The SaaS CTO Security Checklist
 Share
 
View only
 
 
Still loading...
ABCDEFGHIJKLMNOPQRSTUVWXY
1
2
AreaCompany StageTipDescriptionRead More
3
CompanySeedEnsure your domain names are securedDomain names should be renewed regularly. If you have bought one from a third party, you should also make sure that the authoritative configured name server is your own.http://www.esecurityplanet.com/views/article.php/3928456/8-Tips-for-Protecting-Your-Domain-Names.htm
4
CompanySeedBe honest and transparent about any data you collectIn the case of a breach, the attackers may disclose any data they gather. Your customers need to be aware of what data you're storing.https://hbr.org/2015/05/customer-data-designing-for-transparency-and-trust
5
CompanySeedMake sure all your critical services are securedMany companies rely on Google Apps, Slack, Wordpress… These services all have defaults that should be improved to increase the security level. All of these services should be kept up to date.https://blog.trailofbits.com/2015/07/07/how-to-harden-your-google-apps/https://codex.wordpress.org/Hardening_WordPress
6
CompanySeedDo not share WiFiSharing WiFi networks with guests or neighbors may give them the opportunity to gather information on your network, and allow them to access resources protected by source IP. Use an isolated and dedicated guest WiFi network. Set up a calendar reminder to change the password every two months, since this password is shared.
7
CompanySeries ATake special care of your non-tech employeesNon-tech employees are less used to technical trickery and can be deceived more easily than others, opening the door to ransomware or confidentiality issues. They should be trained and empowered to be distrustful and to preserve the company’s assets.http://www.zdnet.com/pictures/hacked-the-six-most-common-ways-non-tech-people-fall-victim
8
CompanySeries AHave a public security policyThis is a page on your corporate website describing how you plan to respond to external bug reports. You should advertise that you support responsible disclosure. Keep in mind that most of the reports that you receive probably won't be relevant.https://www.airbnb.com/securityhttps://www.apple.com/support/security/
9
CompanyPost-Series AHave an internal security policyThis is a short document stating the security requirements in your company and defining who is responsible and who is concerned with all aspects of security.https://www.sans.org/reading-room/whitepapers/policyissues/creating-information-systems-security-policy-534
10
CompanyPost-Series ASet up a bug bounty programA bug bounty program will allow external hackers to report vulnerabilities. Most of the bug bounties program allow you to offer rewards for bugs found. You need security aware people inside your development teams to evaluate any reports you receive.https://bountyfactory.io/https://hackerone.com/https://cobalt.io
11
CompanyPost-Series AMake an inventory of your company’s assetsAn awareness of your company’s assets enables you to monitor the points that need the most attention and vulnerabilities that need to be hardened.http://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
12
CompanyPost-Series AHave a security incident response planThis will allow whoever is in charge at the time of a breach to communicate accordingly about an incident and will allow the fastest response in technical / communication terms.https://zeltser.com/security-incident-response-program-tips/
13
CompanySeedAccustom everyone to security practicesHumans are often the weakest links in the chain of security. By explaining how an attacker could infiltrate your company, you will increase your employees’ awareness and thus minimize the chance of them falling for such a trap.http://www.govtech.com/blogs/lohrmann-on-cybersecurity/Ten-Recommendations-for-Security-Awareness-Programs.html
14
CompanySeedRequire 2FA in your servicesYour employees should all use 2-factor authentication on all services you use. If their password is stolen, the attacker cannot use it without the second factor.https://en.wikipedia.org/wiki/Multi-factor_authenticationhttps://support.google.com/a/answer/184711https://get.slack.help/hc/en-us/articles/212221668-Require-two-factor-authentication-for-your-team
15
CompanySeedEncrypt all employee laptops & phonesBy encrypting all laptops, you protect both your company’s assets, and your employees’ private files.https://support.apple.com/en-us/HT204837https://wiki.archlinux.org/index.php/Dm-crypthttps://support.microsoft.com/en-us/instantanswers/e7d75dd2-29c2-16ac-f03d-20cfdf54202f/turn-on-device-encryption
16
CompanySeedAccustom your team to locking their machines while awayYour office may be secured, but you will eventually have to receive external people for a party or a meeting. Locking all the machines is a great habit. If you get in the habit of locking your machine at the office, you’ll be unlikely to forget to also do it in a Starbucks or at a meetup.https://www.cnet.com/how-to/7-ways-to-lock-your-macbook
17
CompanySeedUse a password manager to ensure you only use strong passwordsUsing a complex and unique password for every website is great advice, but it can be very difficult to remember all of them. Password managers are a great way to manage these, since they will remember everything for you with a master password.https://www.dashlane.comhttps://lastpass.comhttps://support.apple.com/en-us/HT204085
18
CompanySeedFollow an onboarding / offboarding checklistThis checklist should contain a list of all the steps you need to enforce when an employee, contractor, intern, etc., joins your company. A similar list should also be used when the someone is leaving your team to ensure that they no longer have access to any of your company’s resources.https://about.gitlab.com/handbook/general-onboarding/https://about.gitlab.com/handbook/offboarding/
19
CompanySeries ADo not share accountsSharing a user account makes it hard to understand who is using the service or to identify who has performed a given action.
