14 Comments

Where to advertise infosec services?

I have an idea for the infosec space to audit open source packages that companies depend on in their software solutions. As a developer myself at a large tech company, we just grab whatever is on npm and add it to our codebase without actually verifying that no one added a backdoor.

I want to sell auditing code services to companies interested in keeping their software backdoor free.

I am thinking about running an ad on Google, reddit, or a tech newsletter to get any biters.

Thoughts?

  1. 3

    hi Kevin,

    I would add: you can't really 'sell to companies'. These are entities, made of people. Different people in companies have different ways of finding, selecting and buying (or influencing the buying) of products.

    I would advise bringing this whole process in a market map.
    Do this for your specific market. (choose one to start in)
    Start as focussed as possible (niche down) to become more interesting for potential interested buyers & users.
    And when that has started to get traction, move to other/wider spaces.

    Don't fall into the trap of marketing to 'everyone', as that way no one will feel addressed.

    You need to have a complete understanding of how your target market:

    • finds: how do they discover new products, and where do they do this?
    • selects: what are the criteria they value? (needs, wishes, turnoffs etc...)
    • influences: who is driving the process?
    • decides: who is making the call? (many times the influencer is not the same as the person who decides)

    I am a firm believer in getting your prospects to know your offering and then helping them buy it, instead of thinking about 'selling' it to them. Most people do not like to be sold to. But they like to discover new great offerings, and when these meet their requirements they are ready to buy or send this information (influence) to the decision maker and lobby for your solution.

    A good start to map out your buyers is:
    https://www.buyerpersona.com/

    And I would advise bringing all your data together in a 'market map' where you can have all these together.
    I am a fan of miro (www.miro.com) to get all your market maps, buyer journey etc... in one 'whiteboard'

    Without thinking in the best detail about the persons you are trying to serve, your results will not be as effective. The better you match their expectations, the more effective you will become.

    1. 3

      Thanks for your tip! Honestly, after doing a bit more research in the space, I'm finding companies really don't care or this isn't a big problem for them. I think I need to close this idea and work on something new.

      Thanks again for your thoughtful answer.

      1. 1

        I've been in the Infosec world at Fortune 100 companies for many years now, and I can say that your assessment is true here: companies don't really care about this space. At least not yet. Caring about open-source software is only something that companies who are very, very mature in the Application Security space (which is not many in the above group) have on their radar.

        To add to this, most Infosec people do not possess strong AppSec knowledge. If you look at the arc of the profession of Infosec, AppSec is a relatively new sub-field and is often approached from a pen-testing/hacking standpoint or as a developer problem that has to be fixed (i.e., we need to teach these devs how to do input sanitization so we can avoid SQL injection attacks, etc.). While both are very important pieces of a comprehensive AppSec program, it's not all of it, and there is little interest in the code itself if it's not throwing out vulnerabilities from the automated code scanning platforms of the world like Black Duck.

        99% of companies stop after they achieve the state above of having a way to "teach" developers, running the occasional pen-test on critical apps, and having app teams submit their code through automated testing tools on some frequency.

        The companies who DO have that AppSec maturity level that goes beyond the 99% and is in lockstep with their development teams have governance controls and typically a whole open-source intake team that treats all open-source code as "hostile code." These teams use some measures of evaluating and determining if they can bring that in through a vetting process.

        Those are the teams/people you would need to sell this to, but it's a really small space. Give it time though, and internal/external audit teams will start picking up on this and caring about it a lot more. That's why the aforementioned teams and companies will start caring more. Like it or not, Infosec at big companies is mostly regulatory and audit driven.

  2. 3

    As someone in engineering leadership it sure feels to me like companies in that space do a massive amount of cold contact to directors, VPs, and CTOs of software companies. My email and LinkedIn inboxes are constantly bombarded by reps from these companies trying to set up a call to tell me why their tool is so much better than the tool my organization has already adopted. I’m not sure what other channels they use but that seems to be a big one.

    1. 1

      these channels are hard to develop :-/

      1. 1

        I think it’s just about volume. I’m pretty sure they just do an advanced LinkedIn search and send a connection request with a template message asking to have a call to “learn more about [company] and some of the challenges you’re facing around [product niche]” to everyone who matches the search.

  3. 2

    A quick web search for tools and services for infosec security audits of open source turns up several dozen options. I would start by making a list of existing tools and their strengths and weaknesses. Use that to identify where there may be opportunities.

  4. 2

    Cyber security, like many other things in a company, is an executive decision; approach companies where the executives are known to take a proactive approach.

    Unfortunately, the main issue with Infosec services is that many companies only start to think about it after a breach, and it's often too late.

    1. 1

      I totally agree with this. How do infosec services companies solve this problem? Is it really just slow growth for identifying and selling to infosec minded CTOs?

      1. 2

        There are two ways to look at this: how do successful infosec companies get their customers, and how do customers which care about cybersecurity reach out to infosec companies?

        Successful infosec startup companies either have government contracts or have their own security products or both.

        Fortune 500 companies employ large multinational BPOs for cybersecurity, which includes, but is not limited to, infrastructure security, app security, etc.

        Since you are thinking about auditing open-source packages, I think you can start out by submitting vulnerability reports directly to maintainers, getting some reputation, and then offering your services to the executives. But the long-term goal should be your own security products (maybe along the lines of auditing itself).

  5. 1

    Where's your audience?

  6. 1

    Most infosec companies that I know in that space use a similar strategy:

    They write blog posts about some of the findings their tools discovered and use said articles as evidence that their solution works.

    It makes it a lot easier to communicate your value proposition.

  7. 1

    Why not follow the companies on Twitter/LinkedIn and try to reach out to them directly? If you have proven the concept, then show the companies your value or better yet, reach out to specific management profiles.

    1. 1

      I do not have a proven concept. :-/ Hence the need to get feedback.
