02. So is cyber risk.
60% of breaches involve a known vulnerability for which a patch was available but had not been applied.
Ransomware operators keep returning to the same "favorite" CVEs, exploiting them long after fixes are published.
Cyber insurers are looking at vulnerability management practices when setting rates.
Customers are subjecting their vendors to enhanced security due diligence.
03. You need a plan.
What do we fix and when?
What do we disclose, and to whom?
What are the right tradeoffs to make?
How do we communicate internally and externally?
These are all common questions...
...that too often get sorted out in the middle of an emergency.
Beyond reducing your risk of a breach, a comprehensive vulnerability management program will save you enormous amounts of time, pain, and confusion. But it only does so if it is in place ahead of time.
Sound like you?
Are you a software company with $50 million ARR or less?
Are you selling to enterprise customers with heavy duty security needs?
Have the beginnings of a security team that is getting crushed by customers' intense due diligence?
Overwhelmed by thousands of "high and critical" vulnerabilities and don't know where to start?
I've built security programs at companies ranging from a venture-backed startup to a publicly-traded enterprise vendor with $1B in revenue, so I know both sides of the problem. And I've already accelerated security programs for many software entrepreneurs.
Let me build your program
$4,975 / month for 3 months
Tame the vulnerability madness in 90 days with:
Custom policies / procedures
Financial risk analysis
Security status page
Questionnaire completion
Training and tabletop exercise
Private Slack channel
Weekly strategy meeting
Discounted advisory retainer
Early StackAware app access
Premium technical support
How do you do it?
Onboard: outline business objectives and identify key internal/external stakeholders.
Gather information: review existing documentation, interview (live or written) key stakeholders, and conduct business impact analysis.
Refine/develop processes: customize policies based on maturity, regulatory requirements, and business goals. Launch security status page.
Train: conduct stakeholder education sessions, test via tabletop exercise, and onboard to StackAware platform.
Maintain: transition to advisory capacity or assist in vetting full-time hire.
What do I get?
| Deliverable | What you get |
| --- | --- |
| Customized policies and procedures | Concise and actionable written policies and playbooks for vulnerability management, scanning, release criteria, and disclosure. Development includes identification of areas for automation (can be a follow-on service). |
| Financial risk analysis | Using the Factor Analysis of Information Risk (FAIR) method, we design and implement a methodology for you to measure vulnerability risk in business terms (expected loss in dollars per year). The Common Vulnerability Scoring System (CVSS) rates technical severity, not business risk; using it alone for prioritization buries your team in "critical" findings that may pose little actual risk. Let me show you another way. |
| Security status page | Be proactive in communicating with prospects and customers by setting up a publicly-facing security center. |
| Questionnaire completion | Let me deal with the headache of security questionnaires by completing them on your behalf, based on the information gathered while building your security status page. |
| Training and tabletop exercise | Get all of your stakeholders trained on your policies and procedures. Record it for re-use. Then drill your team in a tabletop exercise to make sure the plan holds up. |
| Private Slack channel | Get 24-hour turnaround on your written questions. |
| Weekly strategy meeting | A 30-minute session to address questions, make course corrections, and align on next steps along the way. |
| Discounted advisory retainer | Keep your program going strong through a reduced subscription rate for StackAware's Vulnerability-Management-Advisor-as-a-Service (VMAaaS) offering. |
| Early StackAware app access | Systematize and automate your vulnerability management program even more effectively using the StackAware platform to measure and communicate about risk. |
| Premium technical support | Get white-glove treatment as you roll out StackAware to your company and security team. |
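To make the FAIR-versus-CVSS point concrete, here is an added illustration (not code from this page and not StackAware's own methodology): a minimal FAIR-style estimate of annualized loss expectancy (ALE) as threat event frequency x probability of success x loss magnitude, with each input given as a (min, most likely, max) range and propagated by Monte Carlo. The three vulnerabilities and every number in them are constructed for the example, not real CVEs or real estimates; triangular distributions stand in for the PERT curves most FAIR tooling uses.

```python
"""FAIR-style vulnerability prioritization versus CVSS ranking (added example)."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class VulnScenario:
    """One vulnerability described in FAIR terms.

    Each (min, most_likely, max) triple is a calibrated estimate that the business
    and security owners would supply; the numbers below are constructed for the example.
    """
    name: str
    cvss: float
    tef: tuple   # threat event frequency: attack attempts per year
    vuln: tuple  # vulnerability: probability an attempt succeeds (0..1)
    loss: tuple  # loss magnitude per successful attack, in USD


def point_estimate_ale(v: VulnScenario) -> float:
    """Most-likely annualized loss expectancy: TEF x vulnerability x loss magnitude."""
    return v.tef[1] * v.vuln[1] * v.loss[1]


def simulate_ale(v: VulnScenario, trials: int = 20_000, seed: int = 1) -> float:
    """Mean ALE over Monte Carlo draws, so estimate ranges (not single guesses) drive the result.

    random.triangular(low, high, mode) replaces the PERT/BetaPERT distributions used in
    FAIR tooling to keep this example dependency-free.
    """
    rng = random.Random(seed)
    total = 0.0
    for _ in range(trials):
        tef = rng.triangular(v.tef[0], v.tef[2], v.tef[1])
        vuln = rng.triangular(v.vuln[0], v.vuln[2], v.vuln[1])
        loss = rng.triangular(v.loss[0], v.loss[2], v.loss[1])
        total += tef * vuln * loss
    return total / trials


def rank_by_cvss(scenarios) -> list:
    """Severity-first ordering: what a raw scanner export would tell you to fix first."""
    return [s.name for s in sorted(scenarios, key=lambda s: s.cvss, reverse=True)]


def rank_by_ale(scenarios) -> list:
    """Risk-first ordering: expected annual loss, highest first."""
    return [s.name for s in sorted(scenarios, key=simulate_ale, reverse=True)]


# Constructed, hypothetical scenarios (not real CVEs, not real customer data).
SCENARIOS = [
    VulnScenario("RCE in isolated internal build server", 9.8,
                 tef=(0.1, 0.5, 2.0), vuln=(0.2, 0.5, 0.8), loss=(5_000, 25_000, 100_000)),
    VulnScenario("Auth bypass in internet-facing payment API", 7.5,
                 tef=(5.0, 20.0, 60.0), vuln=(0.3, 0.6, 0.9), loss=(50_000, 400_000, 2_000_000)),
    VulnScenario("XSS in admin dashboard", 6.1,
                 tef=(1.0, 4.0, 12.0), vuln=(0.1, 0.3, 0.6), loss=(2_000, 15_000, 80_000)),
]

if __name__ == "__main__":
    print("By CVSS:", rank_by_cvss(SCENARIOS))
    print("By ALE: ", rank_by_ale(SCENARIOS))
    for s in SCENARIOS:
        print(f"{s.name}: CVSS {s.cvss}, point ALE ${point_estimate_ale(s):,.0f}, "
              f"simulated ALE ${simulate_ale(s):,.0f}")
```

The ordering inverts: the CVSS 9.8 remote code execution on a box nobody can reach from the internet lands last by expected loss, while the CVSS 7.5 flaw on the payment path dominates, because exposure (threat event frequency) and business impact are inputs to the risk figure rather than afterthoughts. The point estimate is what you would put in a one-line business case; the simulated mean is what you would defend to an insurer or auditor who asks about the uncertainty in your numbers.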
What do you need from me?
- Accountable business leader.
- Designated security advisor (cannot be the same person as the business leader).
- Customer-facing point(s) of contact (can be the same person as either of the previous two).
- Completed questionnaire or a 60-minute interview with all of the above.
- Asset inventory (not required, but preferred).
- Access to vulnerability scanning and other security tool outputs.
- Company email address for the duration of the engagement (to configure the security status page).
Frequently asked questions
Scope of services
Question: Does your vulnerability management service cover evaluating the risk from third-party code, either commercial or open source?
Answer: Yes. StackAware helps you manage vulnerabilities throughout your digital dependencies, and can assist in vetting vendors, evaluating open source code, and similar tasks.
Question: We are a software product company that delivers software partially or exclusively for customers to run in their own environments (i.e. not as-a-Service). Do you have experience with these situations?
Answer: Yes. We have experience at multiple companies that have offered both customer-managed (e.g. on-premises) and vendor-managed (e.g. SaaS) products, and know how to handle both models.
Question: Are you a penetration testing or scanning company?
Answer: No. We do not scan for vulnerabilities in your network. We help you prioritize the findings you already have and mature your processes and procedures for handling them.
Question: Will you patch or fix vulnerabilities for us?
Answer: No. We are not an IT service provider but rather a specialized vulnerability management and prioritization firm.
Question: We think we have been hacked. Do you do incident response or forensics?
Answer: No. StackAware is focused entirely on preventing cybersecurity incidents. We do not manage incident response or post-breach investigations. We do, however, have referral partners whom we can recommend.
Preparing for an engagement
Question: Why do I need to designate a business leader who is accountable for the organization's security? Shouldn't that be a security person?
Answer: While security might be everyone's responsibility, at the end of the day only one person should be accountable for it. Making sure that the leader with holistic responsibility for your business, and for all the risks it faces, is the one who makes risk management decisions is key to an effective and coherent security program.
Question: Why do I need to designate a single security advisor in our contract? Isn't that you?
Answer: StackAware enables your security program to succeed by applying organizational as well as technical best practices. Having a single, full-time individual responsible for giving security advice and implementing business decisions is the best way to set you up for success. If we do our job right and your business scales, eventually you won't need our consulting services anymore. Grooming a leader to take over when that happens is the best way to prepare for it.
Question: Do I need to have an asset inventory in place to build an effective risk-based vulnerability management program?
Answer: Ideally, yes. Since determining risk in financial terms requires understanding the impact of exploiting a given vulnerability, we need to understand the assets in your network and their relative business value to you.
Question: What if my organization doesn't have a complete asset inventory?
Answer: We can still work with you and will use the information you do have to the best of our ability. With that said, the resulting business impact analysis will be far less granular than it would be with an accurate inventory.
Question: Will you conduct an asset inventory for us?
Answer: No. Conducting an asset inventory is an ongoing, IT-centric process that we are not equipped to manage. We can recommend what to do but cannot run the process ourselves.
About StackAware
Question: Is StackAware a product or a services company?
Answer: Both. As part of our strategy for building a market-leading software supply chain risk platform, StackAware is offering services to firms seeking to improve their vulnerability and third-party risk management efforts.
© StackAware. All rights reserved.