20
CompanySeries AUse centralized account managementA centralized place with all user authorizations is the best way not to forget anything once you need to update a user profile (e.g. if an internship came to its end). It is also great place to define standard account creation you need for a given user.https://support.google.com/a/answer/6087519
21
InfrastructureSeedUse SSL certificates to secure people using your websiteEncrypting communications is not only about privacy, but also about your users’ safety, since it will prevent most attempts at tempering with what they receive.https://letsencrypt.org/https://www.cloudflare.com/ssl/
22
InfrastructureSeedCheck your website’s basic securityWebsites are vulnerable to many different classes of vulnerabilities, some may be prevented by the appropriate configuration on the server. Static websites may expose your users to less risks.https://myheaders.sqreen.iohttps://securityheaders.iohttps://www.ssllabs.com/
23
InfrastructureSeedIsolate assets at the network levelOnly your public APIs should be exposed to the Internet. You should isolate your networks to prevent any unauthorized accesses to your database. This will prevent attackers from connecting to it and attempting to crack the password, or exploit vulnerabilities.http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Subnets.html
24
InfrastructureSeedKeep your OS up to dateYou should download all of your OS’s security updates and regularly update your machines. For servers, you can delegate it to a PaaS provider (Heroku, AWS Beanstalk, etc.).https://appcanary.com/
25
InfrastructureSeedBackup, then backup againBackup all your critical assets. Ensure that you attempt to restore your backups frequently so you can guarantee that they're working as intended. S3 is a very cheap and effective way to backup your assets:https://aws.amazon.com/getting-started/backup-files-to-amazon-s3/
26
InfrastructureSeries ARestrict internal services by IP addresses (your company’s ISP, VPNs, etc.)Everything non-public should only be accessible through a bounce host (e.g. no direct access to databases).https://aws.amazon.com/fr/blogs/security/securely-connect-to-linux-instances-running-in-a-private-amazon-vpc/
27
InfrastructureSeries ACentralize and archive your logs and make them meaningfulLogs are necessary to trace what happened after an incident, find where the attacker came from, and possible even who they are. Many solutions exist to gather your logs. You need to take care about that the system time configured on each of your machines is in sync so that you can easily cross-correlate logs.https://en.wikipedia.org/wiki/Network_Time_Protocolhttps://www.elastic.co/products
28
InfrastructureSeries AProtect your application from DDoS attacksA Distributed Denial-of-Service Attack (DDoS) can have devastating consequences on businesses. Basic DDoS protections can easily by integrated with a CDN such as CloudFlare or CloudFront.
29
InfrastructureSeries AKeep a list of your serversThis is built-in if you are using a cloud service and all your machines are registered or spawned through it. Otherwise, you will need to create and maintain a list of your assets (servers, network devices, etc.), and review it regularly to determine if you still need them, keep them up to date, and ensure that they benefit from your latest deployments.
