October 11, 2024

Vanta’s progress on its pledge to CISA’s Secure by Design Initiative

Written by
Jadee Hanson
CISO
Jeremy Epling
Chief Product Officer

Vanta’s mission is to secure the internet and protect consumer data. Following the launch of the U.S. Cybersecurity and Infrastructure Security Agency (CISA)’s Secure by Design pledge on May 8, 2024, Vanta continues to reinforce our commitment to our mission daily as one of the first organizations to adopt CISA’s Secure by Design pledge. 

This pledge simplifies the implementation of best security practices for software companies—raising the bar for protecting customer data. It also encourages companies to demonstrate their progress in meeting each of the seven goals outlined in the pledge.

As a security company, we’re constantly working to enhance our own security posture. We commit to providing regular updates on our status and commitments for each of the seven pillars of the Secure by Design framework. We welcome constructive feedback on how we’re meeting these pillars and look forward to sharing our updates throughout the year ahead.

Our commitments

Multi-factor authentication (MFA)

Vanta supports SSO for a secure and frictionless login experience, and also gives customers who use our standalone products (e.g. Vendor Risk Management and Trust Centers) the option to set up an SSO configuration independent of an identity provider API integration.

In addition, to reduce the security risks of magic links (for instance, in the event that a user’s email account is compromised), Vanta is working on disabling magic links so that customers have the option to make SSO-enforced MFA the only way to access Vanta.

Default passwords

Vanta does not use default passwords anywhere in our product, and we pledge that we will not introduce default passwords anywhere across our product suite, next year or beyond.

Reducing entire classes of vulnerability

As highlighted at LocoMocoSec 2024 by Colleen Dai, Senior Security Engineer at Vanta, our Security Engineering team is working on creating paved roads for reducing entire classes of vulnerabilities. In addition, over the next year, we commit to working on increasing adoption of these patterns within our codebase.

Security patches 

Vanta’s SaaS application is automatically updated without user intervention. The optional Vanta agent also auto-updates under normal circumstances. In some cases, older agents are unable to automatically update themselves. Vanta pledges to identify out-of-date or unhealthy agents more proactively to let customers know they need to take action to update those agents.

Vulnerability disclosure policy

Vanta commits to our Responsible Disclosure Policy, which provides a clear channel for disclosing and working to resolve potential vulnerabilities. Our Security Engineering team monitors and responds to each report to security@vanta.com, and we commit to responses within one week. 

In addition, we are excited to commit to launching a Bug Bounty Program in the next year, with clear, industry-standard program guidelines for testing by members of the public on Vanta’s products.

CVEs

Within one year, Vanta commits to demonstrating transparency in vulnerability reporting by creating and following a procedural document that outlines the steps our Security Engineering team will take in the event that we uncover a vulnerability that requires us to assign and issue a Common Vulnerabilities and Exposures (CVE) record for any of Vanta’s products.

In addition, we commit to sharing updates on relevant impacts to our security posture in Vanta’s Trust Center to help foster a new standard of proactive and transparent communication for our industry, rather than relying on manual and time-consuming methods in the event of an incident.

Evidence of intrusions 

Our product Event Log feature includes a number of events that may be used for forensic investigations and identifying suspicious behavior. Over the next year, we are planning on adding additional metadata to events and identifying additional security-related events to include in reports. In addition, we are planning on adding the ability to query the Event Log using our REST API, making it easier to ingest that data into a customer’s SIEM tool and set up custom alerts.

The Vanta Security team is also working with our Product Management team to suggest additional information to add to our Event Log schema to make it even more useful, such as adding data attributes like IP addresses, and providing more details on what data was changed for Edit/Update events.

Looking ahead

To learn more, visit Vanta’s Trust Center where you can request access to security documentation, review Vanta’s security controls, and review commonly-asked questions. 

You can also learn more about the Vanta’ns behind the scenes—meet Vanta’s Enterprise Engineering, Security, and Privacy teams and understand how we work toward our security commitments and goals.
