We're getting drowned by security checklists from clients now.

A lot of them don't make much sense for us, we primarily make a Win32 B2B program hosted by these customers themselves and a lot of the checklists are all about more generic web SaaS things (because we charge like SaaS). But the person on the other end wants all the questions answered regardless.

Seems that as long as you can put a checkmark in a box that you follow various "best practices" and whatnot, actual details don't matter. You put a checkmark in a box, you did your best.




From being on the buying side, it's likely that the person sending you that questionnaire knows a lot of it is irrelevant to your situation, but they're personally reviewing 100 vendors this year (no, seriously) and there aren't enough hours in the week for them to make exceptions for everyone.

Very often the best answer would be like:

> Q: Do you use multi-tenant databases?

> A: N/A: you'll be deploying our product on your own server.

That's actually a perfectly fine answer! The person reading it doesn't have to explain large gaps in the answers to their boss. It documents why this isn't relevant in a way their successor can easily understand next year when they're reviewing those 100 vendors as part of their annual Vendor Management Policy™ process.


You can write whatever you want. Nobody is ever looking at that document again. By the time the annual process rolls around the process has already changed so much that it's now insufficient. The mandate from management will be to "do it right for future vendors, but blanket approve the previously signed agreements"

It's the same thing every time because the actual security is in the details, but details are so fucking boring.


Sometimes it feels like:

"Which controls exist for medical data?"

"Sir, this is a Wendy's™ app."


I get it! I’ve been on both sides of that table many times.

If you see the same questions over and over and over again, consider filling out a SIG LITE questionnaire and offering that to buyers from the start. If you can give them all or most of the info they need in a common format, you might be able to head off a lot of follow-up questions.


FWIW from my own experience with auditors, the process is really kind of superficial. Yes, they can identify the most common checklist-based gaps, and that's what tends to be the low-hanging fruit for attackers as well. But they would never go deep enough to identify something that a determined attacker could exploit.


This is basically what I have experienced.

At my current place, there are developers still using like node 10 and other ancient software, but god forbid you not fill out a checklist.


Yep, it's all about checkmarks now :-)
