Modern software has multiple dependencies. If a company builds software, chances are they use a mix of 3rd party software libraries and other off-the-shelf products to build a solution. Information technology departments depend on both homegrown software and commercial off-the-shelf (COTS) products to run their business. Examples of 3rd party tools and services include cloud hosting, network proxies, monitoring tools, database management systems, payment processors, communication platforms, support bots, product usage analytics, and troubleshooting tools just to name a few. Once a 3rd party product is tied to a company, the 3rd party risk becomes part of the organization’s risk.
As a company matures its security program, the source of security concerns shifts toward 3rd party vendors. Consequently, organizations must perform some type of due diligence to ensure that third-party companies secure the adopted solutions. The industry adopted independent audits based on standardized and widely accepted methodologies, such as the System and Organization Controls (SOC), to solve this problem at scale. While SOC provides answers to many questions, the report is only as good as the auditors’ ability to examine the environment and communicate their findings in the document. Furthermore, the information is handled as unstructured data (usually a PDF report) and only presents an opinion at a point in time. The process to share the report with all interested parties is usually very manual: a report is requested via email and somehow delivered to the requester, often as a non-watermarked copy that is insecurely transmitted via email.
SafeBase is a SaaS solution that provides organizations with an off-the-shelf portal to share the company’s security posture and automate access to sensitive documents. It provides small and medium businesses with a full-featured, internet-facing security and compliance portal of the kind that is often only seen in large companies with a mature information security initiative. SafeBase’s “self-serve” access allows organizations to gather information about a vendor’s security program quickly. This includes audit reports, security certifications, results from automated scoring tools, whitepapers, security policies, and a plethora of other information grouped into tiles. Because these tiles are common to all companies using the SafeBase platform, it’s possible to gather the data in a semi-structured format using APIs. The result is a mix of information that could be seen as a vendor’s “security resume” or “security nutrition facts”. Auditors can gather information quickly and securely by creating an account in the portal, signing an NDA that is automatically sent to requesters, and securely downloading watermarked PDF copies of reports or certifications such as SOC, ISO, PCI, TRUSTe, and many more.
Portal usage and metrics are also part of SafeBase. The product’s dashboard includes data on portal views, documents downloaded, access requests, and information about visitors. Besides the ability to manage requests, SafeBase also provides mechanisms to keep customers informed about the latest news related to security. For example, if a critical vulnerability related to a widely-used open source component is disclosed, the SafeBase portal can be used to publish a security advisory. If a new PCI report is available, portal administrators can broadcast email messages to all subscribers to inform them about the new document.
As a security practitioner, I found myself responding to the same questions, asked in different ways, multiple times in custom security questionnaires. SafeBase has a knowledge base feature that imports the answers from previously completed questionnaires and indexes the data, making it easy to search. New team members and non-security employees are then empowered to confidently answer questions by leveraging complete and accurate answers from the repository. The knowledge base not only indexes content from previously uploaded questionnaires but also automatically syncs information from the status page. The more you feed the portal, the more data becomes available in the knowledge base.
SafeBase is not a replacement for SOC reports and does not compete with security scoring companies like SecurityScorecard. The product is a portal where all these documents and much more can be packaged and made available to customers, prospects, and auditors. As a vendor, the implementation of SafeBase helped us in our journey to be more transparent about our security controls and processes, reduce sales cycles, and keep customers informed.
Cassio Goldschmidt is the Chief Information Security Officer at ServiceTitan, the leader in field service management software. Cassio is an award-winning technology executive, venture capital advisor, investor, MBA mentor, speaker, and long-time contributor to the security community.