Computer Security · Cyber security

SaaS cybersecurity: What's the playbook?

Anonymous

August 28th, 2018

We are a health IT software company that offers a cloud-based software solution. Our system does collect personally identifiable health information. Our customers are health systems, hospitals and primary care medical groups. In terms of cybersecurity, what do companies like us typically do? We are small and do not have in-house resources to manage security. We have successfully undergone a few security assessments by our customers so we believe our platform is secure. But how do we know if we've been breached? How often do we need to consult vulnerability assessments and code scans? Do we need to hire a 3rd party internet security company to monitor our environment? How much should we expect to pay per month and what should we expect in terms of services?

Canute Bigler Life-long software development pro; first hire @PerchSecurity; wide-generalist.

Last updated on September 5th, 2018

It feels worth mentioning that there's lots of existing material on handling PII and implementing measures to comply with HIPAA and GDPR. Companies of every size should take handling of PII seriously and there's plenty that even a very early stage startup can do:

  • HTTPS everywhere - certs are cheap/free these days. Assume that anything that you send over HTTP is being sniffed by an adversarial network.
  • Make sure you're not using public S3 buckets to handle/store PII - use pre-signed S3 uploads/downloads with a private bucket.
  • Delete PII that you don't need any more as soon as possible, don't store things that you don't need. Minimize your exposure.
  • Secure your network resources, minimize infrastructure exposed directly to the public Internet - again, minimize your exposure.
  • Use static analysis tools to scan your codebase for security issues (e.g. Bandit for Python)
  • Keep your servers, software, and libraries up to date with the latest security patches
  • Use modern HTTP security headers (e.g. https://www.globaldots.com/8-http-security-headers-best-practices/)

External third-party scans and vulnerability assessments can be useful, though, in my experience, unless you're paying for a full penetration test, they're likely just to prod your infra for open ports/services and make note of which HTTP security headers you're not using.
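The "modern HTTP security headers" item and the remark about scanners noting which headers you're not using can be made concrete in code. The following is an added example, not code from the original answer or from any project mentioned on the page: a small stdlib-only WSGI middleware that fills in a baseline set of security headers on every response without overriding headers the application already set, plus a checker that reports which of the baseline headers a response is missing (the same check a scanner would perform). The header names are real; the policy values are assumed defaults to be tuned per application.

```python
"""Added example: baseline HTTP security headers for a WSGI application.

The header set and values below are assumed defaults, not the original
answer's configuration; tune Content-Security-Policy in particular per app.
"""
from typing import Callable, Dict, Iterable, List, Tuple

# Headers a scanner typically checks for on an HTTPS-only application
# handling sensitive data (assumed baseline values).
RECOMMENDED_HEADERS: Dict[str, str] = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "no-referrer",
    # Responses carrying PII/PHI should never be stored by shared caches.
    "Cache-Control": "no-store",
}


def missing_security_headers(headers: Iterable[Tuple[str, str]]) -> List[str]:
    """Return the recommended headers absent from a response header list.

    Header names are compared case-insensitively, as HTTP requires.
    """
    present = {name.lower() for name, _ in headers}
    return [name for name in RECOMMENDED_HEADERS if name.lower() not in present]


class SecurityHeadersMiddleware:
    """WSGI middleware that appends any missing baseline security headers.

    Headers the wrapped application already emitted are left untouched, so an
    endpoint can ship a stricter or looser Content-Security-Policy of its own.
    """

    def __init__(self, app: Callable) -> None:
        self.app = app

    def __call__(self, environ, start_response):
        def wrapped_start_response(status, headers, exc_info=None):
            merged = list(headers)
            for name in missing_security_headers(merged):
                merged.append((name, RECOMMENDED_HEADERS[name]))
            return start_response(status, merged, exc_info)

        return self.app(environ, wrapped_start_response)


def demo_app(environ, start_response):
    """A hypothetical application that sets no security headers at all."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]


def demo_app_with_own_csp(environ, start_response):
    """A hypothetical endpoint that sets its own CSP (must not be overridden)."""
    start_response("200 OK", [
        ("Content-Type", "text/html"),
        ("Content-Security-Policy", "default-src 'self' https://cdn.example"),
    ])
    return [b"<p>hello</p>"]


def run_request(app: Callable) -> Tuple[str, List[Tuple[str, str]], bytes]:
    """Drive a WSGI app with a minimal GET environ and capture its response."""
    captured: Dict[str, object] = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/", "wsgi.url_scheme": "https"}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body  # type: ignore[return-value]


if __name__ == "__main__":
    _, bare, _ = run_request(demo_app)
    print("missing without middleware:", missing_security_headers(bare))
    _, hardened, _ = run_request(SecurityHeadersMiddleware(demo_app))
    print("missing with middleware:", missing_security_headers(hardened))
```

The checker is deliberately the same function the middleware uses, so what the middleware adds and what an external scan would flag stay in agreement. Note that `Strict-Transport-Security` is only honoured by browsers over HTTPS, which is why it belongs with the "HTTPS everywhere" item rather than as a substitute for it.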


Chowdari Babu Founder @ ismac.io

September 3rd, 2018

Definitely you need to secure the network database by building a robust architecture; you can use third-party services to plug loopholes. Let me know if you want to try our service.

Jodson Leandro Programmer and Pentester

January 17th, 2019

In terms of cybersecurity, what do companies like us typically do?

A lot of assessments and code reviews; they have their own SOC team or contract some.


But how do we know if we've been breached?

You need to implement some measures and then you need logs, logs everywhere. You need your system/application to warn you when something strange happens.


How often do we need to consult vulnerability assessments and code scans?

If you are a small company, try to implement an SDLC in your team; that will be something huge for your security.


Do we need to hire a 3rd party internet security company to monitor our environment?

If you don't have a specialist, then you need one.


How much should we expect to pay per month and what should we expect in terms of services?


What country is your company from?
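The "logs everywhere, and have the application warn you when something strange happens" advice in the answer above is the seed of a detection rule. As an added example that is not part of the original answer, here is a small, stdlib-only detector run over a handful of constructed authentication log lines: it raises one alert when a single source IP accumulates a burst of failed logins inside a time window, and a second, higher-priority alert when a success follows such a burst from the same IP, which is the pattern a breach investigation most wants to see surfaced early. The log format, the field names, the IP addresses (from the TEST-NET documentation ranges) and the thresholds are all assumptions for the example.

```python
"""Added example: burst-of-failures and success-after-failures alerting over
authentication logs. Log format, thresholds and sample data are constructed
for this example and are not from the original answer.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Optional

# Assumed line format, e.g.
# 2019-01-17T10:00:05Z auth ip=203.0.113.5 user=alice result=FAIL
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) auth "
    r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one log line; return None for lines that are not auth records."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    fields: Dict[str, object] = dict(m.groupdict())
    fields["ts"] = datetime.strptime(str(fields["ts"]), "%Y-%m-%dT%H:%M:%SZ")
    return fields


def detect_auth_anomalies(
    lines: Iterable[str],
    threshold: int = 5,
    window: timedelta = timedelta(minutes=5),
) -> List[Dict[str, object]]:
    """Scan log lines in order and return alerts.

    failure_burst: an IP reached `threshold` failures within `window`
                   (raised once per burst).
    success_after_failures: a successful login from an IP whose failure
                   count in the current window is at or above `threshold`.
    """
    alerts: List[Dict[str, object]] = []
    recent_failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    burst_alerted: set = set()

    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # unrelated or malformed line; a real pipeline would count these
        ip, ts = str(ev["ip"]), ev["ts"]
        q = recent_failures[ip]
        # Drop failures that have aged out of the sliding window.
        while q and ts - q[0] > window:  # type: ignore[operator]
            q.popleft()

        if ev["result"] == "FAIL":
            q.append(ts)  # type: ignore[arg-type]
            if len(q) >= threshold and ip not in burst_alerted:
                burst_alerted.add(ip)
                alerts.append({
                    "type": "failure_burst", "severity": "medium", "ip": ip,
                    "user": ev["user"], "failures": len(q),
                    "at": ts.strftime("%Y-%m-%dT%H:%M:%SZ"),  # type: ignore[union-attr]
                })
        else:
            if len(q) >= threshold:
                alerts.append({
                    "type": "success_after_failures", "severity": "high", "ip": ip,
                    "user": ev["user"], "failures": len(q),
                    "at": ts.strftime("%Y-%m-%dT%H:%M:%SZ"),  # type: ignore[union-attr]
                })
            # A success closes the burst; a later burst from this IP re-alerts.
            q.clear()
            burst_alerted.discard(ip)
    return alerts


# Constructed sample log (TEST-NET addresses; not real traffic).
SAMPLE_LOG = """\
2019-01-17T10:00:01Z auth ip=198.51.100.7 user=bob result=OK
2019-01-17T10:00:05Z auth ip=203.0.113.5 user=alice result=FAIL
2019-01-17T10:00:09Z auth ip=203.0.113.5 user=alice result=FAIL
2019-01-17T10:00:14Z auth ip=203.0.113.5 user=alice result=FAIL
this line is not an auth record and is skipped
2019-01-17T10:00:20Z auth ip=203.0.113.5 user=alice result=FAIL
2019-01-17T10:00:27Z auth ip=203.0.113.5 user=alice result=FAIL
2019-01-17T10:00:33Z auth ip=203.0.113.5 user=alice result=FAIL
2019-01-17T10:00:40Z auth ip=203.0.113.5 user=alice result=OK
2019-01-17T10:30:00Z auth ip=203.0.113.5 user=alice result=FAIL
"""


def run_sample() -> List[Dict[str, object]]:
    """Run the detector over the constructed sample log."""
    return detect_auth_anomalies(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The sliding window keeps memory bounded per source and means a slow trickle of failures never trips the rule, so the threshold and window are the two knobs to tune against your own baseline before wiring the alerts into whatever pages the on-call person.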