How to protect from cyber threats?
Message
To
12/09/2017 18:41:03
General information
Forum:
Technology
Category:
Other
Miscellaneous
Thread ID:
01654244
Message ID:
01654251
Views:
31
>>>>>what kind of security process is there to ensure no cyber threats?
>>>
>>>Dmitry, not sure what services you plan to provide. Will you be hosting customer data? Or is he concerned you might distribute apps carrying virus or other payload? Will you have remote access to his servers or systems?
>>>
>>>I have customers with very strong security concerns, especially after embarrassing and expensive breaches by competitors. I'd advocate a 3 pronged approach:
>>>
>>>1) Apps: do you have a signing certificate? Signing ensures that viruses and other sneaks can't quietly latch onto your work. Windows makes it easy for the customer to validate the signature to ensure that the app hasn't been altered since you compiled it.
>>>2) Infrastructure: internally you have standard firewalling routers with most ports closed, proven paid security software on all machines inside the firewall, and all the standard security measures. Regular scans etc etc. Does he have anything specific that he'd like to see? Otherwise you're sufficiently confident that if he'd like to send a security consultant to overview, you're more than happy to host them.
>>>3) Remote Access: if involved, you do need some sort of policy involving access so that malicious people can't use you as a Trojan Horse into their systems. If they're very concerned, you might suggest use of Gotomeeting sessions where his own staffer gives you control of his screen so you can do your work under supervision. The Gotomeeting sessions are one-offs with no other access into his system. Offer it as an option if there's particular sensitivity, otherwise standard password management for remote access.
>>>
>>>My experience so far is that people want to see that you've thought about these things and have protective policies, rather than que sera sera.
>>
>>First, thank you for your input. I am not hosting the data; everything is on the customer site. I think I will take from your input the items such as
>>-- internally you have standard firewalling routers with most ports closed
>>-- proven paid security software on all machines inside the firewall
>>-- Regular scans etc etc
>>
>>I think the biggest issue that this guy sees is that I am a one-man shop. And I understand him. Others see it too but choose to close their eyes because I am cheap and provide good services. We will see.
>>Thank you.
>
>You've received some good specific advice so far but I'm not sure I'd go that route, I'd be more general. If you're talking with a "Director of Development Security", chances are they're technically astute. I'd avoid offering specific suggestions unless you're able and willing to follow up on them.
>
>Things you can say:
>
>- It's impossible to ensure "no cyber threats". Mr. DDS has to concede that point. He may even be expecting you to know that
>
>- Their environment, and access methods to your app (internal/LAN vs public internet/VPN) must already be demonstrably secured (equipment and people), to a level appropriate to the value and sensitivity of the data and other resources that must be protected. Your app cannot and will not mitigate any existing deficiencies in that environment, unless it's replacing one already known to be insecure
>
>That said, assuming their environment is well-secured, there are a few things they're likely to want to know about your app:
>
>- Does it have built-in security (e.g. SQL Server-based) and/or can it be integrated with Windows authentication in a Windows environment? How granular is the security when managing access to sensitive data?
>
>- Is there any hard-coded backdoor to your system?
>
>- Do you use best practices to mitigate common attacks such as SQL injection?
>
>- How easy is it to back up your data, and can that be automated/enforced?
>
>- Do you expect and support components being updated or patched regularly e.g. SQL Server, support libraries etc?
>
>- Has your app proven reliable for long periods of time and/or under heavy loads? Can you provide references for that?
>
>If he's looking for anything like ISO cyber security standards/compliance I'm guessing you won't be able to offer that ;) If he wants to dive into technical details, you could say that details depend on the exact method of installation and access methods to your app within their environment. You don't know what that's likely to be. In that case he could provide you with an installation proposal, which he and/or someone you hire could evaluate.
>
>Definitely avoid giving promises about any technical details you don't fully understand.

Thank you for your input. I think that he - the guy who asked the question - is mainly concerned with my company's protection from cyber threats, not the product. My product there is their responsibility, as far as the firewall and other security measures go.
"The creative process is nothing but a series of crises." Isaac Bashevis Singer
"My experience is that as soon as people are old enough to know better, they don't know anything at all." Oscar Wilde
"If a nation values anything more than freedom, it will lose its freedom; and the irony of it is that if it is comfort or money that it values more, it will lose that too." W.Somerset Maugham
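One of the questions quoted above is whether the app uses best practices against SQL injection. The following is an added illustration for this thread, not code from any of the participants: it contrasts a lookup built by string concatenation with a parameterized one, and includes a small regression check a developer could keep in a test suite. SQLite (in-memory, with constructed sample rows) stands in for SQL Server; the placeholder syntax differs by driver (`?` here, `@name` for SQL Server clients), but the principle is the same. Function and table names are assumptions made for the example.

```python
import sqlite3

# Constructed sample data for the example; not from any real system.
SAMPLE_ROWS = [
    ("acme", "Acme Ltd", "confidential"),
    ("globex", "Globex Corp", "internal"),
]

# Probe inputs a test suite can use to confirm that user input is never
# interpreted as SQL. The second one is the classic tautology; the third
# checks that a quote in ordinary data does not break the query either.
PROBE_INPUTS = ["acme", "' OR '1'='1", "o'neil"]


def make_db():
    """Create an in-memory SQLite database with the constructed sample table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (code TEXT, name TEXT, tier TEXT)")
    conn.executemany("INSERT INTO customer VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, code):
    """Builds the SQL text by concatenation: the input becomes part of the query.

    Kept here only to show the failure mode; a probe input such as
    "' OR '1'='1" widens the WHERE clause to match every row.
    """
    sql = "SELECT name FROM customer WHERE code = '" + code + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, code):
    """Passes the input as a bound parameter; it can only ever be compared as data."""
    sql = "SELECT name FROM customer WHERE code = ?"
    return [row[0] for row in conn.execute(sql, (code,))]


def expected_names(code):
    """Reference result computed in Python, independent of any SQL text."""
    return [name for c, name, _tier in SAMPLE_ROWS if c == code]


def lookup_is_injection_safe(lookup_fn):
    """Return True if lookup_fn returns exactly the rows whose code equals the
    input for every probe input, i.e. no probe is treated as SQL syntax.
    A lookup that raises on a probe (syntax error from a stray quote) also fails."""
    conn = make_db()
    try:
        for probe in PROBE_INPUTS:
            try:
                got = lookup_fn(conn, probe)
            except sqlite3.Error:
                return False
            if got != expected_names(probe):
                return False
        return True
    finally:
        conn.close()


if __name__ == "__main__":
    for fn in (lookup_vulnerable, lookup_parameterized):
        print(f"{fn.__name__}: injection safe = {lookup_is_injection_safe(fn)}")
```

The check deliberately compares against a result computed outside SQL, so it does not depend on knowing what a specific malformed input does; any discrepancy between "rows whose code equals the input" and what the query returns is a finding.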