Providing a security plan for a client [on hold]As a developer, how can I ask for more freedom when confronted with a tight IT security policy?Acceptable for new hire to bring up bad security practices, or “go with the flow”?Is it common for software development jobs to prioritise speed over security (or lack thereof)?

Did Snape really give Umbridge a fake Veritaserum potion that Harry later pretended to drink?

Construction of the word подтвержда́ть

Blood-based alcohol for vampires?

Performance of loop vs expansion

Versicle and response symbols

Why is the saxophone not common in classical repertoire?

How to travel between two stationary worlds in the least amount of time? (time dilation)

If a creature is blocking and it has vigilance does it still tap?

Magento 2: I am not aware about magneto optimization. Can you please share the steps for this?

Where is read command?

Puzzling Knight has a Message for all- Especially Newcomers

Which high-degree derivatives play an essential role?

gzip compress a local folder and extract it to remote server

Is there any connection between "Whispers of the heart" and "The cat returns"?

Is it possible that Curiosity measured its own methane or failed doing the spectrometry?

3D nonogram – What's going on?

Can I deep fry food in butter instead of vegetable oil?

Who pays for increased security measures on flights to the US?

"Best practices" for formulating MIPs

Olive oil in Japanese cooking

Which are more efficient in putting out wildfires: planes or helicopters?

Are the plates of a battery really charged?

Was Wolfgang Unzicker the last Amateur GM?

Auto replacement of characters



Providing a security plan for a client [on hold]


As a developer, how can I ask for more freedom when confronted with a tight IT security policy?Acceptable for new hire to bring up bad security practices, or “go with the flow”?Is it common for software development jobs to prioritise speed over security (or lack thereof)?






.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;








0















I started a small business that provides a web application to clients, and a new customer asked for a security plan. I've never written one before.



I understand that security plans can vary in breadth and depth, depending on the service provided and the customer's needs. For my case, we are a small shop with a fairly simple CRUD web app, and the size of the contract is ~$10K, which is for a local municipality.



I can write something up to let them know that we are using an up to date web framework/SSL/database/VPN's, and that we are monitoring all services and user-generated content.




  • What are some best practices that can assist me?


  • How can I interpret the customer's needs in their request?





Updates:



  • renamed "security profile" to "security plan" for better clarity.

  • emphasized that I am looking for examples of software security plans, and guides to these plans, instead of just responding with an email.

  • emphasized that I am looking for a guide or example of how to write a SaaS security plan, which fits the common pattern of a web application backed by a database.

  • Updated with the Software Security Plan that I found here: http://sunguidesoftware.com/sunguidesoftware/documentlibrary/ReadingRoom/ProjectDocuments/Process%20Document%20-%2015809/SunGuideSMD-SSP-1%200%200(WorkingFinal).pdf but it's for a traffic surveillance system, which is quite different than a web application...









share|improve this question















put on hold as too broad by Dukeling, gnat, Solar Mike, Jay, Malisbad yesterday


Please edit the question to limit it to a specific problem with enough detail to identify an adequate answer. Avoid asking multiple distinct questions at once. See the How to Ask page for help clarifying this question. If this question can be reworded to fit the rules in the help center, please edit the question.


















  • Is there any reason why this received a close vote?

    – mrNiceGuy
    2 days ago






  • 2





    This is usually called a security plan not a security profile. If you google “How to write a security plan,” you will see many excellent resources.

    – Ernest Friedman-Hill
    2 days ago






  • 2





    Far too technical for The Workplace so a comment rather than an answer: running on AWS does not make your system more secure than running it anywhere else (it doesn't make it less secure either). Don't include that in a plan unless you can show that you understand the shared security model.

    – Philip Kendall
    2 days ago






  • 1





    Here are some things that clients will want to see addressed in your plan: moodysanalytics.com/-/media/whitepaper/2018/…

    – Joe Strazzere
    yesterday











  • Meta discussion to reopen at this link - workplace.meta.stackexchange.com/questions/6208/…

    – Anthony
    9 mins ago


















0















I started a small business that provides a web application to clients, and a new customer asked for a security plan. I've never written one before.



I understand that security plans can vary in breadth and depth, depending on the service provided and the customer's needs. For my case, we are a small shop with a fairly simple CRUD web app, and the size of the contract is ~$10K, which is for a local municipality.



