Your first 90 days as a founding security engineer

· 11 min read

authentik is an open source Identity Provider that unifies your identity needs into a single platform, replacing Okta, Active Directory, and Auth0. Authentik Security is a public benefit company building on top of the open source project.


Being the first security hire is a lot of responsibility. It’s rare to find a security engineer among the first 10 employees at a startup, so when you join, it’s likely that you are joining a larger company. In this situation, you’re inheriting some established security practices (or lack thereof) and have more people to corral than in a small, tight-knit company. (This article even suggests onboarding the first full-time security hire at between 30 and 100 employees.) And the stakes are high—the SolarWinds story is an extreme but cautionary tale showing that companies can be held accountable, even when they are victims of a hack.

It’s not all gloomy though! There is lots to enjoy about being a founding security engineer.

You get the chance to wear many hats: one day you’re investigating infrastructure alerts, another day you’re pen testing, or on another you might be urgently researching whether you’re vulnerable to a new breach. You might also get to pick your security stack! You’re constantly building your skills and learning new things.

The biggest challenge: How do you prove your value?

When you start any new job, you want to show how you’re contributing right away—especially if you’re the first and only member of your department. When I joined Authentik Security as the first security engineer, I was fortunate that my manager, our CTO and founder Jens, has a security mindset. Success can be hard to define, though, when you’re the only team member with extensive security experience, and you might not have continued direction or guidance from leadership. If you’re reporting to a CTO or CEO, chances are they will be relying on you to drive the bus, even if they have a security mindset and training; it’s why they hired you, and they have other areas to build up. This is particularly true in small startups, where the focus is often on “whatever will help us land customers” and not on internal security (a cost center).

So, where do you start?

Get the lay of the land

You can’t make a plan if you don’t know what you’re working with, and sometimes what you first learn about the company’s security posture and processes isn’t reflective of what’s actually happening. Again, I was lucky when joining the team, because security has always been treated as a priority here, but I know from past experience that’s not always the case. Be prepared that what was in the job description may not actually be what you end up doing, so be ready to dive in, assess the current state of security, and start defining what your plans are and how your strengths will be utilized.

Understanding the current lay of the land is fundamental to defining a successful plan going forward.

The next biggest risk category after employee risks (which we’ll get to in a moment) is configurations. That’s why you’ll want to figure out the following topics first.

What is the security stack, and has it been implemented properly?

In security, it’s not uncommon to grab a tool to solve a problem, and then find that it actually works for maybe 25-50% of what it’s intended for. You want to make sure you’re getting full value, especially if you’re paying for it.

A misconfigured tool might say you’re not at risk, but this can be a false sense of security. You see this with vulnerability scanning: there are so many tools out there, but if they’re not configured correctly you won’t get all the findings.

Is monitoring of the environment set up consistently (if at all)?

We’ve discussed this topic on this blog before, but it’s just so much more important and effective to have eyes into your environment than chasing down vulnerabilities. Did someone open up a server to the public with SSH, or accidentally commit a password somewhere? Why is this AWS account monitored, but not that one? When I joined Authentik Security, Jens had already set up log ingestion from our authentik instance (yes, dog-fooding), so I built on that by setting up SIEM and threat intelligence capabilities.

Start with what you’re good at

Now that you have an idea of what you’re working with and have applied your basic knowledge and skills, it’s wise to start with an area of security that you feel confident in. Security is so broad; it’s likely that you won’t be well-versed in everything (from blue team, to red team, compliance, etc.). You will probably have to learn some of that stuff on the job, but don’t spend the first 60 of your 90 days trying to learn how to pen test something or configure a new ultra-complex tool.

It’s more effective to start with the things you do feel comfortable with and grow your knowledge in the other areas as you go (just make sure you validate your plan with your manager).

Phishing

As we mentioned before, you’re far more likely to fall victim to a breach than a targeted hack (that’s why you won’t find chasing vulnerabilities in this list of priorities). Some phishing awareness material may seem obvious, but phishing tactics evolve quickly and there are always going to be people on the team who can fall victim to phishing (see the recent Cisco Duo attack). You’ll want to set up training around phishing and possibly have ongoing campaigns, and make sure your email provider is configured to “Mark as phishing”.