30
InfrastructureSeries AWatch for unusual patterns in your metricsTakeovers will often be used to steal your data or setup your servers to be used as bouncers. These can be detected by watching for unusual patterns in metrics such as network bandwidth, CPU and memory consumption, and disk usage.https://newrelic.com/server-monitoringhttps://www.sysdig.com/
31
InfrastructurePost-Series AKnow how to redeploy infrastructure from scratchThis allows you to quickly spawn new infrastructure and populate it with data from your backups. This is the perfect use case for disaster recovery.https://aws.amazon.com/cloudformation/https://cloud.google.com/deployment-manager/
32
CodeSeedEnforce a secure code review checklistSecurity should always be kept in mind while coding. Pull requests should be performed with security in mind as well. Depending on where the code is, the checks should be different. Dealing with user entry is one thing, dealing with business structures is another: the concerns are related to the context. In addition to common sense, keep in mind the typical security flaws. Security is also a good topic to ask about when interviewing a candidate.https://www.owasp.org/index.php/Top_10_2013-Top_10
33
CodeSeedUse a static security code analysis toolStatic code analysis tools can quickly overwhelm you with a lot of meaningless false-positives. But switching on security-focused tools can help you discover vulnerabilities inside your code and most importantly increase the security awareness inside your team. Integrate these tools with your workflow to reduce friction. Post-commit checks that automatically comment where code reviews are performed are ideal.https://www.codacy.com/https://www.owasp.org/index.php/Source_Code_Analysis_Tools
34
CodeSeedMaintain a backlog of security concerns in your issue tracking toolEvery developer should contribute to maintaining a list of security issues to be fixed in the future. Making them available to the rest of the team will increase the security awareness in the company.
35
CodeSeedNever do cryptography yourselfAlways rely on existing mechanisms, libraries and tools. Cryptography is an expertise. Building your implementations, or using flags and options you don't fully understand will expose you to major risks. Libraries such as na.cl expose few options and restrict you to the good choices.https://nacl.cr.yp.to/
36
CodeSeedKeep secrets away from codeNever commit secrets in your code. They should be handled separately in order to prevent them accidentally being shared or exposed. This allows a clear separation between your environments (typically development, staging and production).https://12factor.net/
37
CodeSeries APerform security oriented test sessionsOnce in a while, the entire technical team should sit together and spend time targeting all parts of the application, looking for vulnerabilities. This is a great time to test for account isolation, token unicity, unauthenticated paths, etc. You will heavily rely on your browser’s web console, curl, and 3rd party tools such as Burp.https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents
38
CodePost-Series AUse a secure development life cycleThe secure development lifecycle is a process that helps tackle security issues at the beginning of a project. While rarely used as is, it provides good insights at all stages of the project, from the specification to the release. It will allow you to enforce good practices at every stage of the project life.https://en.wikipedia.org/wiki/Systems_development_life_cycle
39
ApplicationSeedRun it unprivilegedIn case an attacker successfully attacks your application, having it running as a user with restricted privileges will make it harder for the attacker to take over the host and/or to bounce to other services. Privileged users are root on Unix systems, and Administrator or System on Windows systems.
40
ApplicationSeedMonitor your dependenciesApplications are built using dozens of third party libraries. A single flaw in any of these libraries may put your entire application at risk. Some tools allow you to monitor your dependencies against vulnerabilities:https://www.sqreen.io/https://appcanary.com/https://snyk.io/https://gemnasium.com/
41
ApplicationSeries AUse a real-time protection serviceThese tools protect web applications from attacks at runtime. The protection logic is inserted into applications. They protect against all major vulnerabilities (SQL injections, XSS attacks, account takeovers, code injections, etc.) without false positives.https://www.sqreen.io/http://www8.hp.com/us/en/software-solutions/appdefender-application-self-protection/
42
ApplicationPost-Series AHire an external penetration testing teamThese take an external and naive point of view of your infrastructure and products. Pentesters will take nothing for granted and will check even the most basic assumptions, as well as all of your infrastructure. You can also ask them to start with a full, blind discovery of your infrastructure, which can help you remember about old assets.http://www.zdnet.com/article/10-things-you-need-to-know-before-hiring-penetration-testers/
43
Product UsersSeedEnforce a password policyYour user accounts will be much harder to steal if you require them to use complex passwords: mixed case, special characters, minimum length, etc.
44
Product UsersSeries AEncourage your users to use 2FAAs you get higher profile customers, you will be required to implement stronger security practices. This includes offering them 2-factor authentication, role-based account management, etc.https://auth0.com/https://stormpath.com/
45
Product UsersSeries AMonitor your users’ suspicious activitiesSome users may behave suspiciously, trying to hack into your application, subvert your services, or bother your other customers. By monitoring such users, you will be able to block or flag the illegitimate ones.https://www.sqreen.iohttps://castle.io
46
47
48
49
50
51
52
53
54
55
YOUR COMPANY
56
YOUR COMPANYEnsure your domain names are secured
57
YOUR COMPANYEnsure your domain names are securedSeed
58
YOUR COMPANYEnsure your domain names are securedSeedDomain names should be renewed regularly. If you have bought one from a third party, you should also make sure that the authoritative configured name server is your own.
