Security & Trust
You should trust us
CyberSystem has been designed and implemented by cybersecurity professionals who also happen to be SaaS web application security experts. We understand web application security and we understand the choices and trade-offs made by SaaS consumers, and the compliance requirements faced by your customers.
CyberSystem is brand new, but it has been designed from the ground up to have security and privacy baked in (a significant "shift left"). It is not practical to provide a functional SaaS solution implemented with zero trust, where all of your data is encrypted before it leaves your user agent, where the back-end of the system just stores entropy, and no-one but you has access to your data. That's the right design for password managers and secure cloud file storage, amongst other things, but it significantly limits core capabilities of a SaaS solution, particularly in relation to collaboration between customers of the solution. CyberSystem is therefore not zero-trust, except where you choose to encrypt your files before uploading them to the system (something we encourage within the app, although we don't enforce it). You therefore rely on our policies, procedures, practices, and controls to enforce the security and privacy of any (non-encrypted) data you provide to the system, and we completely understand and respect this. Indeed, the system and the organisation are designed around respecting that.
Frameworks and certifications
It is normal to perform security and privacy assessments of SaaS solutions before subscribing and sharing data with those systems, and increasingly common to look for frameworks, attestations or certifications as independent verification of a SaaS service's security and privacy posture and credentials. It isn't feasible to attain any of these before launching a SaaS solution, and so we don't have any of those to show just yet. However, we recognise their value and are on the path to SOC 2 Type I and then Type II. As security professionals we designed and operate CyberSystem and the broader business to be consistent with, and quickly able to meet, the appropriate trust services criteria and associated controls, and we in fact eat our own dog food, using CyberSystem to confirm our posture and readiness. There will be more to follow on this subject as we progress.
Penetration testing
Yes, we were penetration tested by web application security experts before launch, against the OWASP ASVS standard, and all vulnerabilities were confirmed to have been remediated and all hardening recommendations addressed. We are very aware that it is impossible to ever find 100% of all vulnerabilities and weaknesses, and a new application is under more or less constant development, so we pursue a much more aggressive penetration testing programme than most new SaaS solutions, even those offering cybersecurity related services.
Bug bounty and responsible disclosure
We are soon to commission a bug bounty programme to encourage and reward crowd-sourced vulnerability discovery and responsible reporting. We understand that this is an important addition to commercial penetration testing, which is performed periodically and, however frequent, is not continuous. We respectfully ask that if you discover a vulnerability or weakness outside of a bug bounty programme, you please contact us directly at [email protected] to share that information privately. Finally, we emphasise that customers of the platform are not permitted to attack the platform, so please don't do that - we do not engage with beg bounty prospectors.