Access

Access management only gets harder the longer you ignore it. At a lot of companies, you get admin access to everything by default, which just gets riskier as you scale the size of the company. Now, instead of one or two people at risk of leaking a password (or choosing a weak or obvious password) or getting breached, you have 5, 10, 20, 100 people you have to be concerned about. If you can start scoping that down, you limit the blast radius.

Going down the rabbit hole of access can be daunting. There will come a point where you have to limit any one person’s access to only the things they need to do their job (i.e. principle of least privilege). If you do that suddenly, it’s going to cause friction.

A better approach is to see what a team member needs access to in their day-to-day and give them those permissions, plus one level higher. The change won’t be as noticeable on their end, and you have limited the blast radius in the event of an attack.

Offboarding and onboarding

Without a formal offboarding process, it’s common for access to be forgotten when someone leaves a company. They might retain access long after they’ve left, leaving the door open for them to sell those credentials, or do other harm if they left on bad terms.

It makes your IT department’s life a lot easier if, for example, you use an access management tool like authentik to grant permissions to people (as we do at Authentik Security!). Then, if they leave, it just takes the click of a button to revoke access.

Implementing SSO is high ROI for a founding security engineer: it automates onboarding and offboarding, improves workflows, and just makes things easier for teammates.

It’s not a panacea though; there are likely tools in your company’s stack that don’t support SSO, or maybe you don’t have the paid plan that includes it.

At Authentik Security, we of course use authentik; we have one group defined that is associated with a set of administrative-level permissions, but Notion (which we use for internal documentation and planning) doesn’t support that. SSO gets you into Notion, but once a team member logs in we have to manage authorization of different groups differently. But, at least if someone leaves or their access is compromised, we can disable them in authentik and now they can’t get into Notion at all.

Start a runbook

One of the toughest things about being a security-team-of-one is that there’s a lot of weight on your shoulders, and if you’re out sick or on vacation, there’s no one obvious to fall back on. That’s why it’s worth getting into the habit of documenting as you go. As you triage, set things up, and respond to alerts, take notes (literally!): what is the process you’re following? What should someone do in your place?

If you build documentation into your process it’s much more likely to happen than setting aside time specifically, and now your teammates will have something to refer to if you’re not available.

Build your relationships

When you start a new role, you have a finite amount of social or political capital at your disposal. So, you need to be strategic about how you deploy it (see below). You can also build up your credit with your teammates by taking the time to connect with them and understand how your initiatives are going to impact their workflow. They will have more time for you if you make an effort to meet them halfway.

For example, if I have a new security tool I want to implement and I need a new server, instead of just asking our infrastructure engineer to do it for me, I know enough about Infrastructure as Code that I can go in and start the changes for him. He just has to make tweaks and corrections instead of starting from scratch. Making the effort to relieve some of that burden helps to build goodwill.

Don’t be afraid to dig into the code

It’s unusual for security engineers to have a true understanding of the code we’re charged with protecting. Not a lot of developers cross over into security, and if they do they usually end up pen testing on the red team side because they understand more about it.

Being able to hold your own at least somewhat helps to build trust and goodwill, and can make you a better security engineer. Say for example, a Veracode scan turns up a finding and the developer says, “This is fixed this way, let’s ignore this.” By having some coding background, I can say, “No, if I’m reading your code correctly, you’re not sanitizing that input before it falls in, and that’s why Veracode is complaining.”

Challenging developers can put people’s backs up, so you want to approach this collaboratively and prompt them with questions to lead to the right conclusion. Knowing enough to ask the right questions goes a long way.

Pick the hill you want to die on

It’s a tough line to walk between partnering with other teams and putting your foot down when something has to change. It never turns out well to just drop the hammer one day (like suddenly revoking most people’s admin access, or giving your devs 5,000 vulnerability results to address—at least pick a critical subset). You want to gradually bring up the security level in a way that’s not disruptive.

