Security is now part of procurement checklists within companies (especially large ones) when buying a software solution.
What security commitment can be given to them? How can a software security process be promoted?
Achieving a certification is a must to show the level of cyber security of a software company. There are plenty of standards: ISO 27001 (for information security management), PCI-DSS (for payment data security), and so on. Each one is more or less appropriate to a specific industry or a specific geographical area.
Starting a certification process is quite a heavy and long-term project. It is also worth noting that the impact on your products can be important. If there is no compulsory security certification for running a business in your industry (unlike the payment industry), starting such a process depends on your company’s maturity: it is recommended for mature companies rather than startups.
Furthermore, reaching partial compliance with a standard can be a viable alternative to full compliance. This is a compromise that gives value to security efforts, even if it does not result in certification. Security professionals (like Vaadata) can assist you in that kind of process.
2) Making use of security audit results
Conducting a security audit such as penetration testing is generally a first security step for startups and digital SMBs.
Pentesting (penetration testing) is a great solution to test the security of a web platform in real conditions. Vulnerabilities are identified by "ethical hackers" (security experts) and then remediated. This service is turnkey and easy to set up.
The deliverable of such services is a security audit report, containing a detailed description of all tests performed, identified vulnerabilities and related remediation solutions. This document is highly confidential but can be partly shared with some clients once security flaws have been fixed (for instance by sharing the executive summary).
When the initial security audit is followed by a remediation check phase, another deliverable is provided to attest that the security vulnerabilities have been fixed. This remediation check report is not highly confidential, especially the security audit certificate (which can be delivered if the pentest has been performed by a third party; this aspect is important to some clients, as it gives more credibility to the audit).
So there are different ways to promote a security process in order to achieve business goals. Please note that this article is not exhaustive on the topic. In any case, marketing purposes are key drivers for increasing the security of information systems, especially software solutions.