Canyon Partners with Bishop Fox to Ensure the Security of Sensitive Legal Data

When Canyon needed a thorough third-party assessment to fulfill their Google Partner security requirements, they turned to Bishop Fox to meet an aggressive deadline without sacrificing quality.

As a new business looking to reinvent the way people interact on legal matters, Canyon understands that security — including attorney-client privilege — is a top priority for their users. Their plug-and-play contract management software connects with existing tools and workflows, including Google Drive and Gmail, and centralizes legal data in a single location to enable multiple teams to seamlessly collaborate on business-critical projects. Given the sensitivity of the data they manage and the collaborative nature of their LegalOps platform, they needed to ensure that their systems provide enterprise-class security.

With these goals in mind, Canyon wanted more than a check-box assessment when it came to validating their security posture and fulfilling the security requirements for Google’s partner program. However, with Google’s deadline fast approaching, they needed a security provider that could deliver a thorough assessment in under a month.

Having never worked with a third party on this type of security assessment, the Canyon team worried that the experience would be slow and cumbersome – so they sought an agile partner that could deliver an efficient engagement and provide them with guidance throughout the process. After speaking with several Google-approved providers, they selected Bishop Fox for their security assessment.

“Bishop Fox was the most empathetic when it came to our context and need for speed, while offering a compelling package.”
– Adrien van den Branden, Co-founder and CEO, Canyon

Canyon engaged Bishop Fox to assess the security of their application, external perimeter, and Amazon Web Services (AWS) cloud environment, and review Canyon’s responses to Google’s required Self-assessment Questionnaire (SAQ).

Specifically, Bishop Fox was tasked with:

  • Assessing the overall security of the Canyon web application
  • Identifying vulnerabilities on systems and services exposed on the external network
  • Performing a cloud security review of the AWS environment
  • Identifying any missing policies, defensive mechanisms, or processes that could threaten the global security posture of the organization and be used to access Google user data
  • Verifying that Google’s security requirements are met

Actionable Insights Led to Improved Security

The engagement consisted of three key parts: an application penetration test, an assessment of the external perimeter, including a cloud security review, and an evaluation of Canyon’s Self-assessment Questionnaire.

During the web application assessment, the Bishop Fox team discovered two issues with how the application handled untrusted inputs. The issues, though important to flag, were straightforward to address. Armed with detailed remediation recommendations, the Canyon team was able to rapidly implement the fixes.

"The Bishop Fox security consultants have brought critically interesting insights on the security of our systems, which has enabled us to improve them in very actionable ways."

– Adrien van den Branden, Co-founder and CEO, Canyon

Bishop Fox’s review of Canyon’s AWS environment and external attack surface determined that Canyon was maintaining a small external footprint and consistently following industry best practices for a secure infrastructure configuration.

Finally, through an analysis of Canyon’s SAQ responses, the assessment team determined that Canyon deployed effective security practices, which greatly enhanced the organization’s global security posture.

Rapid Results Without Compromising Quality

The engagement – from kick-off to remediation – took only two weeks to complete.

The Canyon team invested the time up front to prepare documentation around their policies and infrastructure, which allowed Bishop Fox to hit the ground running. Their efforts paired with Bishop Fox’s extensive experience delivering Google Partner security assessments and providing thorough reports with actionable recommendations allowed Canyon to meet Google’s security deadline and continue to leverage Google’s various APIs, an essential component of their business.

“The whole Bishop Fox team has been very reactive and professional, often exceeding our expectations in terms of turnaround time to submitting (revised) reports. The whole project was practically delivered in the course of 2 weeks, although we had planned a month for it.”

– Adrien van den Branden, Co-founder and CEO, Canyon

For Canyon, the engagement went beyond just meeting Google’s partner program requirements. Serving a target market of enterprise clients, they understand that robust security is an important differentiator for their product. The results of the engagement gave them the confidence that they were indeed delivering on their promise to provide enterprise-class security and compliance for their customers.

“The engagement not only increased our confidence in our systems but is also proving very valuable in discussions with prospects.”
– Adrien van den Branden, Co-founder and CEO, Canyon

About Canyon

Canyon is a plug-and-play contract management software that integrates seamlessly with your existing tools. No disruptive process change. No lengthy implementation. Simple and ready-to-use.

Customer Profile

Website: https://canyonlegal.com
Industry: Technology
Services Provided: Google Security Assessment