

Ask HN: Rate my startup - Simple security risk assessment - rakkhi

The problem
The security professional: I need to do a security risk assessment to comply with policy or regulation (e.g. FFIEC). The organization has no risk assessment methodology and I am going to get buried in Excel.
The pen tester: I need to explain the business impact of the technical vulnerabilities I have found.
The cloud vendor: I need to pass a customer security review to get their business.
The small business: I need a risk assessment process to comply with PCI-DSS, which includes an annual process: “12.1.2 identifies threats, and vulnerabilities, and results in a formal risk assessment”.

How are customers solving the problem today?
The security professional: Write a new methodology based on OCTAVE, OWASP, ISO27005 etc. Develop a complicated set of spreadsheets.
The pen tester: Use a simple high, medium, low risk rating or let the customer security department explain the risk to the business.
The cloud vendor: Complete a spreadsheet and provide the same information in so many slightly different forms for every customer. 
The small business: hire a contractor or consultant.

How are the current solutions deficient?
The security professional: Re-inventing the wheel in every company. Spreadsheets are hard to manage, have no version control and are hard to collaborate on. Current security risk assessment tools are difficult to use and tailored for operational or enterprise risk rather than security risk.
The pen tester: Not actually rating the risk to the business, passes the buck to the internal security team and reduces the chance of getting more business.
The cloud vendor: Takes time and manpower, treated as a compliance exercise, does not convince the customer their risks are mitigated and therefore loses the business.
The small business: expensive.

Can you provide a solution to this problem that is a ‘need to have’ vs a nice to have?
The security professional: Software as a service, no need to re-invent a methodology, easy to use, share and report on.
The pen tester: Simple web- or mobile-based way to turn technical security vulnerabilities into business risks. Enables focus on core competency (breaking things) while speaking the business language and winning more work.
The cloud vendor: Assess the risks once. Easily adjust for each customer. Shows the customer how their risks are mitigated rather than filling in a compliance list. Saves time and money.
The small business: Simple process that can cut down consulting costs, eventually eliminating them, while still meeting the regulatory requirement.

Application in beta: link in first comment

Would really appreciate any thoughts and feedback
======
rakkhi
Link: <http://www.simplesecurityra.com>