I can write something up to let them know that we are using an up to date web framework/SSL/database/VPN's, and that we are monitoring all services and user-generated content.




  • What are some best practices that can assist me?


  • How can I interpret the customer's needs in their request?





Updates:



  • renamed "security profile" to "security plan" for better clarity.

  • emphasized that I am looking for examples of software security plans, and guides to these plans, instead of just responding with an email.

  • emphasized that I am looking for a guide or example of how to write a SaaS security plan, which fits the common pattern of a web application backed by a database.

  • Updated with the Software Security Plan that I found here: http://sunguidesoftware.com/sunguidesoftware/documentlibrary/ReadingRoom/ProjectDocuments/Process%20Document%20-%2015809/SunGuideSMD-SSP-1%200%200(WorkingFinal).pdf but it's for a traffic surveillance system, which is quite different than a web application...









share|improve this question















put on hold as too broad by Dukeling, gnat, Solar Mike, Jay, Malisbad yesterday


Please edit the question to limit it to a specific problem with enough detail to identify an adequate answer. Avoid asking multiple distinct questions at once. See the How to Ask page for help clarifying this question. If this question can be reworded to fit the rules in the help center, please edit the question.


















  • Is there any reason why this received a close vote?

    – mrNiceGuy
    2 days ago






  • 2





    This is usually called a security plan not a security profile. If you google “How to write a security plan,” you will see many excellent resources.

    – Ernest Friedman-Hill
    2 days ago






  • 2





    Far too technical for The Workplace so a comment rather than an answer: running on AWS does not make your system more secure than running it anywhere else (it doesn't make it less secure either). Don't include that in a plan unless you can show that you understand the shared security model.

    – Philip Kendall
    2 days ago






  • 1





    Here are some things that clients will want to see addressed in your plan: moodysanalytics.com/-/media/whitepaper/2018/…

    – Joe Strazzere
    yesterday











  • Meta discussion to reopen at this link - workplace.meta.stackexchange.com/questions/6208/…

    – Anthony
    9 mins ago














0












0








0








I started a small business that provides a web application to clients, and a new customer asked for a security plan. I've never written one before.



I understand that security plans can vary in breadth and depth, depending on the service provided and the customer's needs. For my case, we are a small shop with a fairly simple CRUD web app, and the size of the contract is ~$10K, which is for a local municipality.



I can write something up to let them know that we are using an up to date web framework/SSL/database/VPN's, and that we are monitoring all services and user-generated content.




  • What are some best practices that can assist me?


  • How can I interpret the customer's needs in their request?





Updates:



  • renamed "security profile" to "security plan" for better clarity.

  • emphasized that I am looking for examples of software security plans, and guides to these plans, instead of just responding with an email.

  • emphasized that I am looking for a guide or example of how to write a SaaS security plan, which fits the common pattern of a web application backed by a database.

  • Updated with the Software Security Plan that I found here: http://sunguidesoftware.com/sunguidesoftware/documentlibrary/ReadingRoom/ProjectDocuments/Process%20Document%20-%2015809/SunGuideSMD-SSP-1%200%200(WorkingFinal).pdf but it's for a traffic surveillance system, which is quite different than a web application...









share|improve this question
















I started a small business that provides a web application to clients, and a new customer asked for a security plan. I've never written one before.



I understand that security plans can vary in breadth and depth, depending on the service provided and the customer's needs. For my case, we are a small shop with a fairly simple CRUD web app, and the size of the contract is ~$10K, which is for a local municipality.



I can write something up to let them know that we are using an up to date web framework/SSL/database/VPN's, and that we are monitoring all services and user-generated content.




  • What are some best practices that can assist me?


  • How can I interpret the customer's needs in their request?





Updates:



  • renamed "security profile" to "security plan" for better clarity.

  • emphasized that I am looking for examples of software security plans, and guides to these plans, instead of just responding with an email.

  • emphasized that I am looking for a guide or example of how to write a SaaS security plan, which fits the common pattern of a web application backed by a database.

