Ask HN: How to Prepare for SAAS Customer Sec Review-Pen Test+Policies We Need?
2 points by ecmrthon 3180 days ago
Could really use some advice on this. Work for an enterprise SAAS startup (very small team) and one of our first prospective customers has asked us to meet with their security team. I’m wondering:

1) What documents/policies do I need to have in place for this meeting? I’ve been reviewing the Vendor Security Alliance Questionnaire—does anyone have some sample responses to these (to give us an idea of the “correct” responses)? Is there some GitHub repo with a list of documents (sample Information Security Policies, sample data retention policies, etc.)?

2) We haven’t done any third party pen testing. Should we do this before the meeting or wait and see if the customer requires this? We are running a simple Heroku site so they handle our server setup. If we want to be proactive, what testing should we do? How expensive should this be for a simple web application? Time required? Tools/protocols to suggest? Any firms you could recommend?

3) Is it worth trying to be ISO 27001 compliant or having a SOC 1 done? We don’t handle any financial data; just business data that they want to keep private. Thanks all.