59
Ensure your domain names are securedSeedDomain names should be renewed regularly. If you have bought one from a third party, you should also make sure that the authoritative configured name server is your own.
60
SeedDomain names should be renewed regularly. If you have bought one from a third party, you should also make sure that the authoritative configured name server is your own.Read more:
61
Domain names should be renewed regularly. If you have bought one from a third party, you should also make sure that the authoritative configured name server is your own.Read more:
62
YOUR COMPANYRead more:http://www.esecurityplanet.com/views/article.php/3928456/8-Tips-for-Protecting-Your-Domain-Names.htm
63
YOUR COMPANYEnsure your domain names are securedRead more:http://www.esecurityplanet.com/views/article.php/3928456/8-Tips-for-Protecting-Your-Domain-Names.htmBe honest and transparent about any data you collect
64
Ensure your domain names are securedYOUR COMPANYSeedhttp://www.esecurityplanet.com/views/article.php/3928456/8-Tips-for-Protecting-Your-Domain-Names.htmBe honest and transparent about any data you collectSeed
65
YOUR COMPANYDomain names should be renewed regularly. If you have bought one from a third party, you should also make sure that the authoritative configured name server is your own.SeedBe honest and transparent about any data you collectSeedIn the case of a breach, the attackers may disclose any data they gather. Your customers need to be aware of what data you're storing.
66
YOUR COMPANYDomain names should be renewed regularly. If you have bought one from a third party, you should also make sure that the authoritative configured name server is your own.Read more:SeedIn the case of a breach, the attackers may disclose any data they gather. Your customers need to be aware of what data you're storing.Read more:
67
YOUR COMPANYRead more:In the case of a breach, the attackers may disclose any data they gather. Your customers need to be aware of what data you're storing.Read more:
68
YOUR COMPANYRead more:http://www.esecurityplanet.com/views/article.php/3928456/8-Tips-for-Protecting-Your-Domain-Names.htmRead more:https://hbr.org/2015/05/customer-data-designing-for-transparency-and-trust
69
YOUR COMPANYhttp://www.esecurityplanet.com/views/article.php/3928456/8-Tips-for-Protecting-Your-Domain-Names.htmBe honest and transparent about any data you collectRead more:https://hbr.org/2015/05/customer-data-designing-for-transparency-and-trustMake sure all your critical services are secured
70
YOUR COMPANYBe honest and transparent about any data you collecthttp://www.esecurityplanet.com/views/article.php/3928456/8-Tips-for-Protecting-Your-Domain-Names.htmSeedhttps://hbr.org/2015/05/customer-data-designing-for-transparency-and-trustMake sure all your critical services are securedSeed
71
YOUR COMPANYIn the case of a breach, the attackers may disclose any data they gather. Your customers need to be aware of what data you're storing.SeedMake sure all your critical services are securedSeedMany companies rely on Google Apps, Slack, Wordpress… These services all have defaults that should be improved to increase the security level. All of these services should be kept up to date.
72
YOUR COMPANYIn the case of a breach, the attackers may disclose any data they gather. Your customers need to be aware of what data you're storing.Read more:SeedMany companies rely on Google Apps, Slack, Wordpress… These services all have defaults that should be improved to increase the security level. All of these services should be kept up to date.Read more:
73
YOUR COMPANYRead more:Many companies rely on Google Apps, Slack, Wordpress… These services all have defaults that should be improved to increase the security level. All of these services should be kept up to date.Read more:
74
YOUR COMPANYRead more:https://hbr.org/2015/05/customer-data-designing-for-transparency-and-trustRead more:https://blog.trailofbits.com/2015/07/07/how-to-harden-your-google-apps/
75
YOUR COMPANYhttps://hbr.org/2015/05/customer-data-designing-for-transparency-and-trustMake sure all your critical services are securedRead more:https://blog.trailofbits.com/2015/07/07/how-to-harden-your-google-apps/https://codex.wordpress.org/Hardening_WordPress
76
YOUR COMPANYMake sure all your critical services are securedhttps://hbr.org/2015/05/customer-data-designing-for-transparency-and-trustSeedhttps://blog.trailofbits.com/2015/07/07/how-to-harden-your-google-apps/https://codex.wordpress.org/Hardening_WordPressDo not share WiFi
77
YOUR COMPANYMany companies rely on Google Apps, Slack, Wordpress… These services all have defaults that should be improved to increase the security level. All of these services should be kept up to date.Seedhttps://codex.wordpress.org/Hardening_WordPressDo not share WiFiSeedSharing WiFi networks with guests or neighbors may give them the opportunity to gather information on your network, and allow them to access resources protected by source IP. Use an isolated and dedicated guest WiFi network. Set up a calendar reminder to change the password every two months, since this password is shared.