  • Updated with the Software Security Plan that I found here: http://sunguidesoftware.com/sunguidesoftware/documentlibrary/ReadingRoom/ProjectDocuments/Process%20Document%20-%2015809/SunGuideSMD-SSP-1%200%200(WorkingFinal).pdf but it's for a traffic surveillance system, which is quite different than a web application...






contracts security security-clearance government






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited 16 mins ago









Anthony

6,26916 silver badges62 bronze badges




6,26916 silver badges62 bronze badges










asked 2 days ago









mrNiceGuymrNiceGuy

3973 silver badges10 bronze badges




3973 silver badges10 bronze badges




put on hold as too broad by Dukeling, gnat, Solar Mike, Jay, Malisbad yesterday


Please edit the question to limit it to a specific problem with enough detail to identify an adequate answer. Avoid asking multiple distinct questions at once. See the How to Ask page for help clarifying this question. If this question can be reworded to fit the rules in the help center, please edit the question.









put on hold as too broad by Dukeling, gnat, Solar Mike, Jay, Malisbad yesterday


Please edit the question to limit it to a specific problem with enough detail to identify an adequate answer. Avoid asking multiple distinct questions at once. See the How to Ask page for help clarifying this question. If this question can be reworded to fit the rules in the help center, please edit the question.














  • Is there any reason why this received a close vote?

    – mrNiceGuy
    2 days ago






  • 2





    This is usually called a security plan not a security profile. If you google “How to write a security plan,” you will see many excellent resources.

    – Ernest Friedman-Hill
    2 days ago






  • 2





    Far too technical for The Workplace so a comment rather than an answer: running on AWS does not make your system more secure than running it anywhere else (it doesn't make it less secure either). Don't include that in a plan unless you can show that you understand the shared security model.

    – Philip Kendall
    2 days ago






  • 1





    Here are some things that clients will want to see addressed in your plan: moodysanalytics.com/-/media/whitepaper/2018/…

    – Joe Strazzere
    yesterday











  • Meta discussion to reopen at this link - workplace.meta.stackexchange.com/questions/6208/…

    – Anthony
    9 mins ago


















  • Is there any reason why this received a close vote?

    – mrNiceGuy
    2 days ago






  • 2





    This is usually called a security plan not a security profile. If you google “How to write a security plan,” you will see many excellent resources.

    – Ernest Friedman-Hill
    2 days ago






  • 2





    Far too technical for The Workplace so a comment rather than an answer: running on AWS does not make your system more secure than running it anywhere else (it doesn't make it less secure either). Don't include that in a plan unless you can show that you understand the shared security model.

    – Philip Kendall
    2 days ago






  • 1





    Here are some things that clients will want to see addressed in your plan: moodysanalytics.com/-/media/whitepaper/2018/…

    – Joe Strazzere
    yesterday











  • Meta discussion to reopen at this link - workplace.meta.stackexchange.com/questions/6208/…

    – Anthony
    9 mins ago

















Is there any reason why this received a close vote?

– mrNiceGuy
2 days ago





Is there any reason why this received a close vote?

– mrNiceGuy
2 days ago




2




2





This is usually called a security plan not a security profile. If you google “How to write a security plan,” you will see many excellent resources.

– Ernest Friedman-Hill
2 days ago





This is usually called a security plan not a security profile. If you google “How to write a security plan,” you will see many excellent resources.

– Ernest Friedman-Hill
2 days ago




2




2





Far too technical for The Workplace so a comment rather than an answer: running on AWS does not make your system more secure than running it anywhere else (it doesn't make it less secure either). Don't include that in a plan unless you can show that you understand the shared security model.

– Philip Kendall
2 days ago





Far too technical for The Workplace so a comment rather than an answer: running on AWS does not make your system more secure than running it anywhere else (it doesn't make it less secure either). Don't include that in a plan unless you can show that you understand the shared security model.

– Philip Kendall
2 days ago




1




1





Here are some things that clients will want to see addressed in your plan: moodysanalytics.com/-/media/whitepaper/2018/…

– Joe Strazzere
yesterday





Here are some things that clients will want to see addressed in your plan: moodysanalytics.com/-/media/whitepaper/2018/…

– Joe Strazzere
yesterday













Meta discussion to reopen at this link - workplace.meta.stackexchange.com/questions/6208/…

– Anthony
9 mins ago






Meta discussion to reopen at this link - workplace.meta.stackexchange.com/questions/6208/…

– Anthony
9 mins ago











2 Answers
2






active

oldest

votes


















3














I am certainly not an expert on the topic, but have had to write and contribute to several security plans. Generally, what you want is a formal report, whose size is commensurate with the complexity of your operations; a plan can range from ten pages to hundreds.



