Raves

Bravo for Brivo!

Posted by Ray Bernard on March 15, 2011

My hat's off to Brivo Systems (www.brivo.com) for being the first hosted service company (to my knowledge) to pay serious attention to the secure engineering of their hosted service offerings. By the fall of 2009, Brivo had received both the SAS 70 Type I and II certifications. These are based upon the standards established by the American Institute of Certified Public Accountants (AICPA), which assures customers that a service provider's controls and processes provide reasonable assurances of service levels and data security.

Brivo's SAS 70 audit was performed by the SC&H Group, LLC of Sparks, MD. This sure beats the "we have smart people in our company and that's why our product is secure" type of line that's common from some manufacturers at trade shows.

For some good insight on cloud-based services, check out Brivo's blog. It contains some serious food for thought, including the article "Do You Trust Your Cloud" by Brivo's Executive Vice President, Business Development, John Szczygiel.

More Power to PlaSec!

Posted by Ray Bernard on March 15, 2011

PlaSec (www.plasecinc.com) has a long-standing engagement with Veracode (www.veracode.com), a market-leading IT company that tests the security of Independent Software Vendor (ISV) applications. PlaSec has achieved the VerAfied rating, which means that none of the OWASP Top 10 or CWE/SANS Top 25 vulnerabilities were found in the software.

“Customers are demanding independent proof that the software they are purchasing is secure,” said Matt Moynahan, CEO of Veracode. “Given the rapidly growing threat posed by insecure software, PlaSec has established a leadership position in the market by demonstrating the security quality of their solution through Veracode's SecurityReview® service. Customers have a choice when making software purchasing decisions and achieving the VerAfied security mark provides a unique differentiator for PlaSec and shows their deep commitment to responding to an increasingly important customer concern.”

PlaSec has taken other smart engineering steps as well, meaning that utilizing the Veracode service is only part of the full attention PlaSec is giving to application and system security.