We wrote this for CTOs since prior to hiring a dedicated security engineer, security responsibilities in a company often fall to the CTO. But really, any more technical person in a company with some ownership or interest in security can leverage this.
- Including an overall alert status red/yellow/green.
- Critical issues rise to the top somehow for the team's attention.
- Mechanisms and best practices for reporting security issues.
- A knowledge base linking to relevant articles on each topic.
- A button must be pressed to say that backups have been tested, failing to do so raises alert level.
- Team members jointly contribute ratings out of 10 for the company's security practice in each checklist item.
- Team discussions/actions/priorities.
- Register your company's tech stack with the service and it sweeps the net for security reports about stuff that you use.
- Integrate ansible to gather information about the versions of the software you are using and issue dashboard alerts when stuff in your software stack is vulnerable to attack.
- $5,000/month
- database lives on client site
etc etc
Don't know why I give these ideas away for free. Maybe I'll get onto building it!
I did - early beta. Based on my experience as CISO for SaaS as well as running a security engineering team at a Fortune 5 company, performing Tier 1 PCI DSS, NESA, scans, etc. https://joinsecurekit.com/
Then gamify it so that all the technical people in the team can each give their independent rating of how the company performs on each checklist item.
Then give each checklist item an owner and assign action items, status and follow-up discussion.
The outcome of that is something the CTO would be interested in because it would be a dashboard with accountability.