Description

This curriculum spans the breadth of a multi-workshop security integration program, addressing the same technical and organizational challenges faced during real-world advisory engagements with startups scaling through Series B.

Module 1: Threat Modeling and Risk Assessment in Early-Stage Startups

Conducting asset inventories to identify sensitive data types (PII, financial, IP) across fledgling infrastructure
Selecting and applying threat modeling frameworks (e.g., STRIDE, PASTA) to MVP architectures with limited engineering bandwidth
Deciding which third-party SaaS tools require security questionnaires based on data exposure and access privileges
Documenting risk acceptance decisions for technical debt introduced during rapid prototyping
Integrating threat modeling into sprint planning without slowing down product delivery
Establishing thresholds for escalating risks to founders and board members based on impact and exploitability
Mapping data flows in microservices environments before public launch to identify unsecured inter-service communication
Assessing supply chain risks when using open-source libraries with known vulnerabilities in core features

Module 2: Secure Identity and Access Management at Scale

Choosing between building custom IAM and adopting identity platforms (e.g., Okta, Auth0) based on team size and use cases
Implementing role-based access control (RBAC) policies across AWS, GCP, and SaaS applications with consistent naming conventions
Configuring multi-factor authentication enforcement across employee, contractor, and admin accounts with exception workflows
Automating user provisioning and deprovisioning using SCIM integrations with HRIS systems
Defining break-glass access procedures for emergency system recovery with audit trail requirements
Managing service account lifecycle, including key rotation and least-privilege permissions in CI/CD pipelines
Enforcing session timeout policies across web and mobile applications based on risk profile
Conducting quarterly access reviews for elevated privileges in critical systems (e.g., production databases, root accounts)

Module 3: Data Protection and Encryption Strategy

Selecting encryption at rest mechanisms (e.g., KMS, customer-managed keys) for databases and object storage across cloud providers
Implementing field-level encryption for sensitive customer data in application databases using envelope encryption
Deciding whether to use client-side or server-side encryption based on performance and key management complexity
Designing key rotation schedules and disaster recovery procedures for cryptographic keys
Classifying data sensitivity levels and mapping to appropriate encryption and retention policies
Configuring TLS 1.3 with strong cipher suites across APIs and public endpoints
Managing secrets in development environments without exposing credentials in code or config files
Implementing secure data destruction workflows for decommissioned storage and backups

Module 4: Secure Infrastructure and Cloud Configuration

Establishing baseline security configurations for cloud accounts using tools like AWS Config or GCP Security Command Center
Designing VPC architectures with private subnets, NAT gateways, and flow logging for monitoring
Enforcing infrastructure-as-code (IaC) practices using Terraform or CloudFormation with security linters (e.g., Checkov)
Blocking public S3 bucket access by default and auditing for misconfigurations via automated scans
Implementing network segmentation between development, staging, and production environments
Configuring WAF rules to mitigate OWASP Top 10 threats on public-facing applications
Managing container security in Kubernetes clusters, including image scanning and pod security policies
Setting up centralized logging and monitoring for cloud infrastructure events using CloudTrail, Audit Logs, or equivalent

Module 5: Incident Response and Breach Management

Developing an incident response playbook tailored to startup resources, including communication templates
Establishing on-call rotations for security incidents with escalation paths to technical and executive leadership
Configuring SIEM tools to detect anomalous login patterns, data exfiltration, or privilege escalation
Conducting tabletop exercises for common breach scenarios (e.g., ransomware, insider threat, API key leak)
Defining criteria for when to engage external forensic firms or legal counsel during an active incident
Implementing immutable logging to preserve evidence during and after a security event
Coordinating disclosure timelines with legal, PR, and regulatory obligations across jurisdictions
Performing post-incident root cause analysis and updating controls to prevent recurrence

Module 6: Compliance and Regulatory Alignment

Determining which compliance frameworks apply (e.g., GDPR, CCPA, HIPAA, SOC 2) based on customer contracts and data types
Mapping technical controls to specific regulatory requirements for audit readiness
Conducting data residency assessments to ensure compliance with cross-border data transfer laws
Implementing data subject request workflows for access, deletion, and portability under privacy regulations
Documenting data processing agreements (DPAs) with vendors handling regulated data
Establishing data retention and deletion schedules aligned with legal and operational needs
Preparing for SOC 2 audits by implementing and testing controls for security, availability, and confidentiality
Managing ongoing compliance maintenance, including evidence collection and control testing

Module 7: Secure Product Development Lifecycle

Integrating security gates into CI/CD pipelines, including SAST, DAST, and dependency scanning
Defining secure coding standards and conducting architecture reviews for high-risk features
Managing vulnerability disclosure programs and coordinating with external researchers
Prioritizing remediation of CVEs based on exploitability, asset criticality, and patch availability
Conducting manual penetration testing before major product releases or funding milestones
Implementing feature flagging with secure default states to limit exposure of new code
Training engineering teams on common web vulnerabilities (e.g., injection, SSRF, CSRF) through hands-on labs
Establishing bug bounty scope and triage processes for reported vulnerabilities

Module 8: Vendor Risk and Third-Party Security Oversight

Creating a vendor risk classification matrix based on data sensitivity and system criticality
Conducting security assessments for critical vendors using standardized questionnaires (e.g., CAIQ, SIG Lite)
Reviewing third-party SOC 2 or ISO 27001 reports and validating control effectiveness
Negotiating security clauses in vendor contracts, including audit rights and breach notification timelines
Monitoring vendor security posture changes through continuous monitoring tools or alerts
Managing API key lifecycle and access scopes for integrations with external platforms
Enforcing encryption and access logging requirements for vendors with access to customer data
Decommissioning vendor access and integrations during contract termination or service replacement

Module 9: Security Culture and Executive Alignment

Translating technical risks into business impact metrics for fundraising and board reporting
Establishing security KPIs (e.g., mean time to patch, incident frequency) for leadership dashboards
Designing role-specific security training for engineering, sales, and customer support teams
Conducting phishing simulation campaigns with follow-up coaching for employees who fail
Integrating security into performance reviews for technical leadership roles
Allocating budget for security tooling and personnel based on growth stage and risk exposure
Communicating security priorities during onboarding for new hires and contractors
Facilitating executive tabletop exercises to align on crisis response and decision authority