78
YOUR COMPANYMany companies rely on Google Apps, Slack, Wordpress… These services all have defaults that should be improved to increase the security level. All of these services should be kept up to date.Read more:Do not share WiFiSeedSharing WiFi networks with guests or neighbors may give them the opportunity to gather information on your network, and allow them to access resources protected by source IP. Use an isolated and dedicated guest WiFi network. Set up a calendar reminder to change the password every two months, since this password is shared.Take special care of your non-tech employees
79
YOUR COMPANYRead more:SeedSharing WiFi networks with guests or neighbors may give them the opportunity to gather information on your network, and allow them to access resources protected by source IP. Use an isolated and dedicated guest WiFi network. Set up a calendar reminder to change the password every two months, since this password is shared.Take special care of your non-tech employeesSeries A
80
YOUR COMPANYRead more:https://blog.trailofbits.com/2015/07/07/how-to-harden-your-google-apps/Sharing WiFi networks with guests or neighbors may give them the opportunity to gather information on your network, and allow them to access resources protected by source IP. Use an isolated and dedicated guest WiFi network. Set up a calendar reminder to change the password every two months, since this password is shared.Take special care of your non-tech employeesSeries ANon-tech employees are less used to technical trickery and can be deceived more easily than others, opening the door to ransomware or confidentiality issues. They should be trained and empowered to be distrustful and to preserve the company’s assets.
81
YOUR COMPANYhttps://blog.trailofbits.com/2015/07/07/how-to-harden-your-google-apps/https://codex.wordpress.org/Hardening_WordPressTake special care of your non-tech employeesSeries ANon-tech employees are less used to technical trickery and can be deceived more easily than others, opening the door to ransomware or confidentiality issues. They should be trained and empowered to be distrustful and to preserve the company’s assets.
82
YOUR COMPANYhttps://codex.wordpress.org/Hardening_WordPresshttps://blog.trailofbits.com/2015/07/07/how-to-harden-your-google-apps/Do not share WiFiSeries ANon-tech employees are less used to technical trickery and can be deceived more easily than others, opening the door to ransomware or confidentiality issues. They should be trained and empowered to be distrustful and to preserve the company’s assets.Read more:
83
YOUR COMPANYDo not share WiFihttps://codex.wordpress.org/Hardening_WordPressSeedNon-tech employees are less used to technical trickery and can be deceived more easily than others, opening the door to ransomware or confidentiality issues. They should be trained and empowered to be distrustful and to preserve the company’s assets.Read more:
84
YOUR COMPANYSharing WiFi networks with guests or neighbors may give them the opportunity to gather information on your network, and allow them to access resources protected by source IP. Use an isolated and dedicated guest WiFi network. Set up a calendar reminder to change the password every two months, since this password is shared.SeedTake special care of your non-tech employeesRead more:http://www.zdnet.com/pictures/hacked-the-six-most-common-ways-non-tech-people-fall-victimHave a public security policy
85
YOUR COMPANYTake special care of your non-tech employeesSharing WiFi networks with guests or neighbors may give them the opportunity to gather information on your network, and allow them to access resources protected by source IP. Use an isolated and dedicated guest WiFi network. Set up a calendar reminder to change the password every two months, since this password is shared.Series Ahttp://www.zdnet.com/pictures/hacked-the-six-most-common-ways-non-tech-people-fall-victimHave a public security policySeries A
86
YOUR COMPANYNon-tech employees are less used to technical trickery and can be deceived more easily than others, opening the door to ransomware or confidentiality issues. They should be trained and empowered to be distrustful and to preserve the company’s assets.Series AHave a public security policySeries AThis is a page on your corporate website describing how you plan to respond to external bug reports. You should advertise that you support responsible disclosure. Keep in mind that most of the reports that you receive probably won't be relevant.