The introduction should discuss your overall architecture. The meat of the report should identify all the possible risks you can think of (relating to hacking, data loss by physical disaster, etc,) your intended responses to them or mitigation strategies, and rules and procedures that ensure the responses and strategies are implemented. Basically you want to show that you’ve identified all the foreseeable risks to your clients, and have plans in place for minimizing them.



Googling “how to write a security plan” gives plenty of results.






share|improve this answer























  • Thank you for the answer! But now I'm wondering where I can find examples of security plans for a web application? (I updated my question above) The documents that I found were mostly focused on desktop applications and other software systems, which is helpful, but doesn't have the same security concerns as a web app...

    – mrNiceGuy
    2 days ago











  • @mrNiceGuy - well you and your fellow founders are experts in web based systems, right? So it shouldn't be all the difficult to turn any general security plan document into one tailored for your environment. If it is hard, you may want to hire a consultant to help you in both the writing and securing.

    – Joe Strazzere
    2 days ago






  • 1





    I wouldn’t worry about legalese; the details would depend on your client and jurisdiction anyway. You already said it’s not a high-consequence system; just address your approaches for preventing various kinds of penetration and for backup and recovery and you should be good.

    – Ernest Friedman-Hill
    2 days ago






  • 1





    Plus, I suspect there are lots of security plans for web apps out there, although I can understand why they aren't readily available Because this is how consultancy companies make money, at between $1k and $50k+. Some have ongoing contracts to provide realtime monitoring, others to perform annual security reviews. They're not going to leave these lying around for their competitors to use, or give you a head start.

    – Justin
    yesterday






  • 1





    @mrNiceGuy - "Perhaps I am being lazy, but we are a 3 person shop, so I would like to avoid writing a ~10 page legal document if at all possible. " - consider that this is exactly what this municipality (and probably other future clients) are trying to see. If you can't be bothered to write 10 pages, how can they trust you to do the work to actually secure the systems they will be depending on? Hire a consultant if you must, but get it done.

    – Joe Strazzere
    yesterday



















0














Find out what the client’s expectations really are, and manage them. There's a world of difference between downtime measured in milliseconds, which every client wants, and downtime of a few days, which is what a $10k client will probably accept when the find out how expensive the former is.



Aside - upsell. What did they actually pay the $10k for? What else can you sell them?



Practical Suggestions




Are there any examples of a security plan from a SaaS provider -
specifically for a web app?




No - you'll have to write one.



As a starting point, Google “Owasp” and “Troy Hunt”, which will give you the top 10(?) common ways to hack a website. Write some test code/scripts to do this against your own site, then format the results: Attack / Solution / Results into a document.



This is the most basic kind of penetration test, and you should really be engaging a specialist company to do this for you (don’t though; it’ll cost a good chunk of that $10k).




...and availability of your site ...




You’re probably not hosting this app on your own servers, instead using a hosting provider. Have a look at their policy for how they guarantee uptime (or email and ask), and include that in your response to the client. ( if you are self hosting, you’re probably making a lot more work for yourself, as you lack the infrastructure for high availability/ failover)






share|improve this answer

































    2 Answers
    2






    active

    oldest

    votes








    2 Answers
    2






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    3














    I am certainly not an expert on the topic, but have had to write and contribute to several security plans. Generally, what you want is a formal report, whose size is commensurate with the complexity of your operations; a plan can range from ten pages to hundreds.



    The introduction should discuss your overall architecture. The meat of the report should identify all the possible risks you can think of (relating to hacking, data loss by physical disaster, etc,) your intended responses to them or mitigation strategies, and rules and procedures that ensure the responses and strategies are implemented. Basically you want to show that you’ve identified all the foreseeable risks to your clients, and have plans in place for minimizing them.



    Googling “how to write a security plan” gives plenty of results.






    share|improve this answer























    • Thank you for the answer! But now I'm wondering where I can find examples of security plans for a web application? (I updated my question above) The documents that I found were mostly focused on desktop applications and other software systems, which is helpful, but doesn't have the same security concerns as a web app...

      – mrNiceGuy
      2 days ago











    • @mrNiceGuy - well you and your fellow founders are experts in web based systems, right? So it shouldn't be all the difficult to turn any general security plan document into one tailored for your environment. If it is hard, you may want to hire a consultant to help you in both the writing and securing.

