At Yesware, we’re committed to providing our customers with the best possible services. We strive to make our products not just powerful, understandable and usable — but also secure, robust and manageable.
That’s why we’re proud and honored to share today that Skyhigh Networks has awarded us their highest CloudTrust™ rating of Skyhigh Enterprise-Ready. According to Skyhigh, the services selected for this rating must satisfy the most stringent requirements for data protection, identity verification, service security, business practices, and legal protection. The initial selectees include some of the most trusted business services on the internet — a rather esteemed group.
To earn the trust of demanding enterprise customers, any service must demonstrate a commitment to keeping customer data safe. At Yesware, we make this commitment part of our regular processes: we triage bugs and issues into our agile development rhythm, our code reviews include checks for security flaws, we carefully consider encryption and attack vectors during architectural design, we’re transparent with our customers about how their data is stored and used, and so on.
And we’re constantly looking for new ways to step up our game.
We recently adopted a responsible disclosure policy for security issues. This is quickly becoming a “best practice” for security-minded companies. Basically, it means making a public statement that if someone points out a security issue while following sensible guidelines, then they will be treated with respect and gratitude. It’s sort of a formal way of saying, “hey whitehats, we’re cool if you are.”
Our policy asks that anyone who finds a security issue in our products should please let us know privately, and without exploiting the issue in a way that would cause harm. In return, we respond promptly and courteously, and we thank those who’ve helped us on our acknowledgements page.
Responsible disclosure policies have been appearing all over the web, on many of the biggest sites and most serious of services such as Facebook, Salesforce.com, PayPal, Zendesk, and others. Many of these have acknowledgements pages with long lists of contributors, and there are even multiple services popping up to help companies run their security issue reporting programs.
So far, we’ve had more than a dozen people contact us with issues. Some of them were simple mistakes, others were complex bugs with very specific triggers; some were good practices that we didn’t apply widely enough, or emergent browser features we weren’t taking advantage of; a few were false positives. All of them were instructive, as they were found using the same techniques and tools that real attackers, bent on stealing data and causing mayhem, also use. And every one was an issue that we could examine, research and fix with the benefits of time and deliberation — while not scrambling to defend — and with no damage done.
When we passed Salesforce.com’s App Exchange security review some time back, we felt pretty good that we’d built a product that could meet the approval of Salesforce’s very capable security professional. But security isn’t a one-time thing, and it isn’t a checkbox feature. As our customer base grows and our product matures, we will continue to seek out better ways to keep our customers’ data secure. We’ve worked hard to earn your trust, and we plan to keep at it. That kind of ongoing diligence is the only way to really be enterprise-ready.