Providing a security plan for a client [on hold]
I started a small business that provides a web application to clients, and a new customer asked for a security plan. I've never written one before.
I understand that security plans can vary in breadth and depth, depending on the service provided and the customer's needs. For my case, we are a small shop with a fairly simple CRUD web app, and the size of the contract is ~$10K, which is for a local municipality.
I can write something up to let them know that we are using an up-to-date web framework/SSL/database/VPNs, and that we are monitoring all services and user-generated content.
What are some best practices that can assist me?
How can I interpret the customer's needs in their request?
Updates:
- Renamed "security profile" to "security plan" for better clarity.
- Emphasized that I am looking for examples of software security plans, and guides to these plans, instead of just responding with an email.
- Emphasized that I am looking for a guide or example of how to write a SaaS security plan, which fits the common pattern of a web application backed by a database.
- Updated with the Software Security Plan that I found here: http://sunguidesoftware.com/sunguidesoftware/documentlibrary/ReadingRoom/ProjectDocuments/Process%20Document%20-%2015809/SunGuideSMD-SSP-1%200%200(WorkingFinal).pdf but it's for a traffic surveillance system, which is quite different from a web application...
Tags: contracts, security, security-clearance, government
put on hold as too broad by Dukeling, gnat, Solar Mike, Jay, Malisbad yesterday
Is there any reason why this received a close vote? – mrNiceGuy, 2 days ago
This is usually called a security plan, not a security profile. If you google “How to write a security plan,” you will see many excellent resources. – Ernest Friedman-Hill, 2 days ago
Far too technical for The Workplace, so a comment rather than an answer: running on AWS does not make your system more secure than running it anywhere else (it doesn't make it less secure either). Don't include that in a plan unless you can show that you understand the shared security model. – Philip Kendall, 2 days ago
Here are some things that clients will want to see addressed in your plan: moodysanalytics.com/-/media/whitepaper/2018/… – Joe Strazzere, yesterday
Meta discussion to reopen at this link - workplace.meta.stackexchange.com/questions/6208/… – Anthony, 9 mins ago
Asked 2 days ago by mrNiceGuy; edited 16 mins ago by Anthony.
2 Answers
I am certainly not an expert on the topic, but have had to write and contribute to several security plans. Generally, what you want is a formal report, whose size is commensurate with the complexity of your operations; a plan can range from ten pages to hundreds.
The introduction should discuss your overall architecture. The meat of the report should identify all the possible risks you can think of (relating to hacking, data loss by physical disaster, etc.), your intended responses to them or mitigation strategies, and rules and procedures that ensure the responses and strategies are implemented. Basically you want to show that you’ve identified all the foreseeable risks to your clients, and have plans in place for minimizing them.
Googling “how to write a security plan” gives plenty of results.
Thank you for the answer! But now I'm wondering where I can find examples of security plans for a web application? (I updated my question above.) The documents that I found were mostly focused on desktop applications and other software systems, which is helpful, but doesn't have the same security concerns as a web app... – mrNiceGuy, 2 days ago
@mrNiceGuy - well, you and your fellow founders are experts in web-based systems, right? So it shouldn't be all that difficult to turn any general security plan document into one tailored for your environment. If it is hard, you may want to hire a consultant to help you in both the writing and securing. – Joe Strazzere, 2 days ago
I wouldn’t worry about legalese; the details would depend on your client and jurisdiction anyway. You already said it’s not a high-consequence system; just address your approaches for preventing various kinds of penetration and for backup and recovery and you should be good. – Ernest Friedman-Hill, 2 days ago
Plus, I suspect there are lots of security plans for web apps out there, although I can understand why they aren't readily available, because this is how consultancy companies make money, at between $1k and $50k+. Some have ongoing contracts to provide realtime monitoring, others to perform annual security reviews. They're not going to leave these lying around for their competitors to use, or give you a head start. – Justin, yesterday
@mrNiceGuy - "Perhaps I am being lazy, but we are a 3 person shop, so I would like to avoid writing a ~10 page legal document if at all possible." - consider that this is exactly what this municipality (and probably other future clients) are trying to see. If you can't be bothered to write 10 pages, how can they trust you to do the work to actually secure the systems they will be depending on? Hire a consultant if you must, but get it done. – Joe Strazzere, yesterday
Answered 2 days ago by Ernest Friedman-Hill.
Thank you for the answer! But now I'm wondering where I can find examples of security plans for a web application? (I updated my question above) The documents that I found were mostly focused on desktop applications and other software systems, which is helpful, but doesn't have the same security concerns as a web app...
– mrNiceGuy
2 days ago
@mrNiceGuy - well you and your fellow founders are experts in web based systems, right? So it shouldn't be all the difficult to turn any general security plan document into one tailored for your environment. If it is hard, you may want to hire a consultant to help you in both the writing and securing.
– Joe Strazzere
2 days ago
1
I wouldn’t worry about legalese; the details would depend on your client and jurisdiction anyway. You already said it’s not a high-consequence system; just address your approaches for preventing various kinds of penetration and for backup and recovery and you should be good.
– Ernest Friedman-Hill
2 days ago
1
Plus, I suspect there are lots of security plans for web apps out there, although I can understand why they aren't readily available Because this is how consultancy companies make money, at between $1k and $50k+. Some have ongoing contracts to provide realtime monitoring, others to perform annual security reviews. They're not going to leave these lying around for their competitors to use, or give you a head start.
– Justin
yesterday
1
@mrNiceGuy - "Perhaps I am being lazy, but we are a 3 person shop, so I would like to avoid writing a ~10 page legal document if at all possible. " - consider that this is exactly what this municipality (and probably other future clients) are trying to see. If you can't be bothered to write 10 pages, how can they trust you to do the work to actually secure the systems they will be depending on? Hire a consultant if you must, but get it done.
– Joe Strazzere
yesterday
|
show 3 more comments
Thank you for the answer! But now I'm wondering where I can find examples of security plans for a web application? (I updated my question above) The documents that I found were mostly focused on desktop applications and other software systems, which is helpful, but doesn't have the same security concerns as a web app...
– mrNiceGuy
2 days ago
@mrNiceGuy - well you and your fellow founders are experts in web based systems, right? So it shouldn't be all the difficult to turn any general security plan document into one tailored for your environment. If it is hard, you may want to hire a consultant to help you in both the writing and securing.
– Joe Strazzere
2 days ago
1
I wouldn’t worry about legalese; the details would depend on your client and jurisdiction anyway. You already said it’s not a high-consequence system; just address your approaches for preventing various kinds of penetration and for backup and recovery and you should be good.
– Ernest Friedman-Hill
2 days ago
1
Plus, I suspect there are lots of security plans for web apps out there, although I can understand why they aren't readily available Because this is how consultancy companies make money, at between $1k and $50k+. Some have ongoing contracts to provide realtime monitoring, others to perform annual security reviews. They're not going to leave these lying around for their competitors to use, or give you a head start.
– Justin
yesterday
1
@mrNiceGuy - "Perhaps I am being lazy, but we are a 3 person shop, so I would like to avoid writing a ~10 page legal document if at all possible. " - consider that this is exactly what this municipality (and probably other future clients) are trying to see. If you can't be bothered to write 10 pages, how can they trust you to do the work to actually secure the systems they will be depending on? Hire a consultant if you must, but get it done.
– Joe Strazzere
yesterday
Thank you for the answer! But now I'm wondering where I can find examples of security plans for a web application? (I updated my question above) The documents that I found were mostly focused on desktop applications and other software systems, which is helpful, but doesn't have the same security concerns as a web app...
– mrNiceGuy
2 days ago
Thank you for the answer! But now I'm wondering where I can find examples of security plans for a web application? (I updated my question above) The documents that I found were mostly focused on desktop applications and other software systems, which is helpful, but doesn't have the same security concerns as a web app...
– mrNiceGuy
2 days ago
@mrNiceGuy - well you and your fellow founders are experts in web based systems, right? So it shouldn't be all the difficult to turn any general security plan document into one tailored for your environment. If it is hard, you may want to hire a consultant to help you in both the writing and securing.
– Joe Strazzere
2 days ago
@mrNiceGuy - well you and your fellow founders are experts in web based systems, right? So it shouldn't be all the difficult to turn any general security plan document into one tailored for your environment. If it is hard, you may want to hire a consultant to help you in both the writing and securing.
– Joe Strazzere
2 days ago
1
1
I wouldn’t worry about legalese; the details would depend on your client and jurisdiction anyway. You already said it’s not a high-consequence system; just address your approaches for preventing various kinds of penetration and for backup and recovery and you should be good.
– Ernest Friedman-Hill
2 days ago
I wouldn’t worry about legalese; the details would depend on your client and jurisdiction anyway. You already said it’s not a high-consequence system; just address your approaches for preventing various kinds of penetration and for backup and recovery and you should be good.
– Ernest Friedman-Hill
2 days ago
1
1
Plus, I suspect there are lots of security plans for web apps out there, although I can understand why they aren't readily available Because this is how consultancy companies make money, at between $1k and $50k+. Some have ongoing contracts to provide realtime monitoring, others to perform annual security reviews. They're not going to leave these lying around for their competitors to use, or give you a head start.
– Justin
yesterday
1
@mrNiceGuy - "Perhaps I am being lazy, but we are a 3 person shop, so I would like to avoid writing a ~10 page legal document if at all possible." - consider that this is exactly what this municipality (and probably other future clients) are trying to see. If you can't be bothered to write 10 pages, how can they trust you to do the work to actually secure the systems they will be depending on? Hire a consultant if you must, but get it done.
– Joe Strazzere
yesterday
Find out what the client’s expectations really are, and manage them. There's a world of difference between downtime measured in milliseconds, which every client wants, and downtime of a few days, which is what a $10k client will probably accept when they find out how expensive the former is.
Aside - upsell. What did they actually pay the $10k for? What else can you sell them?
Practical Suggestions
Are there any examples of a security plan from a SaaS provider - specifically for a web app?
No - you'll have to write one.
As a starting point, Google “OWASP” and “Troy Hunt”, which will give you the top 10(?) common ways to hack a website. Write some test code/scripts to do this against your own site, then format the results: Attack / Solution / Results into a document.
This is the most basic kind of penetration test, and you should really be engaging a specialist company to do this for you (don’t though; it’ll cost a good chunk of that $10k).
...and availability of your site ...
You’re probably not hosting this app on your own servers, instead using a hosting provider. Have a look at their policy for how they guarantee uptime (or email and ask), and include that in your response to the client. (If you are self-hosting, you’re probably making a lot more work for yourself, as you lack the infrastructure for high availability/failover.)
edited yesterday
answered yesterday
Justin
3,722 reputation, 1 gold badge, 8 silver badges, 19 bronze badges
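One way to produce the Attack / Solution / Results document the answer suggests, as an added example that is not part of the original answer: it scores your own site's response headers against a few OWASP-style misconfiguration checks and renders the outcome as a table for the plan. The check list, the `header` and `hsts_ok` helpers and `SAMPLE_HEADERS` are constructed for this example, not taken from the answer.

```python
# Added example (not from the original answer): score a few OWASP-style
# misconfiguration checks against your own site's response headers and emit the
# Attack / Solution / Results table the answer proposes. SAMPLE_HEADERS is a
# constructed response; replace it with headers captured from a site you run.
from typing import Callable, Dict, List, Tuple

def header(h: Dict[str, str], name: str) -> str:
    """Case-insensitive header lookup; '' when absent."""
    return next((v for k, v in h.items() if k.lower() == name.lower()), "")

def hsts_ok(h: Dict[str, str], min_age: int = 31536000) -> bool:
    """HSTS present with max-age of at least a year; malformed values fail."""
    for part in header(h, "Strict-Transport-Security").split(";"):
        key, _, value = part.strip().partition("=")
        if key.lower() == "max-age" and value.strip().isdigit():
            return int(value) >= min_age
    return False

# (attack the plan must address, control the plan commits to, evidence check)
CHECKS: List[Tuple[str, str, Callable[[Dict[str, str]], bool]]] = [
    ("Protocol downgrade to plain HTTP",
     "Strict-Transport-Security with max-age >= 1 year", hsts_ok),
    ("Clickjacking via a hostile framing page",
     "X-Frame-Options DENY/SAMEORIGIN or CSP frame-ancestors",
     lambda h: header(h, "X-Frame-Options").upper() in ("DENY", "SAMEORIGIN")
     or "frame-ancestors" in header(h, "Content-Security-Policy")),
    ("Script injection (XSS) from untrusted origins",
     "Content-Security-Policy restricting script-src or default-src",
     lambda h: any(d in header(h, "Content-Security-Policy")
                   for d in ("script-src", "default-src"))),
    ("MIME sniffing turns uploads into active content",
     "X-Content-Type-Options: nosniff",
     lambda h: header(h, "X-Content-Type-Options").lower() == "nosniff"),
]

def run_checks(h: Dict[str, str]) -> List[dict]:
    return [{"attack": a, "solution": s, "result": "PASS" if ok(h) else "FAIL"}
            for a, s, ok in CHECKS]

def render_table(rows: List[dict]) -> str:
    out = ["Attack | Solution | Results", "--- | --- | ---"]
    out += [f"{r['attack']} | {r['solution']} | {r['result']}" for r in rows]
    return "\n".join(out)

# Constructed sample: HSTS too short, no CSP or X-Frame-Options, nosniff set.
SAMPLE_HEADERS = {"Strict-Transport-Security": "max-age=300",
                  "X-Content-Type-Options": "nosniff"}
print(render_table(run_checks(SAMPLE_HEADERS)))
```

Each FAIL row is a gap the plan has to commit to closing; each PASS row is evidence you can cite to the client.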
Is there any reason why this received a close vote?
– mrNiceGuy
2 days ago
2
This is usually called a security plan not a security profile. If you google “How to write a security plan,” you will see many excellent resources.
– Ernest Friedman-Hill
2 days ago
2
Far too technical for The Workplace so a comment rather than an answer: running on AWS does not make your system more secure than running it anywhere else (it doesn't make it less secure either). Don't include that in a plan unless you can show that you understand the shared security model.
– Philip Kendall
2 days ago
1
Here are some things that clients will want to see addressed in your plan: moodysanalytics.com/-/media/whitepaper/2018/…
– Joe Strazzere
yesterday
Meta discussion to reopen at this link - workplace.meta.stackexchange.com/questions/6208/…
– Anthony
9 mins ago