Security Statement

We have a client that is a major German manufacturer, and they are conducting an IT security audit on us at the moment.

We've just had notification that we've failed the audit.

One of the failing points is:

  • Has the cloud service supplier provided assurance documentation? (E.g. SSAE-16 / ISAE 3402, SOC 2, 3, CSA STAR Self Assessment, Attestation, Certification, ISO 27001)

Even if you don't hold the certification they are asking for, it would be really helpful if you could elaborate on your approach to security to reassure them that their data is safe in your infrastructure.

Of course I can describe all the things I do in the application, but I'm unable to reassure them about the underlying infrastructure.

Hopefully

Peter

We don't have any specific documentation like that, though this page describing AWS's security documentation will probably be helpful.

Regarding our own security: each PythonAnywhere account runs all of its code inside a virtualized sandbox, using code based on Linux containers -- essentially the same foundation as Docker, but a different implementation. This stops different accounts from accessing files and data belonging to other people. For account security, we provide two-factor auth and other security mechanisms. And we also have a bug bounty program, which helps us keep the service safe by incentivising security researchers to report any issues to us.

We are applying for CyberEssentials Plus and have some additional requirements that we need to report on:

  • Do you have CyberEssentials Plus yourselves?
  • Are auto updates in place for patches etc?
  • How do you ensure all high risk or critical security updates are applied within 14 days of notification?

Thanks for your help

No, we do not have CyberEssentials Plus. We do not apply patches automatically. We keep an eye on CVE lists and decide which have a possibility of being an issue and then apply the ones that are necessary.
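The reply above describes a manual patch process: watch CVE lists, decide which advisories actually affect the installed software, and apply the ones that are necessary. The script below is an added example (not PythonAnywhere's code or tooling) showing what that triage looks like when written down against the 14-day window the question quotes. The advisory list, the CVE identifiers (placeholders), the package inventory and the "today" date are all constructed; real use would read the inventory from the package manager and the advisories from a vendor or NVD feed.

```python
"""Triage constructed CVE advisories against an installed-package inventory.

Added example, not PythonAnywhere's code. It models the process described
in the thread: read advisories, keep only the ones that affect software that
is actually installed, and schedule them against a 14-day deadline counted
from the notification date. All data below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# The "within 14 days of notification" requirement quoted in the question.
PATCH_WINDOW_DAYS = 14


@dataclass(frozen=True)
class Advisory:
    cve_id: str      # placeholder identifier, constructed for this example
    package: str     # package name as it appears in the inventory
    fixed_in: str    # first version that contains the fix
    severity: str    # "low" / "medium" / "high" / "critical"
    published: date  # notification date; this starts the patch clock


def parse_version(version: str) -> tuple:
    """Turn a purely numeric dotted version such as '1.18.0' into an int tuple.

    Assumes numeric dotted versions only; distro epochs and suffixes like
    '-1ubuntu2' would need a proper version-comparison library.
    """
    return tuple(int(part) for part in version.split("."))


def affected(adv: Advisory, installed: dict) -> bool:
    """True if the package is installed at a version older than the fix."""
    if adv.package not in installed:
        return False
    return parse_version(installed[adv.package]) < parse_version(adv.fixed_in)


def triage(advisories, installed: dict, today: date) -> list:
    """Return actionable advisories with their deadlines, earliest deadline first.

    Actionable means severity high or critical AND the vulnerable version is
    installed. Low/medium advisories and advisories for software that is not
    present are dropped, which is the "decide which have a possibility of
    being an issue" step from the thread.
    """
    actions = []
    for adv in advisories:
        if adv.severity.lower() not in ("high", "critical"):
            continue
        if not affected(adv, installed):
            continue
        deadline = adv.published + timedelta(days=PATCH_WINDOW_DAYS)
        actions.append({
            "cve": adv.cve_id,
            "package": adv.package,
            "installed": installed[adv.package],
            "fixed_in": adv.fixed_in,
            "deadline": deadline,
            "overdue": today > deadline,
        })
    return sorted(actions, key=lambda a: a["deadline"])


# Constructed inventory: what is installed, and at which version.
INSTALLED = {"openssl": "1.1.1", "nginx": "1.18.0", "python3": "3.8.10"}

# Constructed advisories covering each branch of the triage logic.
ADVISORIES = [
    Advisory("CVE-XXXX-0001", "openssl", "1.1.2", "critical", date(2024, 3, 1)),   # installed, vulnerable
    Advisory("CVE-XXXX-0002", "nginx", "1.18.0", "high", date(2024, 3, 5)),        # already at fixed version
    Advisory("CVE-XXXX-0003", "python3", "3.8.11", "low", date(2024, 3, 2)),       # below severity threshold
    Advisory("CVE-XXXX-0004", "postgresql", "13.5", "critical", date(2024, 3, 3)), # not installed at all
    Advisory("CVE-XXXX-0005", "python3", "3.8.11", "high", date(2024, 3, 20)),     # installed, vulnerable
]

# Constructed "today" so the run is reproducible.
TODAY = date(2024, 3, 25)


def triage_demo() -> list:
    """Run the triage over the constructed data."""
    return triage(ADVISORIES, INSTALLED, TODAY)


if __name__ == "__main__":
    for action in triage_demo():
        status = "OVERDUE" if action["overdue"] else "due"
        print(f'{action["cve"]}: {action["package"]} {action["installed"]} -> '
              f'{action["fixed_in"]}, {status} {action["deadline"].isoformat()}')
```

With the constructed data, two advisories survive triage: the openssl one, whose 14-day window closed on 2024-03-15 and is therefore overdue, and the python3 one, due 2024-04-03. The two that are filtered out for "not installed" and "already fixed" are exactly the ones a manual reviewer would discard, and recording the decision for every advisory (not just the actionable ones) is what an auditor asking the 14-day question will want to see.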