Enabling Sales Teams To Close Deals Faster by Demonstrating Attestation for Secure Data Tracking, Security and Management With 3rd Parties

The team at Riscosity has been helping enterprises, mid-market companies and small to medium businesses find an easy, achievable, and effective path to certifying whether the building blocks of their revenue-generating software are kosher or not. The question to answer is whether there is an impartial way to find out in real-time whether the components of a piece of software pose a risk to the revenue stream of the business? This is exactly what the SafeChain™ Certification enables Riscosity’s customers to do.

Advantages of the Certification

The certification process helps Riscosity’s customers to demonstrate the highest level of assurance, akin to SLSA level 4, for their entire software supply chain from a 3rd party exposure perspective. The certification program ensures that companies can provide to their prospective clients an independently verifiable certificate that demonstrates that the potential client will not get compromised as a result of buying the customer’s software.

Why is this required?

If we look back at 2021, the famous Solarwinds attack caused immense heartache for untold numbers of companies worldwide. The reason why the tsunami of a single vendor getting compromised and in turn becoming the launch point for more compromises at well-known major businesses highlighted the fact that has been public knowledge for many years. The software supply chain has no easy way to prove safety.

Sophisticated and security-conscious Fortune 10,000 enterprises and government agencies have now as part of their pre-purchase due diligence started asking vendors to prove that they will not be put in the same boat, should a compromise similar to the one at Solarwinds happened at the said vendor. Essentially enterprises are looking to understand the risk of doing business with 3rd parties.

Issues with current certification programs

One way to quantify simply the risk of doing business with various 3rd party services is by asking for security questionnaires and standard certification documents like SOC2, ISO 27001, FedRAMP, and more. There is a problem with this approach though. Most certification of this sort is:

  1. Focused on processes, and policy validation and are a static picture of the organization’s health. What is a good example of this? As part of SOC2 (and other paradigms), it is encouraged for businesses to compile a list of 3rd party vendors with whom the company is collaborating. The intent here is good, but, the execution falls flat on its face. Consider the case where you might be able to compile an accurate list of vendors with whom you are exchanging data, this is a point in time exercise. What happens 2 months down the line when a certain product team makes an improvement, features addition, launches a new version, and uses a different or a new vendor inside the existing or new product. How does the SOC2 report stay up to date with this information?
  2. Not focused on dependency metrics that actually impact the risk to the organization. What is a good example of this? As part of SOC2 and other compliance standards, we are asked to provide evidence and attest to the ability to identify, report, remedy vulnerabilities in software. Noble as the goal is here, simply checking CVEs for vulnerabilities and having a process that pays lip service to remediation is what happens at most organizations. Not because of the lack of drive, but because of practical issues. Ever heard of “We can’t update the software for our product because we don’t know what else will break”? This is a clear case of not having dependencies mapped out between products.
  3. Not focused on addressing data flow analysis. What is a good example of this? As part of guidelines like GDPR, HIPAA, CPRA/CCPA we have to keep records on data processors and have processes in place where sensitive customer PII, PHI is not being insecurely transferred to a 3rd party processor. Once again, this is an important point to execute on, but where it misses the mark is in highlighting a mechanism that actually allows for collaboration between parties based on the amount of risk. In many AWS deployments, it can be seen that HTTPS transactions get terminated at the ELB, load balancers. Traffic inside the VPC can be pure HTTP, unencrypted. Does this mean things are bad, we are in violation – no. A risk-based approach that combines, what data, who is it being given to, the boundary scope all plays into the picture.

We will agree that for most of the compliance guidelines the goal has always been to provide guidance, in the most general manner so that the people implementing controls have the freedom to choose products and processes that they feel are appropriate. This is where we break from tradition. We believe that while some amount of flexibility is an absolute necessity, there needs to be much more structure and guidance around these paradigms that help people understand how well are they tracking with a particular guideline scope.

SafeChain(TM) Certification program that provides an attestation certificate

It is with this thought process in mind that Riscosity is launching the SafeChain(TM) Certification program that provides an attestation certificate. This certificate can show the building blocks of the software powering the service that a customer is about to purchase. This enables a potential client to check off all necessary pre-purchase due diligence in minutes instead of weeks. The various certification levels progress upwards based upon the amount of security guidance implemented by the certified party. Average timelines to obtain Level 1 certification can be as less as 1 calendar week and for Level 3 can range from 30-60 calendar days.

Furthermore, a very important aspect of this certification is independent attestation. A client of Riscosity who is certified at a specific attestation level may simply point the incoming potential customer to their independently verifiable certificate hosted on the Riscosity DNS, and interact with a security concierge to ask questions about the certification process, warrantees, and more – of course with explicit permission from Riscosity’s client. This security concierge service reduces the amount of interaction needed to satisfy pre-purchase due diligence questions and helps the potential prospect get comfort around the fact that buying the client’s software is not going to cause a Solarwinds incident for themselves.

Free of charge for Riscosity customers

There is no charge for the certification process for Riscosity customers, and non-customers may also get certified for a small fee. If you may be interested in demonstrating to your customers that you have a tight process around managing your third-party risk management program, please feel free to contact us and we will be happy to share the details of the certification process with you.