As many of you know, we've been working hard on our security platform at https://securityprogram.io. This post provides a periodic update around what is going on with the product.
The big idea
The whole idea behind securityprogram.io is to provide a system that a small or medium-sized company can use to implement a serious security program without needing to hire a full-time security person.
We started with NIST SP 800-53 and then built policies, training and a set of tasks a company has to complete to meet its stated policies. This is the core of the whole platform and sets out the roadmap toward having a real security program.
The next phase is to make the tasks easier and more automated.
Vendor Management
Building on a previous blog post about vendor management, we built this capability into our platform. It is simple, to a fault.
You can define your vendors and track them. You can send each vendor an email asking them to fill out a short questionnaire, and their answers are then populated in our vendor tracker.
Risk Management
We built a very simple risk register to track risks that are identified and their outcome, i.e. how each one is handled. Again, simple to a fault, but totally sufficient for a typical small to mid-sized business.
Scanning
I spent four years building a commercial vulnerability scanner that had to pass PCI ASV tests. Knowing what that looks like on the inside, and trying to find an economical and effective solution for smaller businesses, we built our own simple scanner. It accomplishes the key goals: identifying network configurations that are more open than they should be, and providing a base level of vulnerability analysis.
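To make "more open than it should be" concrete, here is an added example (not securityprogram.io's scanner) of the core check such a scanner performs: a TCP connect scan of a host, followed by a comparison of what is actually listening against an allow-list of ports that policy says may be exposed. The `demo()` helper stands up a throwaway listener on loopback so the block runs offline; the host, port list and allow-list are assumptions for the example.

```python
"""TCP connect scan plus an exposure policy check.

Added example, not the platform's own code. A real scanner does far more
(service fingerprinting, vulnerability checks), but the exposure finding
is the part that matters most for a small business: anything listening
that is not on the allow-list is a configuration that is too open.
"""
import socket
from typing import Iterable


def tcp_port_open(host: str, port: int, timeout: float = 0.5) -> bool:
    """Return True if a full TCP connect() to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Refused, timed out, unreachable: treat all of these as not open.
        return False


def scan_ports(host: str, ports: Iterable[int], timeout: float = 0.5) -> list[int]:
    """Return the sorted list of ports on host that accept connections."""
    return sorted(p for p in set(ports) if tcp_port_open(host, p, timeout))


def exposure_findings(open_ports: Iterable[int], allowed_ports: Iterable[int]) -> list[int]:
    """Open ports that policy does not allow: the host is more open than it should be."""
    return sorted(set(open_ports) - set(allowed_ports))


def demo() -> tuple[int, list[int], list[int]]:
    """Scan a throwaway loopback listener (assumed setup for the example).

    Returns (listener_port, open_ports_seen, findings). The allow-list is
    empty, so the listener itself should come back as a finding.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # kernel picks a free port
    listener.listen(5)                # no accept() needed: the handshake completes in the backlog
    port = listener.getsockname()[1]

    # Grab and release a second ephemeral port so we also have a port that is closed.
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()

    try:
        open_ports = scan_ports("127.0.0.1", [port, closed_port])
        return port, open_ports, exposure_findings(open_ports, allowed_ports=[])
    finally:
        listener.close()


if __name__ == "__main__":
    listener_port, seen, findings = demo()
    print(f"listener on {listener_port}, open: {seen}, not allowed by policy: {findings}")
```

In practice the allow-list comes from the asset inventory (for a web host, typically 22 from a bastion only, 80 and 443 from anywhere), and the scan is run from outside the network so it sees what an attacker sees.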
Training
In addition to the core Security Awareness Training and Policy related training that we already had, we released training for:
- Introduction to the OWASP Top 10
- Threat Modeling
- Privacy and Data Handling
Did I mention that the training is built right into the platform and can be tracked right on the dashboard?
Dashboard improvements
The dashboard shows your progress through rounds and provides detail about who has completed training. These are relatively minor updates but they make the dashboard more complete and useful.
A look ahead
The things we're working on now include:
- User Audit functions that allow automated auditing of users in key systems such as Google Apps, O365, AWS and GitHub.
- Better help and local task guidance in the application so that it is easier to use and navigate unfamiliar tasks.
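As an illustration of what an automated user audit looks like for one of those systems, here is an added example (not the platform's own audit code) that checks AWS IAM users from the CSV that `aws iam get-credential-report` returns. It flags the findings a periodic user audit is meant to surface: console users without MFA, active access keys past a rotation window, and users with no recent activity. The report embedded below is constructed for the example, and the 90-day thresholds and the fixed report date are assumptions.

```python
"""Audit IAM users from an AWS credential report.

Added example, not securityprogram.io's code. The input is the CSV body of
`aws iam get-credential-report` (after base64 decoding). Timestamps in the
report are ISO 8601; the values N/A, no_information and not_supported mean
there is no date to compare against.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE = timedelta(days=90)   # assumed rotation policy for the example
MAX_IDLE = timedelta(days=90)      # assumed dormancy threshold for the example

# Constructed sample report: one root row, one healthy user, one neglected
# user, and one service account with a stale first key.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2021-01-01T00:00:00+00:00,not_supported,2024-05-01T09:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2022-03-10T12:00:00+00:00,true,2024-05-20T08:00:00+00:00,2024-04-01T00:00:00+00:00,N/A,true,true,2024-04-15T00:00:00+00:00,2024-05-20T08:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2021-06-01T00:00:00+00:00,true,2023-11-02T00:00:00+00:00,2022-01-01T00:00:00+00:00,N/A,false,true,2022-06-01T00:00:00+00:00,2023-11-02T00:00:00+00:00,us-east-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,2023-01-01T00:00:00+00:00,false,no_information,N/A,N/A,false,true,2023-01-01T00:00:00+00:00,2024-05-21T00:00:00+00:00,us-east-1,ecr,true,2024-04-01T00:00:00+00:00,N/A,N/A,N/A,false,N/A,false,N/A
"""

# Fixed "now" so the example is reproducible (assumed date for the example).
REPORT_DATE = datetime(2024, 6, 1, tzinfo=timezone.utc)


def parse_ts(value: str):
    """Turn a credential-report timestamp into a datetime, or None if there is none."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv: str, now: datetime) -> list[tuple[str, str]]:
    """Return sorted (user, finding) pairs for the report as of `now`."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        has_mfa = row["mfa_active"] == "true"

        # Root has no password_enabled flag; it always has console access.
        if user == "<root_account>":
            if not has_mfa:
                findings.append((user, "root account without MFA"))
        elif row["password_enabled"] == "true" and not has_mfa:
            findings.append((user, "console password enabled without MFA"))

        # Active access keys past the rotation window (or with no rotation date at all).
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = parse_ts(row[f"access_key_{n}_last_rotated"])
            if rotated is None or now - rotated > MAX_KEY_AGE:
                findings.append((user, f"access_key_{n} older than {MAX_KEY_AGE.days} days"))

        # Dormant identities: no console login and no key use inside the window.
        last_seen = [t for t in (parse_ts(row["password_last_used"]),
                                 parse_ts(row["access_key_1_last_used_date"]),
                                 parse_ts(row["access_key_2_last_used_date"])) if t]
        if not last_seen or now - max(last_seen) > MAX_IDLE:
            findings.append((user, f"no console or key activity in {MAX_IDLE.days} days"))
    return sorted(findings)


def run_demo() -> list[tuple[str, str]]:
    """Audit the constructed sample report as of REPORT_DATE."""
    return audit_credential_report(SAMPLE_REPORT, REPORT_DATE)


if __name__ == "__main__":
    for user, finding in run_demo():
        print(f"{user}: {finding}")
```

Each finding maps naturally onto a task in the platform's sense: disable or remove the dormant user, enforce MFA for the console user, and rotate the stale key. The same shape (pull a user list with last-activity and MFA fields, apply thresholds, emit findings) carries over to the GitHub, O365 and Google Apps audits.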