Technical due diligence for startups: An infrastructure, devops & security checklist

If you’re getting ready to raise money or sell enterprise deals, you must be transparent regarding how your product fares in infrastructure and security.

Much of the advice out there covers qualitative aspects of due diligence, such as documentation quality, code, repo hygiene, scalability, user-friendliness, etc. This article focuses on the tools and processes you need to have in place in an easy-to-use fashion with some strong opinions, so you don’t waste your time.

If you’re getting ready to raise money or sell enterprise deals, you must be transparent regarding how your product fares in infrastructure and security.

Much of the advice out there covers qualitative aspects of due diligence, such as documentation quality, code, repo hygiene, scalability, user-friendliness, etc — all important things to consider, but much of them subjective and a matter of opinion or degree.

This article focuses on the black-and-white “must have” tools and basic processes you need with strong recommendations to execute on so you don’t waste your time.

What is Technical Due Diligence

Technical due diligence ensures your product does what it’s supposed to―not only the features it offers but also non-functional requirements like performance, security best practices, or the product’s DevOps workflow.

Due diligence can take weeks, if not months, to give investors a complete tour of a product’s internal mechanisms.

Why Technical Due Diligence

To raise funds - Investors will want proof your product isn’t all smoke and mirrors and that you’re not the next Elizabeth Holmes.
To conclude an acquisition - The new owners will need a tour of the product to see how to take it from there.
To offer service-level agreements for an Enterprise package - If you build a close-knitted relationship with another company, you might require service-level agreements to conclude the deal. TDD will help handle any risk.

9-Step Technical Due Diligence Checklist

1. Secret Manager

A secret manager is a must-have tool for any startup that wants to store secrets securely.

If you’re not using one, then you’re probably keeping your passwords and API keys in plain text in .env files on GitHub or somewhere else online.

This is a security disaster waiting to happen, not just because anyone who gains access to this information has complete control over all of your accounts but also because secret key leakage can occur in unexpected ways.

The solution? Set up Onboardbase in 5 minutes or less. It has a ton of great features:

You can create and manage multiple teams.
The intuitive interface makes it easy to see what’s happening with each user in real time.
You can automate secret generation and rotation.
You can push secrets across environments and team members via a pull request mechanism.
And many more!

2. Access Control

Access Control is granting and revoking access to resources in your organization.

Roles and Permissions are the most critical aspect of who can access what. It would be best if you had a good way of managing roles and permissions for who can do what within your application, including data access, ideally with a tool that can enforce the least privileged access control.

There are many ways to do this, but I recommend using something like Okta or Auth0 and implementing Multi-factor Authentication (MFA) for all accounts with access to the product or infrastructure with non-socially-engineerable second factors (no SMS, no email).

Both tools offer robust APIs that make it easy to implement into almost any stack and a user interface for managing users and roles/permissions.

It’s essential to security because it helps prevent people from getting into places they shouldn’t be. Still, it also helps protect you from data breaches by preventing unauthorized users from accessing sensitive information.

3. CI/CD pipeline

An implementation part of your application security strategy is to implement a CI/CD pipeline properly. This will help you ensure that all code changes pushed to production are secure, and it’s also a great way to enforce the least privilege access control by limiting what can be changed by any person or team.

We recommend using a tool like GitLab CI to automatically build and test your code whenever new changes occur. This will help you ensure that it’s secure before it makes its way into production.

4. Unit & Integration testing

Let’s face it - nobody has close to 100% test coverage, and unit testing is typically done haphazardly.

Unit testing, however, is an integral part of app security to catch bugs before they make their way into production and can be used in conjunction with a CI/CD pipeline to enforce the least privileged access control.

At a minimum, we recommend that you write tests for all public APIs, have unit tests for every single method in your application, and unit tests for every class in your codebase.

You can also use tools like Cucumber and Selenium to automate UI testing, which helps ensure your app behaves as expected in different scenarios and browsers for certain critical path functionality. Integration testing.

Integration tests are another essential part of app security, as they allow you to test how different components in your application interact. Integration tests can help ensure that APIs are performing how they should and not disclosing or leaking information.

At a minimum, we recommend that you perform integration tests on every service that your application depends on. This can include anything from databases to web services and third-party libraries.

5. API endpoint security

API endpoint security is one of the most important aspects of any API.

It is also one of the most overlooked areas when it comes to securing your API. While you may have a great UI and solid documentation, if someone can easily access and manipulate your API endpoints, they can do nasty things with them, making or breaking your ability to have a successful enterprise business.

API security tools like Hyperping will provide a solid foundation for securing your API endpoints and ensuring they are always in a state where they can be accessed securely. They also allow you to implement a security model that is easy for developers to understand and use.

6. Infrastructure-as-code

Infrastructure-as-code tools like Terraform are key parts of the modern development workflow. To ensure robust security, you will need to ensure the following.

Strong authentication and authorization rules are in place, ideally covered by your IAM policies.
All the modules you use are secure (i.e., not vulnerable to known exploits).
Third-party dependencies are secure and up to date (i.e., not vulnerable to known exploits).
You have an immutable server image (a base OS and all the tools you need to run your application) that is easy to deploy with minimal user interaction. This means no configuration files, no SSH keys, and nothing that could be modified by someone who has compromised your server.
The tooling has high-quality security features (e.g., Terraform has a lockdown mode that allows you to specify which users can run what parts of your infrastructure)
You have an easy way to audit changes made by humans or scripts—you should be able to see who changed what and when quickly.

7. Open-source/dependency scanning

Almost everybody incorporates third-party libraries and open-source packages into their application and infrastructure, which introduces additional security risks.

You’ll need to ensure that any open-source packages you use are safe, secure, and up-to-date.

Several tools are available to help with this, like Snyk, Gemnasium, or Sonatype OSS Index. The process is simple: you upload your project to one of these services and get back a list of all the open-source components used in it, along with their associated vulnerabilities and remediation steps.

This can be automated by running any of these services as part of your CI/CD pipeline. Some dedicated security scanners, like RetireJS, Snyk, or Sonatype’s Security Checker, can help you find vulnerabilities in your dependencies.

8. The static code analysis tool

Static code analysis tools automatically scan your codebase and look for common vulnerabilities or security mistakes. It’s like having an extra pair of eyes reviewing your code.

You should set this up before you start raising money or selling enterprise deals, as it will save you time and money later. It can help you catch bugs, performance issues, and security vulnerabilities before they hit production.

You don’t need to use one of the extensive commercial offerings (e.g., Fortify, Klocwork), but you do need something on your team that performs static analysis on new code as soon as it is committed.

There are tools like SonarQube or Black Duck Hub for open-source projects and additional commercial products such as Coverity that work just as well.

You can run this process on your own CI server or use one provided by your cloud provider.

9. SOC II Type 2 certification

SOCII Type 2 certification is a significant hurdle to overcome, and it needs to be in place before you even start fundraising. We highly recommend getting SOCII Type 2 certified if you want to do enterprise deals and sell software that handles sensitive data.

The good news is that many new vendors can help you get your SOCII Type 2 certification, such as Vanta, SecureFrame, Drata, and A2H.

The bad news is that it will probably cost you a few thousand dollars and take a couple of months to complete. Here’s another guide to reviewing some of these newer providers and making a decision

Conclusion

We think that our checklist is a good starting point for early-stage startups. We recommend that all companies follow the advice in this article and have clear documentation of each step completed. The more documentation, the better.