Our team has been crushing it on our https://securityprogram.io platform. We’re building neat features, and our customers are getting a lot out of it. I’m hoping we can release some of the case studies we’re working on soon! This post describes some of the recent advances in the tool.

User Auditing

An important part of security is tracking who has access to what and making sure it reflects the correct assignment of duties. Often a person leaves a company and their access is never revoked. A user audit ensures that situations like this are detected and remediated.

It is possible to do user auditing by hand, but it can be a pain. You have to know how to get to the reports from each different system, and you have to remember to do it every month.

In SPIO, we now make this easy for GitHub and AWS, with Google Apps and Azure/O365 support on the way. Here’s how it works:

  1. You provide a way for us to read your directory (we encrypt all credentials with customer-specific keys)
  2. We read it monthly and present you with a screen to approve
  3. We provide both a complete view and a diff view to make the review easier
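To make the three steps concrete, here is an added example (not SPIO's own code) of the snapshot-and-diff logic behind an AWS user audit. It reduces a document shaped like the `UserDetailList` returned by `aws iam get-account-authorization-details` to, per user, their groups, directly attached managed policies and inline policies, then diffs this month's snapshot against last month's. Both snapshots below are constructed sample data, not output from a real account; the function and field names are this example's own.

```python
"""Monthly IAM user-audit snapshot and diff (added example, not SPIO code).

Snapshot shape assumed: the UserDetailList entries produced by
`aws iam get-account-authorization-details`. The two documents below are
constructed samples, not real account output.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample: last month's approved state.
LAST_MONTH = {"UserDetailList": [
    {"UserName": "alice", "GroupList": ["Developers"],
     "AttachedManagedPolicies": [{"PolicyName": "ReadOnlyAccess",
                                  "PolicyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}],
     "UserPolicyList": []},
    {"UserName": "bob", "GroupList": ["Developers", "Ops"],
     "AttachedManagedPolicies": [],
     "UserPolicyList": [{"PolicyName": "bob-s3-deploy",
                         "PolicyDocument": {"Version": "2012-10-17", "Statement": [
                             {"Effect": "Allow", "Action": "s3:PutObject",
                              "Resource": "arn:aws:s3:::example-deploy-bucket/*"}]}}]},
    {"UserName": "carol", "GroupList": ["Finance"],
     "AttachedManagedPolicies": [], "UserPolicyList": []},
]}

# Constructed sample: this month. bob's inline policy was swapped for a directly
# attached AdministratorAccess, and a new user dave appeared with IAMFullAccess.
# carol is unchanged; if she has left, only the complete view will surface that,
# which is why the reviewer approves the whole list and not just the diff.
THIS_MONTH = {"UserDetailList": [
    LAST_MONTH["UserDetailList"][0],
    {"UserName": "bob", "GroupList": ["Developers", "Ops"],
     "AttachedManagedPolicies": [{"PolicyName": "AdministratorAccess",
                                  "PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}],
     "UserPolicyList": []},
    LAST_MONTH["UserDetailList"][2],
    {"UserName": "dave", "GroupList": [],
     "AttachedManagedPolicies": [{"PolicyName": "IAMFullAccess",
                                  "PolicyArn": "arn:aws:iam::aws:policy/IAMFullAccess"}],
     "UserPolicyList": []},
]}


@dataclass(frozen=True)
class UserAccess:
    """What directly grants a user privileges: groups, managed policies
    attached to the user (by ARN) and inline policies on the user (by name)."""
    groups: frozenset[str]
    managed_policies: frozenset[str]
    inline_policies: frozenset[str]


def snapshot_from_authorization_details(details: dict) -> dict[str, UserAccess]:
    """Reduce an authorization-details document to {user_name: UserAccess}."""
    snapshot: dict[str, UserAccess] = {}
    for user in details.get("UserDetailList", []):
        snapshot[user["UserName"]] = UserAccess(
            groups=frozenset(user.get("GroupList", [])),
            managed_policies=frozenset(p["PolicyArn"] for p in user.get("AttachedManagedPolicies", [])),
            inline_policies=frozenset(p["PolicyName"] for p in user.get("UserPolicyList", [])),
        )
    return snapshot


def diff_snapshots(previous: dict[str, UserAccess], current: dict[str, UserAccess]) -> dict:
    """Return added/removed user names and, per changed user and field,
    a (granted, revoked) pair of sorted lists. Unchanged users are omitted,
    which is what keeps the monthly diff view short enough to actually read."""
    added = sorted(set(current) - set(previous))
    removed = sorted(set(previous) - set(current))
    changed: dict[str, dict[str, tuple[list[str], list[str]]]] = {}
    for name in sorted(set(previous) & set(current)):
        before, after = previous[name], current[name]
        fields = {}
        for attr in ("groups", "managed_policies", "inline_policies"):
            old, new = getattr(before, attr), getattr(after, attr)
            if old != new:
                fields[attr] = (sorted(new - old), sorted(old - new))
        if fields:
            changed[name] = fields
    return {"added": added, "removed": removed, "changed": changed}


def render_complete_view(snapshot: dict[str, UserAccess]) -> list[str]:
    """One line per user: everything the reviewer must confirm is still warranted."""
    return [f"{name}: groups={sorted(a.groups)} managed={sorted(a.managed_policies)} "
            f"inline={sorted(a.inline_policies)}" for name, a in sorted(snapshot.items())]


def render_diff_view(diff: dict) -> list[str]:
    """Unified-diff style lines: '+' for access granted, '-' for access revoked."""
    lines = [f"+ user added: {n}" for n in diff["added"]]
    lines += [f"- user removed: {n}" for n in diff["removed"]]
    for name, fields in diff["changed"].items():
        for attr, (granted, revoked) in fields.items():
            lines += [f"+ {name} {attr}: {item}" for item in granted]
            lines += [f"- {name} {attr}: {item}" for item in revoked]
    return lines


if __name__ == "__main__":
    prev = snapshot_from_authorization_details(LAST_MONTH)
    curr = snapshot_from_authorization_details(THIS_MONTH)
    print("\n".join(render_complete_view(curr)))
    print("--- changes since last audit ---")
    print("\n".join(render_diff_view(diff_snapshots(prev, curr))))
```

The diff view flags the two things a reviewer most needs to notice here, a new user with IAM write access and a direct `AdministratorAccess` attachment, while the complete view remains the place to catch accounts that should have been removed but changed nothing since last month.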

Here is an example from AWS, where you can see for each user what groups they are in and what policies (both managed and inline) are directly attached to them.

[Screenshot: AWS user audit]

The process is to review the access levels and confirm that everyone has the right level of privileges. By unifying the UI for this across the most common platforms, we make it much easier to do this important security program task!

[Screenshot: GitHub user audit]

This shows how you see differences and how the interface is consistent between the systems you are auditing.

Here you can see what it looks like when the auditing is up to date.

[Screenshot: user audit status]

Friendliness - Tours, Articles and Help

Friendliness is a core value at Jemurai.

Although we (mostly) understand what we’re thinking with securityprogram.io, we realize that it contains a lot of new ideas and industry jargon for users who aren’t well versed in security - which is our target audience!

So we added product tours for things like the Risk Register and the Vendor Tracker. What is it? How do you use it? What do the fields mean?

We also added articles for deeper context. Articles provide background, such as "Why is this important?"

We also added in-app support via Intercom. This allows users to ask for help and get it in near real time while they are in the application!

Task Tagging

SPIO captures the important tasks you need to do to build a security program. Within the tool, we tag tasks and let you filter your views by these tags, so you can zero in on the tasks you most want to see. For example, filter on "simple program" to get the 20 things we think should be part of every simple program. Alternatively, search for "cis 20:" or even "cis 20: control 13" to see only the tasks covering the specific standards, areas, or controls you care about.

We expect to add more detailed mapping to NIST CSF, FERPA and other standards to make reviewing tasks in context really easy.

Training

In addition to the core Security Awareness Training and Policy-related training that we already had, we released training for:

  • Introduction to the OWASP Top 10
  • Threat Modeling
  • Privacy and Data Handling

Did I mention that the training is built right into the platform and can be tracked right on the dashboard?

A Look Ahead

The things we’re working on now include:

  • User Audit for Google Apps and Azure
  • Maturity model
  • Tagging for NIST CSF and FERPA

We’d love to hear from you about what you think we should do next!

Matt Konda

Matt is a software engineer. He's our CEO and a former OWASP Board Member and Chair.
