Cloud version. No SSO tax. We're doing a Show HN as we had strong conviction our message would resonate without the "sticky" Launch HN board. Looks like we were right!
We are building out an OSS startup security program: Prowler as the CSPM, Trufflehog for secrets scanning, and for code scanning... I personally think GitHub CodeQL is good enough, but please tell me otherwise. Our security model for our AWS infra definitely relies a lot on having fine-grained ACLs and security groups. The stack is all in AWS CDK and open source (of course, I'm not a fan when OSS security platforms claim to support self-hosted but it's only a docker-compose file). Supply chain attacks: we keep dependencies light and also rely on GitHub's dependency scanner.
I believe you're a fan of Panther? I find that funny because their out-of-the-box detection rules are limited. Once again, a good CSPM and SSO will do a lot more than a SIEM for startup security. Unless you are really telling me we need a 24/7 blue team monitoring our 10-15ish alerts. Oh by the way, we use AWS SSO and org, only role based permissions for everything, fine-grained GitHub SSO for CICD (down to the repo level because we know about that sneaky privesc path when you use *), and isolated SCPs for prod and staging (of course).
You mentioned phishing two technical founders as some real security threat. That might FUD someone with no security experience who doesn't have FIDO2 or device MFA set up. But it turns out my cofounder and I have both those things!
And because we know what we are doing, CloudTrail is set up in a separate OU to avoid log tampering in case of a breach.
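The commenter describes keeping CloudTrail in its own OU and using SCPs to fence prod and staging. As an added illustration (not the commenter's own configuration), this is the shape of a service control policy that an org admin could attach to the workload OUs so that no principal in those accounts, whatever IAM permissions it has in-account, can stop, delete or reconfigure the organization trail. The trail ARN and the management role ARN below are placeholders; the action names are the real CloudTrail API actions.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyCloudTrailTampering",
      "Effect": "Deny",
      "Action": [
        "cloudtrail:StopLogging",
        "cloudtrail:DeleteTrail",
        "cloudtrail:UpdateTrail",
        "cloudtrail:PutEventSelectors"
      ],
      "Resource": "arn:aws:cloudtrail:*:ACCOUNT_ID_PLACEHOLDER:trail/ORG_TRAIL_NAME_PLACEHOLDER",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalARN": "arn:aws:iam::*:role/ORG_LOGGING_ADMIN_ROLE_PLACEHOLDER"
        }
      }
    }
  ]
}
```

Because SCPs are evaluated before any account-level IAM allow, this holds even if a compromised credential in a prod account has `cloudtrail:*`. The exception role should live only in the logging/management account, so the condition never matches a principal from a workload account; pair it with an S3 bucket policy on the log bucket that denies `s3:DeleteObject` and `s3:PutBucketPolicy` from anything other than that same role, since the trail configuration and the log storage are separate tampering surfaces.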
dogman144|1 year ago