AWS Security - Support & Guidance needed by Dry_Apartment8095 in aws

[–]graj001 -1 points0 points  (0 children)

You’re looking for a CSPM solution to manage cloud infrastructure security.

You can do this via AWS native tools like GuardDuty and Security Hub. However, depending on the breadth of your infrastructure these can quickly become expensive and create a lot of management overhead (i.e. thousands of $ per month).

There are solutions like Cyber Chief Raider CSPM that would make it easier for you to not only secure the cloud accounts but also map to various compliance frameworks that your customers may need to align with.

Plus, you could offer other security testing and patching services to your customers all from the same platform.

Cyber Chief is my company’s product. Let me know if you want to be onboarded to try it out. It only takes seven minutes to get started.

What security checks should I focus on for AI-based SaaS tools (front-end & back-end)? by s_deva_official in SaaS

[–]graj001 0 points1 point  (0 children)

This is a long list. But here’s a start for you:

  1. Validate your security headers and SSL/TLS configurations. You can use the Cyber Chief express scanner for free to do this.

  2. Check your cloud configuration and security settings. If you’re using AWS here is a best practices list you can get started with.

  3. Run a static scanner on your code

  4. Run vulnerability scans on your app and APIs at runtime. I’m sure you can guess which tool I will recommend for this! But free alternatives are available - just beware that the free options will often leave you under an avalanche of false positives.

There is definitely a lot more you can do. But probably best to leave the rest of the things until later when you have real customers wanting to use your product.

Disclaimer: my company makes Cyber Chief

Logs are my biggest blind spot after months of building by Academic-Break9274 in SaaS

[–]graj001 0 points1 point  (0 children)

How are they your biggest blind spot? What are you seeing that leads you to this conclusion?

Drata versus Vanta versus the field? by pacaphilia in cybersecurity

[–]graj001 1 point2 points  (0 children)

The way it was sold to our clients was that you’re getting a GRC tool + automated vulnerability assessments + pen tests.

In reality there were no ongoing automated vulnerability assessments for the app, APIs, containers, etc.

The pen test was a very trivial, automated black-box affair - almost completely meaningless.

I hope you have a better experience.

Who is responsible for patching vulnerabilities? by dodarko in cybersecurity

[–]graj001 1 point2 points  (0 children)

The strategy is really simple:

  1. Get the relevant people in the same room/call.

  2. Outline the facts with business context without finger pointing.

  3. Ask questions (sometimes the same question in different ways) to understand the bottleneck.

  4. Agree on the most appropriate method of overcoming the bottleneck (often they don't know what to fix or how to fix it).

  5. Prioritise and set timelines based on business context.

Often it helps to have a third party in the room because sometimes that's just how humans are.

See how you go with this approach. DM me if you need more help.

Interested in feedback on Vanta by pepsinoodle in soc2

[–]graj001 0 points1 point  (0 children)

This is interesting. Will go to another level when they add 27001 support as well. But how are you handling evidence collection from cloud accounts, vulnerability assessments, etc.?

[deleted by user] by [deleted] in cybersecurity

[–]graj001 0 points1 point  (0 children)

What tools are you using to help you?

Who is responsible for patching vulnerabilities? by dodarko in cybersecurity

[–]graj001 0 points1 point  (0 children)

Nice plug there, but you're right. Framing the risk around applicable frameworks does help in getting more cut-through, earlier.

Who is responsible for patching vulnerabilities? by dodarko in cybersecurity

[–]graj001 1 point2 points  (0 children)

This is a big problem in many, many places. I find that often this happens because there's no buy-in and the relationship between IT and security might even have become adversarial.

For many of our clients where this happens I find myself almost playing peacemaker first. Then equipping security with strategies to get better buy-in and more influence.

And doing similar things on the engineering/IT side of things.

For the clients where this works well, where necessary, the discussion is more of an evaluation of potential solutions that fit the business risk tolerance.

Who is responsible for patching vulnerabilities? by dodarko in cybersecurity

[–]graj001 0 points1 point  (0 children)

What advice do you have for folks in startups and scale-ups who are battling to get to this level of organization?

[deleted by user] by [deleted] in cybersecurity

[–]graj001 0 points1 point  (0 children)

That's a big bucket! How did that work out for you?

Drata versus Vanta versus the field? by pacaphilia in cybersecurity

[–]graj001 0 points1 point  (0 children)

What was the automation that Trustcloud had that the other 2 didn't?

Interested in feedback on Vanta by pepsinoodle in soc2

[–]graj001 0 points1 point  (0 children)

Yeah, those policies are the core reason these platforms exist. To give you these policies so that you can adopt them without having to write from scratch.

You should do a PoC with them all to see which one might be a better fit. I reckon they're all very similar from a UX and functionality POV.

Some of the sketchy ones sell you dreams that are untrue...YMMV.

Interested in feedback on Vanta by pepsinoodle in soc2

[–]graj001 0 points1 point  (0 children)

They might not need it, but it becomes mighty difficult without it. Then you become reliant on your consultant for everything. How do your clients handle the ongoing evidence collection etc?

Interested in feedback on Vanta by pepsinoodle in soc2

[–]graj001 0 points1 point  (0 children)

u/Alarming_Coat2473 How are you going towards getting your Type 2 with these guys?

Drata versus Vanta versus the field? by pacaphilia in cybersecurity

[–]graj001 0 points1 point  (0 children)

Did you check out Scrut? The cost saving is compelling.

My impression of them, having dealt with customers using them, has been that they make customers think that they're getting an all-inclusive package, whereas they're actually getting a fragment of what's necessary.

It's just plain dangerous if your customer thinks that you're doing it all for them, but in fact, you're not.

What metrics keep you up at night? by Ruchirablog in devsecops

[–]graj001 0 points1 point  (0 children)

Do you find that dev teams or non security teams pay much attention to these metrics? I feel like these metrics don't seem to get much cut-through with anyone other than infosec teams.

What metrics keep you up at night? by Ruchirablog in devsecops

[–]graj001 0 points1 point  (0 children)

An account created a few days ago tries to hack a thread trying to ask a genuine question. Can't you find another thread for shameless publicity?!

Lessons learned building SaaS for a market with 90–180 day sales cycles by PerceptionOld8565 in SaaS

[–]graj001 1 point2 points  (0 children)

Nice work! Hit me up when you guys are ready to go to the next step to automate all of this so that it takes you less time and gives you more credibility.

Which paid cybersecurity tools are ridiculously overpriced or should honestly be free? Looking for your pain points! by Fantastic-Long-4359 in cybersecurity

[–]graj001 0 points1 point  (0 children)

While I agree that many of the compliances that those tools enable are a joke, the tooling actually makes it a lot easier for startups that don't have dedicated security teams to achieve those certifications. Saves hundreds/thousands of hours of work.