Many startups use cloud services like AWS, Azure, or GCP, but often don't have a dedicated security engineer on their team. I'm curious about how founders deal with this challenge in practice. Do you perform regular security checks? Do you depend on continuous integration/continuous deployment (CI/CD) or infrastructure as code (IaC) to maintain security? Or is security something you only think about when customers ask for compliance? Have you ever faced issues due to misconfigurations, like a public S3 bucket or a weak IAM policy? I'm trying to get a better understanding of the mindset in startups like mine that lack security expertise.
1 Answer
Honestly, most startups don't have a solid security plan until something bad happens. They tend to react to issues as they arise, waiting until they have funding or a larger revenue before hiring a dedicated security engineer. Some do take regulatory compliance more seriously from the beginning, often seeking help from consultants.
I've been considering creating an LLM-based tool for automatic security checks of cloud configurations. It could shout out risks in simple terms like, "Your RDS is publicly accessible" or "Your S3 bucket isn't encrypted." Do you think this would be useful for small to mid-sized companies, or do they just wait for problems to pop up?