5 Security Mistakes Every Startup Makes (And How to Fix Them)
Every startup I work with makes the same security mistakes.
Not because founders are careless. Because they're optimizing for the right thing: shipping product and finding customers. Security feels like something you deal with "later."
Then later arrives. Usually because:
- A customer asks for SOC2
- Someone finds passwords in your GitHub repo
- Your AWS bill is suddenly $10K because someone's mining crypto
- An engineer leaves and still has admin access to everything
Here are the five mistakes I see most often, and how to actually fix them.
1. Shared Admin Accounts ("We'll Set Up SSO Later") #
You know those [email protected] accounts everyone uses?
For AWS. For your database. For monitoring tools. For that backup service you signed up for two years ago.
"We'll set up proper SSO later" - famous last words.
Why this breaks: #
Someone leaves. They might be bitter. They definitely still have access to production.
You go to revoke access. Nobody knows where all the shared accounts are. You spend three hours resetting passwords and hoping you got everything.
Or worse: you DON'T revoke access. Six months later that person is working for a competitor and still has your database passwords saved in their password manager.
How to fix it: #
This week:
- List every service you use (SaaS, cloud, internal tools)
- Check which ones use shared accounts
- Check if they support SSO/SAML (most do now)
This month:
- Set up Google Workspace or Okta or whatever identity provider
- Connect your top 10 critical services to SSO
- Delete the shared accounts
Proper way:
People log in with their own account. When they leave, you disable one account in one place. Everything stops working for them.
You can still have an emergency break-glass admin account. Keep it in a vault. Require two people to access it. Actually monitor when it's used.
2. No Idea Who Can Access What #
Ask your CTO: "Who has admin access to production?"
If the answer is anything other than a specific list of names, you have a problem.
I've seen:
- 10 people with AWS root account credentials
- Engineers who left a year ago still in the database admin group
- Contractor who built your MVP still has GitHub admin
- That intern from last summer still in your Vercel org
Why this breaks: #
You can't secure what you don't know about.
Someone gets phished. Their laptop gets stolen. They go rogue. You need to know exactly what they can access and lock it down fast.
Also: every compliance framework asks "who can access production data?" If your answer is "uh... not sure?" - you're going to have a bad audit.
How to fix it: #
Right now:
Open a spreadsheet. Three columns:
- System (AWS, GitHub, Database, etc.)
- Access Level (admin, developer, read-only)
- Who Has It (actual names)
Go through every system. Write down who has what.
You'll be shocked. I promise.
This quarter:
Set calendar reminders to review access every 90 days.
Every quarter:
- Export user lists from each system
- Check who shouldn't be there anymore
- Remove them
- Document that you did this
That's it. That's the whole access review process that auditors want to see.
3. Credentials Living in Slack and Repos #
"Hey, here's the staging database password" - sent in Slack three months ago. Still there. Indexed. Searchable.
Or my personal favorite: .env file committed to GitHub with production database credentials. Caught by automated scanner. Now your database passwords are on the internet forever (yes, even if you delete the commit).
Why this breaks: #
Credentials in Slack = everyone who ever joined that channel has them. Including people who left.
Credentials in repos = they're in git history forever. Deleting the file doesn't delete the commit. Someone will find them.
People copy-paste credentials into Slack when they're rushing. Makes sense in the moment. Becomes a nightmare later.
How to fix it: #
Emergency fix (if you leaked creds):
- Rotate the credentials immediately
- Check access logs to see if anyone used them
- Document what happened and when
Long-term fix:
Use a password manager for shared credentials. 1Password, LastPass, whatever. Just not Slack.
Better: don't share credentials at all. Use AWS IAM roles, database user accounts, API tokens that can be revoked.
For secrets in code:
- Use environment variables
- Put them in your CI/CD system (GitHub Secrets, GitLab CI variables)
- Use a secret manager (AWS Secrets Manager, HashiCorp Vault)
- Add
.envto.gitignore(yes, obvious, but people still forget)
For scanning:
Set up git-secrets or Trufflehog in CI. Catches secrets before they get committed.
Takes 10 minutes. Saves you from panic-rotating credentials at 11pm.
4. No Logging (Or Logs Nobody Looks At) #
Your monitoring is great. You know instantly when the site goes down.
But do you know when:
- Someone tries 50 password combinations on your admin login?
- A user exports your entire customer database?
