
Ask HN: Security audit or certification for enterprise sales? - ralph1884
We've recently been going through the sales process with a mid-sized enterprise. We're in the final stages, but they've got a bit scared about dealing with a startup and are requesting a security audit or accreditation. We primarily deal with SMBs, so this is the first time we've been asked for this.

Has anyone had any experience with this kind of request as a startup and how have you dealt with it? Should I just send them the results of our 3rd party PCI compliance scans? Is there a cheap certification we can do?
======
CiPHPerCoder
> Should I just send them the results of our 3rd party PCI compliance scans?

You could ask, "We are routinely audited for PCI-DSS compliance. Would you
prefer to see the results of our latest compliance audit?" This may be
acceptable, and the only way to know is to ask.

If that's not satisfactory, try to negotiate with them to cover or split the
cost of a comprehensive third party audit that meets their requirements.

If they require FIPS 140-2 compliance, see your doctor for blood pressure
medication first.

> Is there a cheap certification we can do?

Security isn't cheap, unless you compare security to the cost of a data
breach, in which case it's a hell of a bargain.

If they're Enterprise, they're probably more willing to cut a check for
$X0,000 than accept the risk of losing millions in disaster recovery.

Whatever you do, don't go for the cheap options, if for no other reason than,
if anyone on the client's side is security-savvy, they'll figure it out
quickly and that might turn them off completely.

Whatever you do, don't pay for the audit out of pocket.

(Disclaimer: I do source code audits for Paragon Initiative Enterprises. We
tend to focus on web-based and desktop software.)