      – Joe Strazzere
      2 days ago






    • 1





      I wouldn’t worry about legalese; the details would depend on your client and jurisdiction anyway. You already said it’s not a high-consequence system; just address your approaches for preventing various kinds of penetration and for backup and recovery and you should be good.

      – Ernest Friedman-Hill
      2 days ago






    • 1





      Plus, I suspect there are lots of security plans for web apps out there, although I can understand why they aren't readily available Because this is how consultancy companies make money, at between $1k and $50k+. Some have ongoing contracts to provide realtime monitoring, others to perform annual security reviews. They're not going to leave these lying around for their competitors to use, or give you a head start.

      – Justin
      yesterday






    • 1





      @mrNiceGuy - "Perhaps I am being lazy, but we are a 3 person shop, so I would like to avoid writing a ~10 page legal document if at all possible. " - consider that this is exactly what this municipality (and probably other future clients) are trying to see. If you can't be bothered to write 10 pages, how can they trust you to do the work to actually secure the systems they will be depending on? Hire a consultant if you must, but get it done.

      – Joe Strazzere
      yesterday
















    3














    I am certainly not an expert on the topic, but have had to write and contribute to several security plans. Generally, what you want is a formal report, whose size is commensurate with the complexity of your operations; a plan can range from ten pages to hundreds.



    The introduction should discuss your overall architecture. The meat of the report should identify all the possible risks you can think of (relating to hacking, data loss by physical disaster, etc,) your intended responses to them or mitigation strategies, and rules and procedures that ensure the responses and strategies are implemented. Basically you want to show that you’ve identified all the foreseeable risks to your clients, and have plans in place for minimizing them.



    Googling “how to write a security plan” gives plenty of results.






    share|improve this answer























    • Thank you for the answer! But now I'm wondering where I can find examples of security plans for a web application? (I updated my question above) The documents that I found were mostly focused on desktop applications and other software systems, which is helpful, but doesn't have the same security concerns as a web app...

      – mrNiceGuy
      2 days ago











    • @mrNiceGuy - well you and your fellow founders are experts in web based systems, right? So it shouldn't be all the difficult to turn any general security plan document into one tailored for your environment. If it is hard, you may want to hire a consultant to help you in both the writing and securing.

      – Joe Strazzere
      2 days ago






    • 1





      I wouldn’t worry about legalese; the details would depend on your client and jurisdiction anyway. You already said it’s not a high-consequence system; just address your approaches for preventing various kinds of penetration and for backup and recovery and you should be good.

      – Ernest Friedman-Hill
      2 days ago






    • 1





      Plus, I suspect there are lots of security plans for web apps out there, although I can understand why they aren't readily available Because this is how consultancy companies make money, at between $1k and $50k+. Some have ongoing contracts to provide realtime monitoring, others to perform annual security reviews. They're not going to leave these lying around for their competitors to use, or give you a head start.

      – Justin
      yesterday






    • 1





      @mrNiceGuy - "Perhaps I am being lazy, but we are a 3 person shop, so I would like to avoid writing a ~10 page legal document if at all possible. " - consider that this is exactly what this municipality (and probably other future clients) are trying to see. If you can't be bothered to write 10 pages, how can they trust you to do the work to actually secure the systems they will be depending on? Hire a consultant if you must, but get it done.

      – Joe Strazzere
      yesterday














    3












    3








    3







    I am certainly not an expert on the topic, but have had to write and contribute to several security plans. Generally, what you want is a formal report, whose size is commensurate with the complexity of your operations; a plan can range from ten pages to hundreds.



    The introduction should discuss your overall architecture. The meat of the report should identify all the possible risks you can think of (relating to hacking, data loss by physical disaster, etc,) your intended responses to them or mitigation strategies, and rules and procedures that ensure the responses and strategies are implemented. Basically you want to show that you’ve identified all the foreseeable risks to your clients, and have plans in place for minimizing them.



    Googling “how to write a security plan” gives plenty of results.






    share|improve this answer













    I am certainly not an expert on the topic, but have had to write and contribute to several security plans. Generally, what you want is a formal report, whose size is commensurate with the complexity of your operations; a plan can range from ten pages to hundreds.