- Someone creates a new AWS admin user at 3am?
Probably not.
Why this breaks: #
Breaches aren't instant. Someone gets in, pokes around for days or weeks, figures out what's valuable, then steals it.
Without logs, you find out months later when:
- Customers report their data showed up on a hacking forum
- AWS sends you a notice about suspicious activity
- You're applying for SOC2 and realize you have no audit trail
Also: compliance requires logs. SOC2, ISO 27001, GDPR - all want proof you're monitoring who does what.
How to fix it: #
Basic logging (do this):
- AWS CloudTrail (who did what in AWS)
- Application logs (who logged in, what they accessed)
- Database logs (what queries ran, who ran them)
Send them somewhere central. CloudWatch, Datadog, Splunk, whatever. Just not scattered across 15 different services.
Actually useful logging:
Set alerts for weird stuff:
- Failed login attempts (more than 5 in 10 minutes)
- New IAM users created
- Database accessed from unusual location
- Large data exports
- Access outside business hours
You don't need a security team to do this. You need 30 minutes and a CloudWatch alarm.
Retention:
Keep logs for at least 90 days. A year is better. Storage is cheap. Finding out you were breached 6 months ago and deleted all evidence is expensive.
5. Treating Security as "Set It and Forget It" #
You set up 2FA. Great.
You added monitoring. Excellent.
You wrote a security policy. Perfect.
Then six months pass. People left. New services were added. Nobody updated anything.
Now:
- Half your team isn't using 2FA (they lost their device, new phone, whatever)
- Monitoring alerts go to an email nobody checks
- Security policy says you do quarterly reviews, but you stopped after the first one
Why this breaks: #
Security isn't something you do once. It's something that rots without maintenance.
People leave, new services get added, processes get forgotten. Your actual security drifts away from what you think your security is.
Then audit time comes and you realize the access reviews you thought were happening... aren't.
How to fix it: #
Calendar everything:
Every quarter:
- Review who has access to what (we covered this)
- Check if 2FA is enabled for everyone
- Update your list of services/systems
- Test your backups (you have backups, right?)
Every month:
- Review security alerts (did anything fire? why?)
- Check for critical dependency updates
- Look at CloudTrail for anything weird
Make someone responsible:
"We're all responsible for security" = nobody's responsible.
Pick one person. Doesn't need to be technical. Just needs to own the calendar reminders and make sure stuff gets done.
In a 10-person startup, this is 2-3 hours a month. That's it.
Document what you're doing:
Not for compliance (though that helps). For your future self.
When someone leaves, you need to know which accounts to disable. When something breaks, you need to know what changed.
Keep a simple log:
- Date
- What changed
- Who did it
Doesn't need to be fancy. Shared Google Doc works fine.
The Pattern #
Notice something? These aren't exotic security problems.
You're not getting hacked by nation-state actors.
You're getting tripped up by:
- People leaving and keeping access
- Not knowing what you have
- Forgetting to maintain things
The fix isn't expensive security tools.
The fix is:
- Write down what you have
- Control who can access it
- Check regularly that nothing broke
That's it. That's the whole security program for a startup.
Everything else - SOC2, pentests, security training - builds on this foundation.
What to Do Monday #
Pick ONE of these to fix this week:
Easiest: Set up a quarterly calendar reminder for access reviews. First one happens next quarter.
Most impactful: List every service you use and who has admin access. Takes 2 hours. Will horrify you.
Most urgent: Search your Slack for "password" and see what you find. Then use a password manager.
You don't need to fix everything today. But pick something and fix it.
When You Actually Need Help #
If you're:
- About to raise a Series A (investors will ask about security)
- Trying to close enterprise customers (they'll want SOC2)
- Dealing with customer data in Europe (GDPR is real)
You probably need more than this list.
That's fine. That's what I do.
But if you're a 5-person startup trying to not get breached? Start with this list. Fix these five things. You'll be ahead of 80% of startups.
Security doesn't have to be complicated. It just has to actually happen.
About the Author #
I'm Nikita, a DevSecOps and cloud security consultant specializing in Kubernetes security and compliance automation for Series A-C SaaS companies. With 7+ years of security engineering experience including CISO roles, I help startups achieve SOC2 certification in 6 weeks and build security pipelines that developers actually like.
Work with me: View Services | Schedule Call | Read More Posts
Nikita Mosievskiy
Security Engineer & AI Researcher