So, pick the hill you want to die on. A lot of security involves giving new work to others: “Hey, we need to fix this server. Hey, we need to fix this code. We need to fix this access.” You want to minimize your asks where possible so people don’t just avoid you! Make suggestions, go slowly, take small steps, and solicit feedback. People are going to feel far more inclined to work with you on compromises if you show a willingness to collaborate.

In security, it’s natural to feel like every measure is really important, but if you’re practicing defense in depth, and spreading your efforts across as much of your attack surface as possible, you don’t have to cover every base 100%. Focus your efforts on activities that have an impact without generating a ton of work for others.

Let us know your thoughts in the comments, via email to hello@goauthentik.io, on Discord or GitHub.

Standardization in authentik: where we embrace guardrails and where we’ve kept flexibility

· 8 min read
Jens Langhammer
CTO at Authentik Security Inc



How to be great? Just be good, repeatably.

Consistency is often credited as more important to success than bursts of inspiration. However, when we’re talking about startups, standardization and innovation are often presented as conflicting mindsets. Standardization is for scaleups and enterprises, introduced around the same time as red tape and bureaucracy. Innovation is for scrappy startups, along with “move fast and break things” and “do things that don’t scale”.

Authentik Security is just over a year old, you can still count our team members on your hands, and we do a bit of both. Here are some things we’ve standardized that have helped us be more efficient (and where we’ve kept things fluid).

Release 2024.4 is here: new functionality for Admins, devs, and end users

· 3 min read
Jens Langhammer
CTO at Authentik Security Inc



We are happy to announce that 2024 is going great, with our second release of the year adding important new functionality for Admins, developers, and end users. Take a look at the new features included in the release, check out the Release Notes for more details and upgrade instructions, and enjoy the new features!

graphic of release highlights

We are excited that this release, like our 2024.2 one, continues to add more functionality across the board for all users. For Admins, we added new abilities to verify user credentials and provision users and groups via external IdP sources, additional powerful configuration options, and performance improvements for important API endpoints (User, Groups, Events). For developers, we added an API Client for Python. We also made further UX/usability and customization enhancements, with a revamped UI for log messages and the conversion of several multi-select boxes into dual-select. Using dual-select components across the interface is the goal; they provide a much cleaner UX for our users.

Let’s take a look at some of the highlights of this release.

Why we built authentik Outposts as microservices

· 8 min read
Marc Schmitt
Infrastructure Engineer at Authentik Security Inc
Rebecca Dodd
Contributing Writer



We’ve already seen high-profile migrations away from microservices (for example Amazon, Uber, and Google), and just recently The Pragmatic Engineer shared how teams at some companies have suffered in the wake of mass layoffs, as there simply aren’t enough staff to operate the thousands of services built by what used to be much larger engineering organizations. The tide has turned against microservices.

We’re happy to see a shift away from architecture inspired by buzzwords. In many cases (especially if you’re a small startup), you really don’t need microservices, you just need well-demarcated code. There are some good use cases for microservices however—when they address a genuine technical challenge—and this article is about one of them.

Going from open source maintainer to running a business: 7 lessons

· 10 min read
Jens Langhammer
CTO at Authentik Security Inc



Since November 2022, authentik has gone from an open source project with one maintainer writing most of the code (me), to having a real business built on top of it—with six full-time team members across the globe. We celebrated the company’s first birthday last year, but I wanted to share some personal reflections from my own journey from maintainer to CTO.

What’s worked

Standardizing and templatizing (on some things)

One of the advantages of a greenfield environment is being able to choose my own constellation of tools and workflows to make things as easy and efficient as possible.

You might think that standardization of any sort is the remit of scale-ups and big corporations with compliance requirements, but the business efficiency and simplicity that come with it are also a huge bonus for lean startups.

Why contributing to open source is scary and how to contribute anyway

· 14 min read
Jens Langhammer
CTO at Authentik Security Inc



In January of 2024, a well-known open-source maintainer wrote the following message to a contributor: “You copied that function without understanding why it does what it does, and as a result your code IS GARBAGE. AGAIN.”

If you’ve been in open source long enough, you might recognize the tone of Linus Torvalds, creator and lead developer of the Linux kernel. Torvalds’ sometimes cruel messages aren’t rare (there’s a whole subreddit for these rants, after all). But in this case, the target – Google engineer Steven Rostedt – stands out.

