SafetyDetectives spoke with Jason H, the CTO and CISO of Varyence, about compliance, cybersecurity, and how companies can keep up with constantly evolving cyberthreats.
Hi Jason, thank you for taking some time for us today. Can you talk about your background and what motivated you to co-found Varyence?
During my years of working with tech startups, I’ve witnessed many founders fail due to a lack of technical leadership, bad development teams, and a failure to focus on crucial business fundamentals. As a technical co-founder, I’ve learned valuable lessons and successfully turned tech ideas into profitable companies.
My passion lies in sharing my experiences and helping non-technical founders avoid the challenges I faced. With over 20 years of IT experience across startups and Fortune 500 companies, I’ve gained expertise in software development, cybersecurity, and cloud infrastructure – all crucial to the success of a tech startup.
As a CTO (Chief Technology Officer) and CISO (Chief Information Security Officer) for many of our customers, I particularly have a passion for helping non-technical founders achieve success with their SaaS startup ideas. My primary objective is to help startups avoid common pitfalls and realize the full potential of their business idea. Recently, I’ve been excited to integrate OpenAI into many of our customer projects, using the power of generative AI to enhance their platforms and deliver more value to their users. It’s been an exciting journey, and I look forward to working with more startups to bring their ideas to life.
What are Varyence’s primary services, and what makes it unique?
At our company, we specialize in assisting non-technical founders of SaaS startups with a range of core services such as custom software development, cloud infrastructure, and cybersecurity solutions.
Our team is primarily based in our Western Ukraine office, but as a US-founded company, we provide a US-style management structure and technical leadership. What sets us apart is our proven track record of helping SaaS startups transform their ideas into successful and profitable companies.
We take pride in going beyond development by also offering an investment fund for startups we are involved in, ranging from $50k to $250k. This way, we help our clients not only with the development of their product but also as investors in their startup.
How does your team ensure that its software development processes are secure and compliant with relevant regulations?
Our company’s Secure Software Development Lifecycle policies, as well as our policies on Security Governance, People Security, Operational Security, Data Security, Application Security, Network Security, Third-Party Vendor Management, and Regulatory Compliance & Privacy are all available on our website.
In accordance with SOC 2 principles and guidelines, we implement robust application security measures to ensure the safety and integrity of our clients’ data. Below are some of the ways we accomplish this.
- Secure Software Development Lifecycle
Standard best practices are used throughout our software development cycle from design to implementation, testing, and deployment. All code is checked into a permanent version-controlled repository. Code changes are always subject to peer review and continuous integration testing to screen for potential security issues. All changes released into production are logged and archived, and alerts are sent to the engineering team automatically. Access to Varyence source code repositories requires strong credentials and two-factor authentication (with number matching).
- Secure By Design
All features are reviewed by a team of senior engineers as soon as they are conceived. Members of the Varyence team have substantial experience working with and building secure technology systems. We plan all functionalities with security in mind to protect the platform against security threats and privacy abuses. We leverage modern browser protections to prevent Cross-Site Scripting (XSS), Clickjacking and other code injection attacks resulting from the execution of malicious content in the trusted web page context.
- Security Testing
Once features are implemented, we perform internal security testing to verify correctness and resilience against attacks. We follow the leading Open Web Application Security Project (OWASP) Testing Guide methodology for our security testing efforts. Discovered vulnerabilities are promptly prioritized and mitigated. In addition, we regularly engage top-tier third-party security companies to independently verify our applications.
What measures do you have in place to protect your client’s sensitive customer data?
Protecting customer data is one of our top priorities at our company. Many of our clients are required to comply with strict regulations such as SOC 2, HIPAA, GDPR, ISO, and SOX, so it’s critical that we operate in a compliant manner. We offer a compliance service to help our customers achieve and maintain compliance with these regulations.
To ensure the security of our operations, we’ve implemented SOC 2 and HIPAA policies and procedures. We provide our Security Policies on our website, covering topics such as Security Governance, People Security, Operational Security, Data Security, Application Security, Network Security, Third-Party Vendor Management, and Regulatory Compliance & Privacy.
At our company, we believe in transparency when it comes to our security practices. We’re committed to helping our customers understand our approach and the steps we take to protect their data.
How can a company stay up-to-date on the latest cybersecurity threats and vulnerabilities?
We suggest our clients subscribe to cybersecurity mailing lists, such as those provided by the Cybersecurity & Infrastructure Security Agency (CISA.GOV), to stay informed about the latest threats and vulnerabilities. In addition, we encourage our clients to use our regular vulnerability scans and penetration testing services to identify potential vulnerabilities and address them before they can be exploited by malicious actors.
Keeping software and systems up-to-date with the latest security patches and updates is also crucial. Many cybersecurity threats and attacks take advantage of known vulnerabilities that could have been prevented with timely updates. We implement mobile device management cybersecurity services to prepare our customers for compliance audits and to help protect their laptops and mobile phones from phishing attempts, viruses, malware, and other threats.
Furthermore, we recommend that organizations provide regular security awareness training to their employees to help them recognize and respond to potential threats. This includes phishing simulations, password hygiene best practices, and other security awareness topics. We offer security awareness training as part of our implementations for customers preparing for compliance audits.
By being informed and proactive, organizations can minimize the risk of falling victim to cyber-attacks and protect their sensitive data and assets.
What are the biggest cybersecurity threats facing small and medium-sized businesses?
According to the FBI Internet Crime Report, and based upon our cybersecurity experience, email phishing attacks are the most common type of cybercrime. The good news is there are preventive measures that can be implemented to protect your business data and users. For example, we recommend implementing Safe Link services to protect users from clicking on malicious links and mobile device management security to protect against viruses and malware. In addition, employee security awareness training can help users identify and respond to potential threats, including phishing attacks. By taking these proactive measures, you can minimize the risk of cyber-attacks and protect your sensitive data and assets.