In the year this has percolated with me, I've grown to actively dislike it. I have three major problems with it:
1. This cutesy "seed, A, B" triage scheme is misleading. In reality, you can break everything down into just two categories: "do it before product/market fit" and "do it after product/market fit" (or "now" and "later", or whatever you'd like to call them).
2. Most of what this list defers to later phases shouldn't be deferred --- or at least, if you're going to do it at all, there's benefit to doing it early. Monitoring computers? Much harder to start at "series B". SDLC? Same. Share accounts until "series A"? I like how their product category, "RASP", is assigned "seed" stage, though.
3. It's not internally consistent, or, at least, to make it internally consistent you would have to make silly decisions. For instance: use 2FA where possible early, and later centralize authentication?
I feel like this list is unserious, and serves essentially the sole purpose of putting "RASP" on the "do now" agenda.
2FA on SaaS applications is free and easy, while centralising authentication is much harder - you need to manage an authentication platform instead of just using the application's own authentication.
Taken by itself the suggestion is odd, but in concert with the next entry "use password management software" it makes for a low-cost, zero-management, higher-security stance than not suggesting 2FA by itself. No one should ever ignore the option to turn on 2FA.
https://news.ycombinator.com/item?id=16615593