    The introduction should discuss your overall architecture. The meat of the report should identify all the possible risks you can think of (relating to hacking, data loss by physical disaster, etc,) your intended responses to them or mitigation strategies, and rules and procedures that ensure the responses and strategies are implemented. Basically you want to show that you’ve identified all the foreseeable risks to your clients, and have plans in place for minimizing them.



    Googling “how to write a security plan” gives plenty of results.







    share|improve this answer












    share|improve this answer



    share|improve this answer










    answered 2 days ago









    Ernest Friedman-HillErnest Friedman-Hill

    4,1462 gold badges20 silver badges25 bronze badges




    4,1462 gold badges20 silver badges25 bronze badges












    • Thank you for the answer! But now I'm wondering where I can find examples of security plans for a web application? (I updated my question above) The documents that I found were mostly focused on desktop applications and other software systems, which is helpful, but doesn't have the same security concerns as a web app...

      – mrNiceGuy
      2 days ago











    • @mrNiceGuy - well you and your fellow founders are experts in web based systems, right? So it shouldn't be all the difficult to turn any general security plan document into one tailored for your environment. If it is hard, you may want to hire a consultant to help you in both the writing and securing.

      – Joe Strazzere
      2 days ago






    • 1





      I wouldn’t worry about legalese; the details would depend on your client and jurisdiction anyway. You already said it’s not a high-consequence system; just address your approaches for preventing various kinds of penetration and for backup and recovery and you should be good.

      – Ernest Friedman-Hill
      2 days ago






    • 1





      Plus, I suspect there are lots of security plans for web apps out there, although I can understand why they aren't readily available Because this is how consultancy companies make money, at between $1k and $50k+. Some have ongoing contracts to provide realtime monitoring, others to perform annual security reviews. They're not going to leave these lying around for their competitors to use, or give you a head start.

      – Justin
      yesterday






    • 1





      @mrNiceGuy - "Perhaps I am being lazy, but we are a 3 person shop, so I would like to avoid writing a ~10 page legal document if at all possible. " - consider that this is exactly what this municipality (and probably other future clients) are trying to see. If you can't be bothered to write 10 pages, how can they trust you to do the work to actually secure the systems they will be depending on? Hire a consultant if you must, but get it done.

      – Joe Strazzere
      yesterday


















    • Thank you for the answer! But now I'm wondering where I can find examples of security plans for a web application? (I updated my question above) The documents that I found were mostly focused on desktop applications and other software systems, which is helpful, but doesn't have the same security concerns as a web app...

      – mrNiceGuy
      2 days ago











    • @mrNiceGuy - well you and your fellow founders are experts in web based systems, right? So it shouldn't be all the difficult to turn any general security plan document into one tailored for your environment. If it is hard, you may want to hire a consultant to help you in both the writing and securing.

      – Joe Strazzere
      2 days ago






    • 1





      I wouldn’t worry about legalese; the details would depend on your client and jurisdiction anyway. You already said it’s not a high-consequence system; just address your approaches for preventing various kinds of penetration and for backup and recovery and you should be good.

      – Ernest Friedman-Hill
      2 days ago






    • 1





      Plus, I suspect there are lots of security plans for web apps out there, although I can understand why they aren't readily available Because this is how consultancy companies make money, at between $1k and $50k+. Some have ongoing contracts to provide realtime monitoring, others to perform annual security reviews. They're not going to leave these lying around for their competitors to use, or give you a head start.

      – Justin
      yesterday






    • 1





      @mrNiceGuy - "Perhaps I am being lazy, but we are a 3 person shop, so I would like to avoid writing a ~10 page legal document if at all possible. " - consider that this is exactly what this municipality (and probably other future clients) are trying to see. If you can't be bothered to write 10 pages, how can they trust you to do the work to actually secure the systems they will be depending on? Hire a consultant if you must, but get it done.

      – Joe Strazzere
      yesterday

















    Thank you for the answer! But now I'm wondering where I can find examples of security plans for a web application? (I updated my question above) The documents that I found were mostly focused on desktop applications and other software systems, which is helpful, but doesn't have the same security concerns as a web app...

    – mrNiceGuy
    2 days ago





    Thank you for the answer! But now I'm wondering where I can find examples of security plans for a web application? (I updated my question above) The documents that I found were mostly focused on desktop applications and other software systems, which is helpful, but doesn't have the same security concerns as a web app...

