
Patch Management & Security Risk

Find answers to questions on Patch Management and Security Risk


Q: Do you have policy and procedure, currently implemented, managing how critical patches are applied to all systems and applications?

Yes. We maintain a rigorous Patch Management Policy to govern how we identify, test, and apply updates to all critical systems. Our process includes:

  • Monitoring: We actively monitor security bulletins and vendor notifications for critical updates.

  • Prioritization: Patches are ranked by severity (based on CVSS scores) and business impact.

  • Testing: Updates are validated in a staging environment to ensure stability before reaching production.

  • Deployment SLAs: Critical patches are deployed within 7 days, and high-severity patches within 15 days.

  • Compliance: Our process supports our ISO 27001 and SOC 2 compliance and is subject to regular internal audits.
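As an added illustration of the prioritization and deployment-SLA steps above (this is example code written for this page, not Xoxoday's own tooling), the script below maps CVSS base scores to severity bands, computes each patch's SLA due date from the 7-day critical and 15-day high-severity windows stated above, and flags items that were deployed late or are still overdue. The severity bands are assumed to follow the standard CVSS v3.x qualitative scale; the page does not state its exact thresholds, and gives no SLA for medium or low findings, so those are reported as having no SLA. All advisory identifiers and dates in the sample queue are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Deployment SLAs (in days) as stated on the page: critical 7, high 15.
# No SLA is given for medium/low, so those severities are absent here.
SLA_DAYS = {"critical": 7, "high": 15}


def severity_from_cvss(score: float) -> str:
    """Map a CVSS base score to a qualitative band.

    Assumption: CVSS v3.x qualitative scale (critical >= 9.0, high >= 7.0,
    medium >= 4.0, low > 0.0); the page only says "based on CVSS scores".
    """
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    if score > 0.0:
        return "low"
    return "none"


@dataclass
class PatchItem:
    advisory_id: str          # constructed identifier, not a real advisory
    cvss: float
    published: date           # date the vendor bulletin was received
    deployed: Optional[date]  # None while the patch is still outstanding

    @property
    def severity(self) -> str:
        return severity_from_cvss(self.cvss)

    @property
    def due(self) -> Optional[date]:
        days = SLA_DAYS.get(self.severity)
        return self.published + timedelta(days=days) if days is not None else None

    def status(self, today: date) -> str:
        """One of: deployed-on-time, deployed-late, overdue, open, no-sla."""
        if self.due is None:
            return "no-sla"
        if self.deployed is not None:
            return "deployed-on-time" if self.deployed <= self.due else "deployed-late"
        return "overdue" if today > self.due else "open"


def sla_report(items, today: date):
    """Return ({advisory_id: status}, number of SLA breaches).

    A breach is a patch deployed after its due date or still open past it.
    """
    statuses = {item.advisory_id: item.status(today) for item in items}
    breaches = sum(1 for s in statuses.values() if s in ("deployed-late", "overdue"))
    return statuses, breaches


# Constructed sample queue: ids and dates are made up for illustration.
SAMPLE_QUEUE = [
    PatchItem("ADV-0001", 9.8, date(2024, 3, 1), date(2024, 3, 5)),   # critical, within 7 days
    PatchItem("ADV-0002", 7.5, date(2024, 3, 1), None),               # high, not yet deployed
    PatchItem("ADV-0003", 9.1, date(2024, 3, 1), date(2024, 3, 12)),  # critical, past 7 days
    PatchItem("ADV-0004", 5.3, date(2024, 3, 1), None),               # medium, no SLA stated
]


def sample_report(today_iso: str):
    """Run the report over the constructed queue as of an ISO date string."""
    return sla_report(SAMPLE_QUEUE, date.fromisoformat(today_iso))


if __name__ == "__main__":
    statuses, breaches = sample_report("2024-03-20")
    for advisory, status in statuses.items():
        print(f"{advisory}: {status}")
    print(f"SLA breaches: {breaches}")
```

Running the script as of 2024-03-20 reports ADV-0001 as deployed on time, ADV-0002 as overdue (its 15-day window closed on 2024-03-16), ADV-0003 as deployed late, and ADV-0004 as having no stated SLA, for two breaches in total. The same breach count is what an internal audit of the process described above would look for.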

Q: Have you implemented policies and procedures that guide how security risks are mitigated until patches can be applied?

Yes. We adhere to a documented procedure for Interim Risk Mitigation to secure assets when immediate patching is not feasible. Our process follows these key steps:

  • Immediate Assessment: The security team assesses the exposure and business impact of the vulnerability.

  • Compensating Controls: We implement temporary controls to reduce the attack surface, which may include:

    • Restricting network access or tightening firewall rules.

    • Disabling non-essential services or vulnerable features.

    • Deploying virtual patches via WAF (Web Application Firewall).

  • Enhanced Monitoring: The affected system undergoes heightened logging and alerting to detect exploit attempts.

  • Documentation: The delay is formally recorded in our Risk Register, including the specific mitigation plan and expected resolution date.

Q: Has the application or solution been penetration tested? Can we have insight into the results or report? Do you allow penetration testing by customers? How do you identify and patch vulnerabilities? What is the timeframe for patching known vulnerabilities? Which security controls are in place to protect against OWASP Top 10 risks?

Security Testing & OWASP Protection

We ensure the resilience of the Xoxoday platform through rigorous testing and enterprise-grade defense mechanisms.

Penetration Testing (VAPT)

  • Frequency: Annual (conducted by an independent third party).

  • Reports: Available upon request (NDA required).

  • Customer Testing: Allowed with prior authorization.

Vulnerability Resolution

  • Detection: Automated scans + manual VAPT.

  • Critical Patches: Released weekly.

  • Feature Updates: Released monthly.

Defense Against OWASP Top 10

  • Network: Cloudflare WAF & AWS GuardDuty.

  • Data: Full SSL/TLS encryption.

  • Access: IP Whitelisting, SSO, and MFA enforcement.

Q: Do you regularly scan for common web application security vulnerabilities (e.g., SQL injection, XSS, XSRF, etc.)?

Yes. Xoxoday routinely performs automated and manual scans for common web application vulnerabilities, including but not limited to SQL injection, cross-site scripting (XSS), and cross-site request forgery (XSRF). These are conducted using industry-standard tools and are supported by internal monitoring and mitigation protocols as part of our continuous compliance program.

Q: Will you allow the institution to perform its own vulnerability testing and/or scanning of your systems and/or application, provided that testing is performed at a mutually agreed upon time and date?

Yes. Xoxoday allows partner institutions to conduct their own vulnerability scans or penetration tests on its systems, subject to prior notification and mutual agreement on the scope, time, and date. This ensures security compliance while avoiding any disruption to platform performance or availability.

Q: Are your systems and applications scanned with an authenticated user account for vulnerabilities before new releases?

Yes, our systems and applications are scanned for vulnerabilities using authenticated user accounts before new releases. The process includes static and dynamic code analysis, vulnerability scans, and penetration testing, with all identified vulnerabilities remediated based on severity and in accordance with predefined timelines. These steps are outlined in our Threat and Vulnerability Management Procedure to ensure a secure release cycle.
