Vulnerability Reports

• Publish the point of contact for security reports on your website

• Respond to security reports within a reasonable time frame

• MVSP 1.1

• ISO 27001 A.12.6.1

• SOC2 CC7.1

Customer Testing

• On request, enable your customers or their delegates to test the security of your application

• Test on a non-production environment if it closely resembles the production environment in functionality

• Ensure non-production environments do not contain production data

• MVSP 1.2

• ISO 27001 A.12.6.1

• SOC2 CC7.1

External Testing

Contract a security vendor to perform annual, comprehensive penetration tests on your systems

• MVSP 1.4

• ISO 27001 A.12.6.1

• SOC2 CC7.1

Training

Implement role-specific security training for your personnel that is relevant to their business function

• MVSP 1.5

• ISO 27001 A.7.2.2

• SOC2 CC2.2

Compliance

• Comply with all industry security standards relevant to your business such as PCI DSS, HITRUST, ISO27001, and SSAE 18

• Comply with local laws and regulations in jurisdictions applicable to your company and your customers, such as GDPR, Binding Corporate Rules, and Standard Contractual Clauses

• MVSP 1.6

• ISO 27001

• SOC2

• Deepfence ThreatMapper

• Steampipe Compliance Mods

Incident Management

• Notify your customers about a breach without undue delay, no later than 72 hours upon discovery

• Include the following information in the notification:

  • Relevant point of contact

  • Preliminary technical analysis of the breach

  • Remediation plan with reasonable timelines

• MVSP 1.7

• ISO 27001 A.16.1

• SOC2 CC7.3

Single Sign-On

Implement single sign-on using modern and industry standard protocols

• MVSP 2.1

• ISO 27001 A.9.4.2

• SOC2 CC6.1

• BoxyHQ SAML Jackson

Access Control

• Implement strict access control in your application guarding resources as needed

• Allow easy provisioning and de-provisioning of users

• ISO 27001 A.9.1.1, A.9.2.1

• SOC2 CC6.1

• Aserto

• BoxyHQ Directory Sync

• Casbin

• Cerbos

• Keto

• Oso

HTTPS-Only

• Redirect traffic from HTTP protocol (port 80) to HTTPS (port 443)

• Produce a clear scan using a widely adopted TLS scanning tool

• Include the Strict-Transport-Security header on all pages with the includeSubdomains directive

• MVSP 2.2

• ISO 27001 A.10.1.1

• SOC2 CC6.7

• Steampipe Net Plugin

• testssl.sh

Dependency Patching

Apply security patches with a severity score of "medium" or higher, or ensure equivalent mitigations are available for all components of the application stack within one month of the patch release

• MVSP 2.6

• ISO 27001 A.12.6.1

• SOC2 CC7.1

• OWASP Dependency Check

• OWASP Dependency Track

Logging

Keep logs of:

• Users logging in and out

• Read, write, delete operations on application and system users and objects

• Security settings changes (including disabling logging)

• Application owner access to customer data (access transparency)

Logs must include user ID, IP address, valid timestamp, type of action performed, and object of this action. Logs must be stored for at least 30 days, and should not contain sensitive data or payloads.

• MVSP 2.7

• ISO 27001 A.12.4.1

• SOC2 CC7.2

• BoxyHQ Audit Logs

• ELK Stack

• FluentD

• Steampipe

Backup and Disaster Recovery

• Securely back up all data to a different location than where the application is running

• Maintain and periodically test disaster recovery plans

• Periodically test backup restoration

• MVSP 2.8

• ISO 27001 A.17.1

• SOC2 A1.3

Encryption

Use available means of encryption to protect sensitive data in transit between systems and at rest in online data storages and backups

• MVSP 2.9

• ISO 27001 A.10.1

• SOC2 CC6.1

• GDPR

• HIPAA

• BoxyHQ Privacy Vault (coming soon)

List of Sensitive Data

Maintain a list of sensitive data types that the application is expected to process

• MVSP 3.1

• ISO 27001 A.10.1

• SOC2 CC6.1

• GDPR

• HIPAA

• BoxyHQ Privacy Vault (coming soon)

• Bearer

Data Flow Diagram

Maintain an up-to-date diagram indicating how sensitive data reaches your systems and where it ends up being stored

• MVSP 3.2

• ISO 27001 A.10.1

• SOC2 CC6.1

• GDPR

• HIPAA

• BoxyHQ Privacy Vault (coming soon)

Vulnerability Prevention

Train your developers and implement development guidelines to prevent at least the following vulnerabilities:

• Authorization bypass

• Insecure session ID

• Injections

• Cross-site scripting

• Cross-site request forgery

• Use of vulnerable libraries

• MVSP 3.3

• ISO 27001 A.12.6.1

• SOC2 CC7.1

• OWASP Top Ten

• OWASP Zap

• Steampipe Net Insights mod

• Wapiti Scanner

• Bearer

Infrastructure and Cloud Security

Perform audits, continuous monitoring, hardening and forensics readiness for your infrastructure and cloud assets.

• ISO 27001 A.12.6.1

• SOC2 CC7.1

• AirIAM

• Cloudsploit

• Deepfence ThreatMapper

• Kubesec Kubernetes security

• Prowler for AWS

• Steampipe Compliance & Security mods

• Trivy container scanner

Data Leakage Prevention

Protect secrets from leaking into code, logs and unwanted systems.

• ISO 27001 A.12.6.1

• SOC2 CC7.1

• GitGuardian

• Gitleaks

• Steampipe Code Plugin

• Bearer

Zero Trust Principles

Keep data encrypted from end-to-end and have no listening ports for malware/ransomeware to spread etc.

• NIST Special Publication 800-207

• OpenZiti (numerous SDKs)