
SOC 2 Type 2 report Vulnerability/code scan reports

I asked this on the Revelation forum website, and I thought I'd ask here as well. Has anyone had to respond to something like this?

A potential customer just asked for the following information. Does anyone have any idea how to respond to this? The OI application will be installed on a server on their property. Thanks in advance for any advice.

Please let me know if you can address these:
1. SOC 2 Type 2 report
2. Vulnerability/code scan reports

Comments

  • Not specifically for SOC 2 Type 2, but in general we have had cyber security questionnaires from many clients. In my opinion, the most important thing to find out is which of these security controls applies to your product, since they are self-hosting it. In many cases, the client will throw out a security control plan because it is their policy, or their cyber security team requires it, but since they are hosting the product, a good portion of that plan applies to their own network and not your product. For example, firewall configurations are often a security item, but that normally does not apply to software. Finding out exactly what applies to your product is key to being able to answer these questions correctly.

    Regarding vulnerability and code scans, we have had those done against our public-facing websites, but I do not recall anyone running them against an OpenInsight product. I am sure a basic scan can be done, but I am not aware of any industry-standard code scans for OpenInsight.

    All that being said, I would highly recommend that you get someone who is an expert in this field so they can assist you in making sure your application is secure and follows all of the required security controls.
  • Very interesting, thanks for spending the time to respond.

    The more I think about this, I think the IT guy who is asking these questions is thinking this is going to be something we are hosting for them, which is not the case.