87
YOUR COMPANYNon-tech employees are less used to technical trickery and can be deceived more easily than others, opening the door to ransomware or confidentiality issues. They should be trained and empowered to be distrustful and to preserve the company’s assets.Read more:Series AThis is a page on your corporate website describing how you plan to respond to external bug reports. You should advertise that you support responsible disclosure. Keep in mind that most of the reports that you receive probably won't be relevant.Great examples:
88
YOUR COMPANYRead more:This is a page on your corporate website describing how you plan to respond to external bug reports. You should advertise that you support responsible disclosure. Keep in mind that most of the reports that you receive probably won't be relevant.Great examples:
89
YOUR COMPANYRead more:http://www.zdnet.com/pictures/hacked-the-six-most-common-ways-non-tech-people-fall-victimGreat examples:https://www.airbnb.com/security
90
YOUR COMPANYhttp://www.zdnet.com/pictures/hacked-the-six-most-common-ways-non-tech-people-fall-victimHave a public security policyGreat examples:https://www.airbnb.com/securityhttps://www.apple.com/support/security/
91
YOUR COMPANYHave a public security policyhttp://www.zdnet.com/pictures/hacked-the-six-most-common-ways-non-tech-people-fall-victimSeries Ahttps://www.airbnb.com/securityhttps://www.apple.com/support/security/Have an internal security policy
92
YOUR COMPANYThis is a page on your corporate website describing how you plan to respond to external bug reports. You should advertise that you support responsible disclosure. Keep in mind that most of the reports that you receive probably won't be relevant.Series Ahttps://www.apple.com/support/security/Have an internal security policyPost-Series AThis is a short document stating the security requirements in your company and defining who is responsible and who is concerned with all aspects of security.
93
YOUR COMPANYThis is a page on your corporate website describing how you plan to respond to external bug reports. You should advertise that you support responsible disclosure. Keep in mind that most of the reports that you receive probably won't be relevant.Great examples:Have an internal security policyPost-Series AThis is a short document stating the security requirements in your company and defining who is responsible and who is concerned with all aspects of security.
94
YOUR COMPANYGreat examples:Post-Series AThis is a short document stating the security requirements in your company and defining who is responsible and who is concerned with all aspects of security.Read More:
95
YOUR COMPANYGreat examples:https://www.airbnb.com/securityThis is a short document stating the security requirements in your company and defining who is responsible and who is concerned with all aspects of security.Read More:
96
YOUR COMPANYhttps://www.airbnb.com/securityhttps://www.apple.com/support/security/Read More:https://www.sans.org/reading-room/whitepapers/policyissues/creating-information-systems-security-policy-534
97
YOUR COMPANYhttps://www.apple.com/support/security/https://www.airbnb.com/securityHave an internal security policyRead More:https://www.sans.org/reading-room/whitepapers/policyissues/creating-information-systems-security-policy-534Set up a bug bounty program
98
YOUR COMPANYHave an internal security policyhttps://www.apple.com/support/security/Post-Series Ahttps://www.sans.org/reading-room/whitepapers/policyissues/creating-information-systems-security-policy-534Set up a bug bounty programPost-Series A
99
YOUR COMPANYThis is a short document stating the security requirements in your company and defining who is responsible and who is concerned with all aspects of security.Post-Series ASet up a bug bounty programPost-Series AA bug bounty program will allow external hackers to report vulnerabilities. Most of the bug bounties program allow you to offer rewards for bugs found. You need security aware people inside your development teams to evaluate any reports you receive.
100
YOUR COMPANYThis is a short document stating the security requirements in your company and defining who is responsible and who is concerned with all aspects of security.Read More:Post-Series AA bug bounty program will allow external hackers to report vulnerabilities. Most of the bug bounties program allow you to offer rewards for bugs found. You need security aware people inside your development teams to evaluate any reports you receive.Places to start:
Loading...
 
 
 
🙌 Explore & Share Spreadsheets at SpreadShare.co