
I'm the other cofounder. That's something we're working to alleviate concerns for - we've added hackersafe and verisign (and truste's on the roadmap) so the data is secure and the session is encrypted. It's definitely something we want our users to be comfortable with, and something we're working on.



You probably want to be careful about how you word "we've added HackerSafe" to corporate customers. I will say the following things:

* "Off-the-shelf" scanner-based certifications are not held in uniformly high esteem by companies with IT security groups.

* HackerSafe just won the Pwnie award at Black Hat for "Lamest Vendor Response".

* Talking about how you have a security SDLC, code reviews, and secure architecture will offer much bigger warm fuzzies to customers.

Also, avoid blanket statements like "so the data is secure". Marketing 101. If you're going to invite objections, make sure they're objections you want to deal with, not ones where you'll eventually have to concede.


My bad, forgot I was talking to the hacker news crowd. The point I was trying to make is that we understand that it's a trust issue, and we're taking the steps we need to get that trust.


People buy into Hackersafe for many reasons, including the fact that a Hackersafe badge and customer link will boost your Google pagerank (this was the case last year, but Google is always improving).

Also the little green badge does slightly improve conversion rates for marginal and otherwise unknown ecommerce sites.

So Hackersafe can be some good marketing, even if it's rather a joke from the standpoint of what they check for (if you fail their scan, you really fail; passing tells you little).


Right. But my actual concern was not that a middleman is snooping, but the concern of giving the data to ididwork.com. It's not that data is not secure, but I think companies might be just simply paranoid (for no reason maybe). A hosted solution within their control might be one of the solutions. Again, might be people are ok with that and it's just my thought.


I think this is something that can be solved with trust and good customer service. Too many times people look to the technological solution because that's what they know. But people give sensitive information out all the time. If they trust you and know who you are and know you've got their back, they'll be more than willing to work with you.


"A hosted solution within their control"

Having the customer host a complex web application is likely going to be less secure than a hosted solution.

Consider the customer has to manage the code, applications that support the code (mysql, apache), manage the web server, and manage the physical security of the web server.

Your data is safer hosted.


Absolutely, and corporations will never in a million years understand that, and they're willing to pay ten to twenty times as much for a "secure" internally-installed app (when you include the price of hardware, consultants, etc.)


All you really need is a way for companies to pay you and get a contractual obligation for privacy.



