How We Secure Recroot Without Spending Thousands on Security Tools

by•

One challenge we faced while building Recroot:

We store candidate/user videos, interview recordings, resumes, and personal information.

Like most startups, we don't have an unlimited security budget.

But that doesn't change our responsibility to protect user data.

So we started by asking:

"What are the biggest risks to an AI hiring platform?"

We identified five key areas:

🔹 Vulnerabilities in our own code
🔹 Hackers exploiting the website or mobile app
🔹 Supply-chain attacks through third-party packages
🔹 LLM prompt injection and AI misuse
🔹 Unknown weaknesses that automated tools might miss

Then we looked for practical ways to reduce those risks without spending thousands of dollars every month.

Here's what we use today:

Semgrep Community Edition

  • Scans our code for common security vulnerabilities

  • Runs as part of our development process

  • Helps identify insecure coding patterns before deployment

Developer Security Reviews

  • Every feature undergoes security checks before release

  • Authentication, authorization, and sensitive data handling are reviewed during development

Secure Pull Request Process

  • Security findings must be reviewed and addressed before code is merged

  • Code is not pushed to production until identified issues are resolved

OWASP ZAP

  • Scans the running application for common web vulnerabilities

  • Helps identify issues such as XSS, authentication weaknesses, and security misconfigurations

Cloudflare WAF

  • Provides an additional layer of protection in front of our applications

  • Helps block common web attacks, malicious bots, and suspicious traffic before they reach our infrastructure

  • Reduces exposure to automated attacks and exploitation attempts

GitHub Dependabot

  • Monitors open-source libraries and packages

  • Alerts us when known vulnerabilities are discovered in dependencies

  • Helps reduce software supply-chain risk

Gitleaks

  • Scans for accidentally exposed secrets, API keys, tokens, and credentials

  • Prevents sensitive information from being committed into source code repositories

Penetration Testing

  • We periodically perform manual penetration testing against the application.

  • This is the one security activity where we intentionally spend real money

  • Focus on authentication, authorization, API security, business logic flaws, and AI-specific attack scenarios

  • Helps identify weaknesses that automated scanners may miss

AI & LLM Security Controls

Because Recroot uses AI, we also focus on AI-specific risks:

  • Input validation and sanitisation

  • Prompt injection testing

  • Restricting access to sensitive functions

  • Limiting AI actions to approved workflows

  • Continuous monitoring of prompts and outputs

Are we perfect?

Of course not.

Security is never "finished."

But we've learned that good security isn't always about buying expensive tools.

It's often about understanding your risks, using the right controls, and making security part of your development process from day one.

Many startups think security starts when they become bigger.

We've found it's much easier and cheaper to build security in from the beginning.

Curious:

What free or low-cost security tools have become essential in your startup stack?


19 views

Add a comment

Replies

Be the first to comment