Ask HN: Is there a need for simple security risk assessment tool? - rakkhi

I have been working on a small startup, a simple security risk assessment application, mainly to scratch my own itch, and am looking to get some feedback from the Hacker News community.

What I think the problem is with current security risk assessment tools for the following audiences:

- The security professional: Requires re-inventing the wheel in every company to define the security risk assessment process. Spreadsheets are the primary tool of choice, but they are hard to manage, have no version control and are hard to collaborate on. Enterprise applications such as Archer, where they exist, are difficult to use and tailored for operational or enterprise risk rather than security risk. It is difficult to get business or IT users to perform risk assessments because they are hard to work through and require a lot of text input and domain expertise. This increases the time that security professionals need to spend on risk assessments and increases the number of security resources focused on this activity, which is usually mandatory for regulation or by policy.

- The pen tester: Usually reports have technical vulnerability ratings without actually rating the risk to the business, partially because pen test organizations do not have a simple tool to put their findings more in a risk context. This passes the buck to the internal security team and reduces the chance of getting more business.

- The cloud vendor: Usually involves completing a giant spreadsheet on controls for each and every client. This takes time and manpower, it is treated as a compliance exercise, does not convince the customer their risks are mitigated and therefore loses the business.

- The small business: Does not understand how to do a risk assessment that is required to comply with regulation such as PCI-DSS. Therefore they either end up hiring expensive contractors or consultants.

The application is still in beta: http://www.simplesecurityra.com You can either use one of your own accounts (Google, Twitter, OpenID etc.) or this demo Google account: buyer@simplesecurityra.com password: buyersimplesecra

I am trying to differentiate the application on:

- Simplicity, e.g. compared to something like Archer, which when I have used it in the past has been too big and complicated for security risk assessments. It has taken a whole team to set up and manage and 6 months of training to use. My application should provide the benefits of being able to quickly perform a risk assessment using industry standard methodologies without being difficult to set up.

- Ease of use: it has minimal text input required and a slider based system, so non-security people should be able to use it. This enables security risk assessments to be pushed out to the business and IT with less time from security experts being required. It should also make it easier for small businesses to comply with regulation that requires risk assessments without hiring expensive consultants. It should guide a user through the process without consultants to classify and input the majority of the information and "intelligence". The control and vulnerability libraries are also built in so they can be easily selected.

- Ease of sharing, collaboration and reporting over using a spreadsheet: spreadsheets are the most common way I have seen security risk assessments performed. However, they need to be set up initially, are hard to manage, and have version control and sharing issues. Companies I have worked at have not been willing to invest in a web application with a database that eliminates the need for spreadsheets. This app means they do not have to; it is accessible over the internet and on a mobile browser but still provides the flexibility of being able to customise and add attackers and vulnerabilities, and change the scoring easily.

I am mainly targeting the financial services industry, as they have regulations such as those from the FFIEC in the US which require risk assessments to be performed. Also small businesses who need to comply with risk assessment requirements in PCI-DSS, small penetration testing companies that need a simple way to risk assess their technical findings, and cloud vendors that need an efficient way to present a risk assessment to their prospective clients.

My questions for the Hacker News community are:

- Do the problems I have described really exist?

- Does my application succeed in solving them, or what could be improved?

- Would those 4 target audiences I describe above pay on a monthly basis for an application like this? Why or why not?

- Are there any technical problems with how I have implemented the risk assessment process within the application that could be improved?

This is to shape whether I put more time and money into developing this application or move on to something else. Thanks in advance.
======
rakkhi
Clickable link: <http://www.simplesecurityra.com>