In your top level readme I believe you meant morale instead of moral.

For those who have come across this guide without a background in SaaS development, explaining the acronyms the first time they're used would help readability. Some are easily googled, while others seem very context sensitive.

Thanks for curating this document. I've learnt a lot from reading it.

I think you can improve the wording in this paragraph:

At this point you should already have automated testing, and (at least semi-) automatic of upgrading and downgrading production versions. The next step is to make sure the production system is immutable. Meaning, any change of code, database, toggles must go through change management (like a pull request, or similar system).

Do you mean to use the word immutable here?

If you are advocating for immutable - which does provide extra security - then I'd update the Meaning, any to Meaning a server that is once deployed, is never modified, merely replaced with a new updated instance. Any change of code, database, toggles must go through change management (like a pull request, or similar system)

https://martinfowler.com/bliki/ImmutableServer.html
https://martinfowler.com/bliki/PhoenixServer.html

Thanks,
Joe.

I just found a great checklist here. It would be good to incorporate something like it into this project.

The link on the Readme page leads to a 404 page. It is trying to load /master/security.md instead of /english/security.md

Hello. You have a typo.

"[email protected]" should be "[email protected]"

It should be security.md.

Great read by the way! Thanks for putting this together.

Linux users would require disk reformatting.

I understand that the tutorial is for basic users and it shouldn't cover things like dm-crypt, veracrypt etc, but the information cited above is not true and it's just spreading FUD across less technical users about Linux. There are a few ways to encrypt system or home folder for existing or future users. It's been widely supported for years now, eg. This tutorial is from 2012, official guide for existing disk encryption from Canonical from 2012, there are more sources and tutorials how to do it, but let's just assume that those are enough for basic users.

Awesome repo 👍
Unfortunately several images not found in security.md, can fix it?

There is a tradeoff between giving practical advice mentioning specific vendors and features, and being fair with all security vendors.

There are a few ideas I am struggling with:

1. Add a page per vendor. This is a place where we can add the top 10 tips for each vendor.
2. Add a page per use-case (for example 2FA providers). The problem here is that you would need to sort the vendors, those being on top benefiting more. It could also become a wikipedia-like editing battleground that I would like to avoid. We could have a poll, and I'll sort the list based on the poll, but that would require some vetting, and confidentiality as startups are reluctant to expose their security stack publicly. Confidentiality in turn might bring up trust issues as things are not being done out in the open.
3. Referring to external sites that measure up different vendors. This bring the question, which site ? I would like to be biased towards the selection of vendors that startups can use, and not just enterprise customers use.