{"id":13432659,"url":"https://github.com/forter/security-101-for-saas-startups","last_synced_at":"2026-01-25T09:33:26.271Z","repository":{"id":44454355,"uuid":"83980248","full_name":"forter/security-101-for-saas-startups","owner":"forter","description":"security tips for startups","archived":false,"fork":false,"pushed_at":"2022-07-11T18:03:37.000Z","size":1188,"stargazers_count":4620,"open_issues_count":5,"forks_count":295,"subscribers_count":131,"default_branch":"english","last_synced_at":"2025-03-23T15:22:44.303Z","etag":null,"topics":["chinese","security","security-considerations","startup"],"latest_commit_sha":null,"homepage":null,"language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/forter.png","metadata":{"files":{"readme":"readme.md","changelog":null,"contributing":".github/CONTRIBUTING.md","funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"security.md","support":null}},"created_at":"2017-03-05T15:23:27.000Z","updated_at":"2025-03-22T20:12:31.000Z","dependencies_parsed_at":"2022-07-30T23:17:58.843Z","dependency_job_id":null,"html_url":"https://github.com/forter/security-101-for-saas-startups","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/forter/security-101-for-saas-startups","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/forter%2Fsecurity-101-for-saas-startups","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/forter%2Fsecurity-101-for-saas-startups/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/forter%2Fsecurity-101-for-saas-startups/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/forter%2Fsecurity-101-for-saas-startups/manifest
s","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/forter","download_url":"https://codeload.github.com/forter/security-101-for-saas-startups/tar.gz/refs/heads/english","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/forter%2Fsecurity-101-for-saas-startups/sbom","scorecard":{"id":407384,"data":{"date":"2025-08-11","repo":{"name":"github.com/forter/security-101-for-saas-startups","commit":"59acca9d1a39abe21fc0cb19521a30d793c3acea"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":5.5,"checks":[{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Dangerous-Workflow","score":-1,"reason":"no workflows found","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Token-Permissions","score":-1,"reason":"No tokens found","details":null,"documentation":{"short":"Determines if the project's workflows follow the principle of least 
privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Code-Review","score":7,"reason":"Found 10/13 approved changesets -- score normalized to 7","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Pinned-Dependencies","score":-1,"reason":"no dependencies found","details":null,"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: security.md:1","Info: Found linked content: security.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: security.md:1","Info: Found text in security policy: security.md:1"],"documentation":{"short":"Determines if the project has published a security 
policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"License","score":9,"reason":"license file detected","details":["Info: project has a license file: LICENSE.md:0","Warn: project license file does not contain an FSF or OSI license."],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 30 are checked 
with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}}]},"last_synced_at":"2025-08-18T21:43:01.458Z","repository_id":44454355,"created_at":"2025-08-18T21:43:01.459Z","updated_at":"2025-08-18T21:43:01.459Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28750875,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-25T09:00:19.176Z","status":"ssl_error","status_checked_at":"2026-01-25T09:00:04.131Z","response_time":113,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["chinese","security","security-considerations","startup"],"created_at":"2024-07-31T02:01:14.840Z","updated_at":"2026-01-25T09:33:26.255Z","avatar_url":"https://github.com/forter.png","language":null,"funding_links":[],"categories":["Others","chinese","\u003ca id=\"9f9fed5b730bc5bfceaaf77da3aa719e\"\u003e\u003c/a\u003e笔记\u0026\u0026文章\u0026\u0026教程","资源"],"sub_categories":["书籍"],"readme":"[中文翻译](https://github.com/forter/security-101-for-saas-startups/blob/chinese/readme.md)\r\n\r\n# Security 101 for SaaS startups\r\n\r\n## Things I wish my first boss had told me\r\n\r\nSo you are working at a startup, and you have been wondering at what point should you start looking into security considerations and compliance? 
Which technical debt can be postponed to a later stage, and which systems should be hardened this instant? What are the main considerations?\r\n\r\nTechnical debt piles up, and in many cases it is cheaper to pay it later than now. For example, if you are running ElasticSearch without usernames and passwords, at least double check your firewall or security-group rules so that the cluster's ports (9200 for HTTP, 9300 for transport) are reachable only from your own application hosts and never from the internet. After round B your startup will probably have the manpower and budget to properly secure the ElasticSearch cluster itself.\r\n\r\nStartup culture is a bit harder to change \"later\". Let's take a trivial example. Developers who are used to pushing code without code review will complain that peer review bogs down development, and it might even smell \"too corporate\" to them.\r\n\r\nSo which security considerations are relevant at an early stage?\r\n\r\n* What security concerns were raised by customers willing to pay for your product?\r\n\r\n* What are the security expectations in your industry (Medical, Finance, Enterprise)?\r\n\r\n* What are the regulations of your target market (country), e.g. data privacy and data residency? Europe is known for tougher regulations, and different US states have different rules.\r\n\r\n* Which tools and policies would not hurt your team's morale?\r\n\r\n* How long would it take you to prepare a security risk plan (see the example at the bottom of this document)?\r\n\r\n    * What is the impact of theft of intellectual property or business plans, of Bitcoin or EC2 capacity (for example, stolen cloud credentials used for mining), or of losing all your data? How would it affect your sales, customers and investors?\r\n\r\n    * How can you protect against a data breach?\r\n\r\n    * How can you reduce the exposure after a data breach?\r\n\r\nWe grouped the expected security recommendations by the different phases a start-up goes through. 
The more money and data the startup handles, the bigger the investment in security:\r\n\r\n[continue reading](https://github.com/forter/security-101-for-saas-startups/blob/english/security.md)\r\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fforter%2Fsecurity-101-for-saas-startups","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fforter%2Fsecurity-101-for-saas-startups","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fforter%2Fsecurity-101-for-saas-startups/lists"}