> As security professionals, we need to help entrepreneurs and educate developers find a good balance between building a business and building good security practices. This is the goal of this checklist.
No offense, but that’s not an answer to tptacek’s point. I can’t speak for him, but he probably agrees with this point. But that’s a soundbite - everyone would agree with that “we security professionals need to help entrepreneurs help themselves”, etc. The devil is in the details. He is critiquing the checklist’s content, not the checklist.
To make this comment constructive, I’m going to provide a link to what I personally consider very high quality advice for companies, written on the blog of Facebook and Coinbase’s former director of security:
https://medium.com/starting-up-security/starting-up-security...
Beyond that, having worked directly with many founders of early stage companies for security, I have to say I disagree that they can’t think about security early on. Resources like the series of articles I’ve linked to show how to navigate that compromise effectively.