    – mrNiceGuy
    2 days ago













    @mrNiceGuy - well you and your fellow founders are experts in web based systems, right? So it shouldn't be all the difficult to turn any general security plan document into one tailored for your environment. If it is hard, you may want to hire a consultant to help you in both the writing and securing.

    – Joe Strazzere
    2 days ago





    @mrNiceGuy - well you and your fellow founders are experts in web based systems, right? So it shouldn't be all the difficult to turn any general security plan document into one tailored for your environment. If it is hard, you may want to hire a consultant to help you in both the writing and securing.

    – Joe Strazzere
    2 days ago




    1




    1





    I wouldn’t worry about legalese; the details would depend on your client and jurisdiction anyway. You already said it’s not a high-consequence system; just address your approaches for preventing various kinds of penetration and for backup and recovery and you should be good.

    – Ernest Friedman-Hill
    2 days ago





    I wouldn’t worry about legalese; the details would depend on your client and jurisdiction anyway. You already said it’s not a high-consequence system; just address your approaches for preventing various kinds of penetration and for backup and recovery and you should be good.

    – Ernest Friedman-Hill
    2 days ago




    1




    1





    Plus, I suspect there are lots of security plans for web apps out there, although I can understand why they aren't readily available Because this is how consultancy companies make money, at between $1k and $50k+. Some have ongoing contracts to provide realtime monitoring, others to perform annual security reviews. They're not going to leave these lying around for their competitors to use, or give you a head start.

    – Justin
    yesterday





    Plus, I suspect there are lots of security plans for web apps out there, although I can understand why they aren't readily available Because this is how consultancy companies make money, at between $1k and $50k+. Some have ongoing contracts to provide realtime monitoring, others to perform annual security reviews. They're not going to leave these lying around for their competitors to use, or give you a head start.

    – Justin
    yesterday




    1




    1





    @mrNiceGuy - "Perhaps I am being lazy, but we are a 3 person shop, so I would like to avoid writing a ~10 page legal document if at all possible. " - consider that this is exactly what this municipality (and probably other future clients) are trying to see. If you can't be bothered to write 10 pages, how can they trust you to do the work to actually secure the systems they will be depending on? Hire a consultant if you must, but get it done.

    – Joe Strazzere
    yesterday






    @mrNiceGuy - "Perhaps I am being lazy, but we are a 3 person shop, so I would like to avoid writing a ~10 page legal document if at all possible. " - consider that this is exactly what this municipality (and probably other future clients) are trying to see. If you can't be bothered to write 10 pages, how can they trust you to do the work to actually secure the systems they will be depending on? Hire a consultant if you must, but get it done.

    – Joe Strazzere
    yesterday














    0














    Find out what the client’s expectations really are, and manage them. There's a world of difference between downtime measured in milliseconds, which every client wants, and downtime of a few days, which is what a $10k client will probably accept when the find out how expensive the former is.



    Aside - upsell. What did they actually pay the $10k for? What else can you sell them?



    Practical Suggestions




    Are there any examples of a security plan from a SaaS provider -
    specifically for a web app?




    No - you'll have to write one.



    As a starting point, Google “Owasp” and “Troy Hunt”, which will give you the top 10(?) common ways to hack a website. Write some test code/scripts to do this against your own site, then format the results: Attack / Solution / Results into a document.



    This is the most basic kind of penetration test, and you should really be engaging a specialist company to do this for you (don’t though; it’ll cost a good chunk of that $10k).




    ...and availability of your site ...




    You’re probably not hosting this app on your own servers, instead using a hosting provider. Have a look at their policy for how they guarantee uptime (or email and ask), and include that in your response to the client. ( if you are self hosting, you’re probably making a lot more work for yourself, as you lack the infrastructure for high availability/ failover)






    share|improve this answer





























      0














      Find out what the client’s expectations really are, and manage them. There's a world of difference between downtime measured in milliseconds, which every client wants, and downtime of a few days, which is what a $10k client will probably accept when the find out how expensive the former is.



      Aside - upsell. What did they actually pay the $10k for? What else can you sell them?



      Practical Suggestions




      Are there any examples of a security plan from a SaaS provider -
      specifically for a web app?




      No - you'll have to write one.



      As a starting point, Google “Owasp” and “Troy Hunt”, which will give you the top 10(?) common ways to hack a website. Write some test code/scripts to do this against your own site, then format the results: Attack / Solution / Results into a document.



