Lessons from Jason Harmon, CTO at Stoplight
Security has been a large area of focus for the team at Stoplight over the past year to help grow, scale, protect, and better serve our customers. We discussed this focus with Jason Harmon, the Chief Technology Officer at Stoplight, where he oversees product and engineering. Here’s what Jason has learned from evolving security tools and processes at Stoplight. And for those wanting to learn more about our updated security practices, check out our new security.stoplight.io site, where you can learn about our overall posture and request access to the related assets.
Why is security important, especially in the API space?
APIs are a top attack vector (Gartner 2021 webinar). As more and more APIs are built and used across every industry, more security measures need to be a top consideration.
One of the mountains to climb in scaling an early-stage startup is how to go from rapid innovation to creating a sense of stability, trust, and partnership. Security & compliance posture is one of the most important signals of a company's maturity.
What are some security challenges at a startup?
Startups are constantly changing and growing. Starting, and keeping, good security practices can be a challenge!
Plus, it's not cheap. You need to cover a lot of bases including getting visibility, establishing your current baseline, understanding if your machines and infrastructure are secure, and if you have any vulnerabilities. This all takes time and money.
However, once you know what the problems are, the next challenge is establishing operating patterns to remediate the problems. How do you prioritize those important security needs against the needs of the business or product? These solutions must be considered in each organization against the specific risks in your business & platform.
Ask yourself: What do we do when security issues arise? How do we determine severity? What do you do if you can’t afford a security team? When you can confidently answer these questions, you're on your way to a better security posture.
What security changes has Stoplight made over the last year?
We strive to share our security and compliance posture with potential and current customers in a transparent and easy-to-understand way.
At Stoplight, we want to be as open and transparent as we can (without compromising our operational security, of course), and build trust with our customers, our processes, and infrastructure.
Here are some of the ways we've focused on elevating our security practices over the past year:
- Provide customer transparency to our security & compliance posture with our security.stoplight.io site
- Ongoing threat & vulnerability detection/remediation across our platform
- Established a cadence of regular infrastructure & application penetration testing
- Conducting ongoing, monthly security awareness training and discussions for everyone on the team
- Performing regular mock phishing exercises (and no one fell for it in October!)
- Producing smarter and measurable security results every quarter, especially in a growing team
- Began to formalize security and compliance-related processes and policies
What advice do you have for others in the space looking to get started with better security?
- Gain threat & vulnerability visibility for cloud infrastructure/applications by installing agents on all instances to scan for known CVEs
- Determine your endpoint security (especially laptops) and whether any employee machines are vulnerable (this is especially important in a distributed workforce). Phishing, malware, and ransomware attacks tend to start with individuals on their laptops.
  - We set up our MDM with Electric.ai to get visibility & remediation of basic threats & vulnerabilities, and followed up with SentinelOne to address the broader malware risks.
- Implement code scanning for insecure coding patterns and insecure dependencies to avoid the introduction of new security problems and get visibility to existing problem areas/hotspots.
  - We started with setting up Dependabot to help with risky dependencies and added static code analysis tools next.
- Establish threat and vulnerability remediation processes, integrated into how issues are triaged.
  - Determine triggers to block deployment pipelines and require remediation before going live.
- Build competency
  - Hire in-house security engineering talent (with API experience/knowledge!) or partner with a trusted vendor to provide capacity & expertise to guide and execute your strategy.
  - We worked closely with Cyvatar.ai to build our strategy and execute projects to give overall visibility, as well as remediation. Electric.ai has provided endpoint security with their MDM, as well as provisioning & access control to business-critical applications. Safebase has helped us wrangle security assessments and the sharing of security & compliance assets with prospective customers.
- Perform security awareness training on a regular cadence, and invite discussions with your team
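The "triggers to block deployment pipelines" point above is the one item in this list that turns into code in practice. The following is an added example, not Stoplight's own tooling or the output of any named scanner: a small deployment gate that reads a vulnerability report (the JSON shape here is an assumption, constructed for the example), blocks the release when any finding reaches a configured severity, surfaces lower-severity findings as warnings, and fails closed if the report cannot be read at all.

```python
"""Deployment gate that blocks a pipeline on vulnerability findings.

Added example, not Stoplight's code. The report format (a JSON document
with a "findings" list) is an assumption for illustration; a real
pipeline would adapt parse_report() to the scanner actually in use.
"""
import json
import sys

# Ordering used to compare a finding's severity against the gate thresholds.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample report: the kind of output a dependency/CVE scanner
# might produce. Identifiers and package names are made up.
SAMPLE_REPORT = json.dumps({
    "findings": [
        {"id": "FINDING-1", "severity": "medium", "package": "example-lib",
         "fix_available": True},
        {"id": "FINDING-2", "severity": "critical", "package": "example-parser",
         "fix_available": True},
        {"id": "FINDING-3", "severity": "high", "package": "example-util",
         "fix_available": False},
    ]
})


def parse_report(raw):
    """Turn the raw JSON report into a list of normalized findings.

    Raises ValueError on malformed input or an unrecognized severity so
    that the caller can fail closed instead of silently allowing a deploy.
    """
    try:
        data = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"report is not valid JSON: {exc}") from exc
    findings = []
    for item in data.get("findings", []):
        severity = str(item.get("severity", "")).lower()
        if severity not in SEVERITY_RANK:
            raise ValueError(
                f"unknown severity {severity!r} in finding {item.get('id')!r}")
        findings.append({
            "id": item.get("id", "<unknown>"),
            "severity": severity,
            "package": item.get("package", "<unknown>"),
            "fix_available": bool(item.get("fix_available", False)),
        })
    return findings


def evaluate_gate(findings, block_at="high", warn_at="medium"):
    """Decide whether the release may proceed.

    Findings at or above block_at stop the deploy; findings between
    warn_at and block_at are reported but do not block. Blocking findings
    are sorted most severe first so the remediation queue is obvious.
    """
    block_rank = SEVERITY_RANK[block_at]
    warn_rank = SEVERITY_RANK[warn_at]
    blocking = [f for f in findings if SEVERITY_RANK[f["severity"]] >= block_rank]
    warnings = [f for f in findings
                if warn_rank <= SEVERITY_RANK[f["severity"]] < block_rank]
    blocking.sort(key=lambda f: SEVERITY_RANK[f["severity"]], reverse=True)
    return {"allowed": not blocking, "blocking": blocking, "warnings": warnings}


def run_gate(raw, block_at="high", warn_at="medium"):
    """Return a process exit code: 0 allow, 1 blocked, 2 unreadable report.

    An unreadable report is treated as a failure (fail closed), because a
    gate that passes on scanner errors is not a gate.
    """
    try:
        findings = parse_report(raw)
    except ValueError as exc:
        print(f"BLOCKED: could not evaluate report ({exc})")
        return 2
    result = evaluate_gate(findings, block_at=block_at, warn_at=warn_at)
    for f in result["warnings"]:
        print(f"WARN  {f['severity']:<8} {f['id']} in {f['package']}")
    for f in result["blocking"]:
        fix = "fix available" if f["fix_available"] else "no fix yet"
        print(f"BLOCK {f['severity']:<8} {f['id']} in {f['package']} ({fix})")
    print("ALLOWED" if result["allowed"] else "BLOCKED: remediate before deploying")
    return 0 if result["allowed"] else 1


if __name__ == "__main__":
    # Read the report from a file path given on the command line, or fall
    # back to the constructed sample so the script runs stand-alone.
    raw_report = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    sys.exit(run_gate(raw_report))
```

Run as a pipeline step, the non-zero exit code is the trigger that stops the deploy; the thresholds are parameters so a team can start by blocking only on critical findings and tighten to high once the backlog is under control, which is the "establish a baseline, then remediate" sequence described earlier in the interview.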
While there are plenty of other areas to improve from this list (and plenty more we’ve implemented), we addressed these areas as our starting point. Hopefully, this helps your organization bootstrap your security program.
Security Resources at Stoplight
Obviously security is important to us. It’s important to our customers. And it's important to the API ecosystem. We’re putting effort and time into building the right kind of company to secure your data.
While we’re proud of the first year of building our security program, we’re growing our investments and have plans to constantly improve our posture in 2022.
We want to be a safe and trusted partner. In order to do that, we have to protect our customers and their data.
Stay informed on our latest security updates and see how we can safely fit into your API tool set with these resources: