If you broke the practice of securing a company into software security, network/platform security, and corpsec, I think the proper prioritization from an engineering perspective would be corpsec > software security > network/platform security.
Thankfully, this checklist doesn't lead startups into a quagmire of stupid network security tools, scanners, and assessments. But it also leaves out corpsec almost completely ("single signon" is an application security control in the checklist, which wildly misses the point), so we'll call that a wash.
What I'll say is that if you're concerned about closing deals and filling out checklists, the appsec controls here aren't going to move the dials much for you, and the corpsec stuff that it's missing is going to trip you up. I'm not in love with it.
Also: for most companies, you're going to want to be well past product-market fit before you start engaging consultants to assess your code. Most startups are well past 30 engineers before they have their first serious assessment. Crappy assessments can hurt as much as they help, and they're the kind you get if you're shopping for $5k-10k pentests while delivering with 5 engineers.
With your excellent corp/software/net breakdown, this feels like it isn't actually aimed at a company-wide level. This feels like it's aimed at a product engineering leader who has no real power over the real corpsec concerns - like if the company uses SSO - but real power over the product itself.
I suppose it makes sense in a context where someone else is handling corpsec adequately, but if that's the idea then it's not very well explained.
Software security is vulnerability research conducted on the software you ship. The OWASP Top 10 is a software security artifact. Some people call this "appsec", though that tends to imply web software security, which is just a subset of software security.
Network/platform security is network access control rules, host configuration, to some extent cloud IAM†, and patching.
CorpSec is the stuff you do to address attacks targeted at your team and the computers and services you use to keep the company running --- laptop and endpoint security, Google Apps 2FA, single sign-on, onboarding/offboarding, and that kind of stuff.
† IAM and cloud access/monitoring can kind of bleed into both of the other buckets depending on the aspects you're thinking about, but like 80% of it belongs in the net/platform bucket for most companies.