      This is the most basic kind of penetration test, and you should really be engaging a specialist company to do this for you (don’t though; it’ll cost a good chunk of that $10k).




      ...and availability of your site ...




      You’re probably not hosting this app on your own servers, instead using a hosting provider. Have a look at their policy for how they guarantee uptime (or email and ask), and include that in your response to the client. ( if you are self hosting, you’re probably making a lot more work for yourself, as you lack the infrastructure for high availability/ failover)






      share|improve this answer



























        0












        0








        0







        Find out what the client’s expectations really are, and manage them. There's a world of difference between downtime measured in milliseconds, which every client wants, and downtime of a few days, which is what a $10k client will probably accept when the find out how expensive the former is.



        Aside - upsell. What did they actually pay the $10k for? What else can you sell them?



        Practical Suggestions




        Are there any examples of a security plan from a SaaS provider -
        specifically for a web app?




        No - you'll have to write one.



        As a starting point, Google “Owasp” and “Troy Hunt”, which will give you the top 10(?) common ways to hack a website. Write some test code/scripts to do this against your own site, then format the results: Attack / Solution / Results into a document.



        This is the most basic kind of penetration test, and you should really be engaging a specialist company to do this for you (don’t though; it’ll cost a good chunk of that $10k).




        ...and availability of your site ...




        You’re probably not hosting this app on your own servers, instead using a hosting provider. Have a look at their policy for how they guarantee uptime (or email and ask), and include that in your response to the client. ( if you are self hosting, you’re probably making a lot more work for yourself, as you lack the infrastructure for high availability/ failover)






        share|improve this answer















        Find out what the client’s expectations really are, and manage them. There's a world of difference between downtime measured in milliseconds, which every client wants, and downtime of a few days, which is what a $10k client will probably accept when the find out how expensive the former is.



        Aside - upsell. What did they actually pay the $10k for? What else can you sell them?



        Practical Suggestions




        Are there any examples of a security plan from a SaaS provider -
        specifically for a web app?




        No - you'll have to write one.



        As a starting point, Google “Owasp” and “Troy Hunt”, which will give you the top 10(?) common ways to hack a website. Write some test code/scripts to do this against your own site, then format the results: Attack / Solution / Results into a document.



        This is the most basic kind of penetration test, and you should really be engaging a specialist company to do this for you (don’t though; it’ll cost a good chunk of that $10k).




        ...and availability of your site ...




        You’re probably not hosting this app on your own servers, instead using a hosting provider. Have a look at their policy for how they guarantee uptime (or email and ask), and include that in your response to the client. ( if you are self hosting, you’re probably making a lot more work for yourself, as you lack the infrastructure for high availability/ failover)







        share|improve this answer














        share|improve this answer



        share|improve this answer








        edited yesterday

























        answered yesterday









        JustinJustin

        3,7221 gold badge8 silver badges19 bronze badges




        3,7221 gold badge8 silver badges19 bronze badges













            Popular posts from this blog

            Canceling a color specificationRandomly assigning color to Graphics3D objects?Default color for Filling in Mathematica 9Coloring specific elements of sets with a prime modified order in an array plotHow to pick a color differing significantly from the colors already in a given color list?Detection of the text colorColor numbers based on their valueCan color schemes for use with ColorData include opacity specification?My dynamic color schemes

            Invision Community Contents History See also References External links Navigation menuProprietaryinvisioncommunity.comIPS Community ForumsIPS Community Forumsthis blog entry"License Changes, IP.Board 3.4, and the Future""Interview -- Matt Mecham of Ibforums""CEO Invision Power Board, Matt Mecham Is a Liar, Thief!"IPB License Explanation 1.3, 1.3.1, 2.0, and 2.1ArchivedSecurity Fixes, Updates And Enhancements For IPB 1.3.1Archived"New Demo Accounts - Invision Power Services"the original"New Default Skin"the original"Invision Power Board 3.0.0 and Applications Released"the original"Archived copy"the original"Perpetual licenses being done away with""Release Notes - Invision Power Services""Introducing: IPS Community Suite 4!"Invision Community Release Notes

            199年 目錄 大件事 到箇年出世嗰人 到箇年死嗰人 節慶、風俗習慣 導覽選單