)
  • [ ] 2FA setup (required)
  • [ ] Phishing recognition
  • [ ] Data handling (PII, encryption)
  • [ ] Incident reporting process
  • [ ] Acceptable use policy

Deliverables:

  • Sign security policy
  • Complete 2FA setup
  • Pass phishing quiz (80%+)

Annual Security Training

Topics (60-90 minutes):

  • Threat landscape updates
  • Recent security incidents (case studies)
  • Social engineering tactics
  • Secure coding practices
  • GDPR/privacy requirements
  • Incident response drill

Frequency: Annually (or when SOC2 requires)

Tools:

  • KnowBe4 (phishing simulations)
  • SANS (training courses)
  • Custom internal training

Phishing Simulations

Cadence: Quarterly

Process:

  1. Send simulated phishing email
  2. Track who clicks/enters data
  3. Provide immediate education
  4. Measure improvement over time

Target: under 5% click rate after 1 year


Templates & Checklists

Pre-Launch Security Checklist

Before launching any product:

Authentication:

  • [ ] 2FA available
  • [ ] Password requirements enforced
  • [ ] Session timeout configured

Data Protection:

  • [ ] HTTPS only
  • [ ] Database encrypted
  • [ ] Backups automated

Vulnerabilities:

  • [ ] OWASP Top 10 tested
  • [ ] Dependencies scanned
  • [ ] Penetration test passed

Compliance:

  • [ ] Privacy policy published
  • [ ] Terms of service
  • [ ] Cookie consent (if EU users)
  • [ ] GDPR-compliant (if applicable)

Quarterly Security Review

Review Agenda (Every 3 months):

  1. Access review (remove unnecessary access)
  2. Vulnerability scan results
  3. Incident log review
  4. Policy updates needed?
  5. Training compliance check

Deliverable: Security scorecard

| Metric | Target | Actual | Status |
|--------|--------|--------|--------|
| Vulnerabilities (Critical) | 0 | 2 | 🔴 |
| Patch SLA Compliance | 95% | 92% | 🟡 |
| 2FA Adoption | 100% | 98% | 🟡 |
| Security Training Complete | 100% | 100% | 🟢 |
| Failed Pen Test Items | 0 | 0 | 🟢 |


Success Metrics

Security Maturity:

  • Maturity level (0-4): Target Level 2+ for B2B SaaS
  • SOC2 certified: Within 12 months of enterprise sales push

Vulnerability Management:

  • Critical vulnerabilities open: 0
  • High vulnerabilities: under 5
  • Patch SLA compliance: over 90%

Incident Response:

  • P0 response time: under 15 min
  • Security incidents: Decreasing YoY
  • Post-incident action items completed: 100%

Training & Culture:

  • Security training completion: 100%
  • Phishing simulation click rate: under 5%
  • Security escalations by engineers: Increasing (good sign)

Remember: Security is not a one-time project—it's an ongoing process. Start with the basics, build incrementally, and make security everyone's responsibility. A breach can destroy years of trust in minutes. Prevention is 100x cheaper than response.