Compliance Scorecard makes Secure by Design Pledge
At Compliance Scorecard, security is embedded into every stage of our development lifecycle. Drawing on nearly two decades of experience creating web-based SaaS applications for the federal government, we prioritize Secure by Design principles to ensure that MSPs and SMBs are protected against emerging threats. Here’s how we align with key CISA Secure by Design goals:
Principle 1:
We Take Care of Our Part of Customer Security
Multi-Factor Authentication
- Goal: Increase the use of MFA across our platform within one year.
- Our Commitment: MFA has been mandatory for all Compliance Scorecard users since its inception. We enable MFA by default, ensuring that both users and administrators configure this crucial layer of security. We also support standards-based single sign-on integration with identity providers to enhance security with minimal friction.
- Progress Measurement: We regularly review statistics on MFA adoption across different user types and highlight where phishing-resistant MFA is used. Our efforts to increase MFA enrollment ensure a stronger defense against password-based attacks.
Principle 2:
We Commit to Transparency and Accountability
Vulnerability Disclosure Policy
- Goal: Publish a vulnerability disclosure policy (VDP) within one year.
- Our Commitment: We are finalizing a transparent vulnerability disclosure policy that welcomes good-faith vulnerability reports from security researchers. This policy ensures the VDP provides a clear path for disclosure in line with best practices.
- Progress Measurement: We will publish our VDP and update it as necessary, documenting lessons learned and improvements based on research findings.
Principle 3:
Our Leadership Team Commits to Direct Oversight
Security Initiatives Led from the Top
- Goal: Ensure that leadership is directly accountable for the security of our platform.
- Our Commitment: Our CEO takes direct responsibility for overseeing the security posture of Compliance Scorecard. This includes leading strategic security initiatives, driving adoption of Secure by Design practices, and aligning with CISA and industry best practices. Security will be integrated into our processes at every level, from product development to customer support, ensuring a top-down commitment to safeguarding client data.
- Progress Measurement: We will publish quarterly updates from our leadership team, highlighting security initiatives, progress on Secure by Design goals, and key metrics like vulnerability reduction and patch deployment. In addition, we will track and report security-related milestones achieved under direct oversight from the CEO, ensuring transparency and leadership accountability.
Principle 4:
We Care About Your Your Passwords
Avoiding Default Passwords
- Goal: Reduce the use of default passwords across our product lines.
- Our Commitment: We have eliminated the use of default passwords. Instead, we require strong, unique passwords for each user upon installation, following CISA’s guidance.
- Progress Measurement: We track updates on the number of customers transitioned from default passwords to secure authentication mechanisms, ensuring that no product shipped with exploitable defaults.
Principle 5:
We Commit to Transparency
Reducing Classes of Vulnerability
- Goal: Measurably reduce the prevalence of specific classes of vulnerabilities.
- Our Commitment: Compliance Scorecard consistently applies secure coding practices, including parameterized queries to prevent SQL injection and frameworks to block cross-site scripting.
- Progress Measurement: We will maintain an internal list detailing our progress in reducing vulnerabilities, alongside an analysis of the root causes and trends in our vulnerability reports (CVEs).
Principle 6:
We Commit to Patch Management
Simplifying Security Updates
- Goal: Increase customer awareness of security patches within one year.
- Our Commitment: We provide ongoing reviews and updates for security patches in our SaaS offerings, relieving customers from the burden of manually patching their environments.
- Progress Measurement: We track statistics on CVEs, highlighting improvements and areas where further reduction in risk is needed.
“By signing the Cybersecurity and Infrastructure Security Agency (CISA) SecureBy Design Pledge we reaffirm our commitment to ensuring the security of our customers is a fundamental business priority; safeguarding the digital landscape for MSPs and their clients.”
Tim Golden, CEO, Compliance Scorecard
Discover the SaaS Governance Platform designed for MSPs.
Compliance Scorecard simplifies policy management for MSPs.