If we put aside the substance of the disagreement, we can acknowledge that the tone can be intimidating – not so much to Rostedt, who can likely handle himself, but to onlookers who are curious about contributing. Not all of open source is like this, of course, but enough of it is like this (or close to this) that exchanges like these can make contributing to open source scarier than it needs to be.

How can a brand new contributor, much less a Google engineer, feel brave enough to contribute?

The initial temptation, for me and probably many open-source fans, is to tell new contributors it’ll all be fine. There are bad parts, we might say, but there are good parts, too. But this approach risks invalidating their fears.

In this article, I’m going to lay out five real reasons why contributing to open source can be scary for new contributors. Alongside those reasons, though, I’m going to provide five practical ways to face the fears and contribute anyway.

My first week as CEO at Authentik Security

· 6 min read
Fletcher Heisler
CEO at Authentik Security Inc



Hello world! I'm excited to be joining Authentik Security as CEO. I wanted to take this opportunity to share the experience of my first week with the community and a bit about my background.

At the start of my very first "official" day on the job, I got an overview of the various applications we use from Jens, our founder and CTO. If you have ever been through a company onboarding process, you know that it might take a few days up to a couple weeks to get access to everything, sometimes even longer. In a small and agile startup, that might be as little as a day if you're lucky.

Remote Access, Audit Log, and a new App Wizard: release 2024.2 is here!

· 6 min read
Jens Langhammer
CTO at Authentik Security Inc



We are happy to announce that 2024 is starting off great, with our first release of the year chock full of new features. Take a look at the new features and functionality included in the release, check out the Release Notes for more details and upgrade instructions, and enjoy the new features!

graphic of release highlights

We confess we are possibly more excited about this release than about any in a while, with some new Admin-level capabilities, enhanced functionality for developers (our DX game is heating up!), and some great UX/usability and customization enhancements.

Let’s start with some of the big features, the ones that kept us busy over the holidays and into the new year.

Open source developers are the original content creators

· 14 min read
Jens Langhammer
CTO at Authentik Security Inc
Nick Moore
Contributing Writer



In 2024, Tom Scott and Jynn Nelson, otherwise different people in different worlds, faced very similar problems.

  • Tom Scott is a YouTuber who, as of this writing, has gotten nearly 2 billion views across over 700 videos. Nearly 6.5 million people subscribe to Tom Scott’s YouTube channel.
  • Jynn Nelson, a senior engineer, is a major maintainer of Rust, an open-source project that 2023 StackOverflow research showed was the most admired language among developers. About 2.2 million people are Rust developers.

In a goodbye video, Scott announced an extended break from his channel, saying, “I am so tired. There’s nothing in my life right now except work.”

In a post called the rust project has a burnout problem, Nelson wrote, articulating sentiments across the Rust community, “you want a break, but you have a voice in the back of your head: ‘the project would be worse without you.’”

It’s unfortunate that this comparison makes the best opening to the point of this post: open source developers are much more like content creators than most people tend to assume.

If anything, when you look at the history of the Internet and the history of distributing content online, open source developers might be the original content creators.

By looking at the paths they have both paved and recontextualizing their work within a broader view of the creator economy, we can come to a better understanding of the shared futures of content creators and open source developers.


Don’t hardcode your secrets in Kubernetes manifests, and other container pitfalls to avoid

· 11 min read
Marc Schmitt
Infrastructure Engineer at Authentik Security Inc



At the time of writing this post, the pitfalls of using YAML as a templating language are being debated on Hacker News. The headache of trying to customize Helm charts is a gripe we share at Authentik, which we’ll get into below.

This post is about how we test and deploy authentik using containers, some gotchas we’ve encountered, and lessons we’ve picked up along the way.

When the company founder is from an Infrastructure background, and the first person he decides to hire (that's me!) is also from Infra, you can imagine that we end up with some pretty strong opinions about tools and processes.

This is part of an ongoing series about the tools and products that make up authentik’s stack (you can also read about our infrastructure tooling choices and what’s in our security stack).