Application, Dev & Security: Questions and Answers
How do you continuously monitor and report the compliance of your infrastructure in accordance with industry best practices (i.e., OWASP, SANS, SOC, ISO 27001)?
We take steps to securely develop and test against security threats to ensure the safety of our customer data. We maintain a Secure Development Lifecycle, in which training our developers and performing design and code reviews takes a primary role. In addition, Xoxoday employs third-party security experts to perform detailed penetration tests on different applications. Beyond the security components provided by our top-level cloud provider AWS, Xoxoday maintains its own dedicated controls by following industry best practices. These controls cover DDoS protection, DB protection and a dedicated web application firewall, as well as fine-grained network firewall rules configured to the highest industry standards.
Have you implemented backup or recovery mechanisms to ensure compliance with regulatory, statutory, contractual or business requirements?
Data backups are done daily and in a secure manner on AWS.
If using virtual infrastructure, does your cloud solution include independent hardware restore and recovery capabilities?
We are using the AWS Virtual Platform cloud. We have created an Amazon CloudWatch alarm that monitors an Amazon EC2 instance and automatically recovers the instance if it becomes impaired due to an underlying hardware failure or a problem that requires AWS involvement to repair. EBS Snapshot functionality allows us to capture and restore virtual machine images at any time.
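As an added example that is not from the questionnaire or Xoxoday's own infrastructure, this CloudFormation fragment shows the two mechanisms described above wired together: a CloudWatch alarm on the EC2 system status check whose action is the EC2 recover ARN, and a Data Lifecycle Manager policy that takes the daily EBS snapshots. The instance ID, SNS topic and DLM role ARN are placeholder parameters.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Added example, not from the questionnaire - EC2 auto-recovery alarm plus daily EBS snapshots
Parameters:
  InstanceId:
    Type: AWS::EC2::Instance::Id     # placeholder: the instance to protect
  AlertTopicArn:
    Type: String                     # placeholder: SNS topic that pages on-call
  DlmRoleArn:
    Type: String                     # placeholder: IAM role DLM assumes for snapshots
Resources:
  # Recover the instance when the system status check fails (host hardware, power,
  # network reachability). StatusCheckFailed_Instance signals a guest-OS problem and
  # is deliberately not used as the recover trigger.
  Ec2AutoRecoverAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmName: !Sub "ec2-auto-recover-${InstanceId}"
      Namespace: AWS/EC2
      MetricName: StatusCheckFailed_System
      Dimensions:
        - Name: InstanceId
          Value: !Ref InstanceId
      Statistic: Minimum
      Period: 60
      EvaluationPeriods: 2           # two consecutive failed minutes before acting
      Threshold: 1
      ComparisonOperator: GreaterThanOrEqualToThreshold
      AlarmActions:
        - !Sub "arn:aws:automate:${AWS::Region}:ec2:recover"
        - !Ref AlertTopicArn         # recovery is otherwise silent; notify as well
  # Daily EBS snapshots of every volume tagged Backup=daily, retained for 7 days.
  DailyEbsSnapshots:
    Type: AWS::DLM::LifecyclePolicy
    Properties:
      Description: Daily snapshots of volumes tagged Backup=daily
      State: ENABLED
      ExecutionRoleArn: !Ref DlmRoleArn
      PolicyDetails:
        ResourceTypes: [VOLUME]
        TargetTags:
          - Key: Backup
            Value: daily
        Schedules:
          - Name: daily-0300-utc
            CreateRule: { Interval: 24, IntervalUnit: HOURS, Times: ["03:00"] }
            RetainRule: { Count: 7 }
            CopyTags: true
```

The recover action is only honoured on instance types and configurations AWS supports for recovery, so the SNS notification is also what tells the on-call engineer when an alarm fired but no recovery happened.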
Does your infrastructure environment solution include software/provider independent restore and recovery capabilities?
The infrastructure environment solution includes software/provider independent restore and recovery capabilities.
Do you test your backup or redundancy mechanisms at least annually?
Yes. Data backups are automated and done daily in a secure manner on AWS. We test the data backup and redundancy mechanisms at least annually.
Do you test your applications before they are promoted into the Production environment? What types of testing do you perform on your application and codes?
We have an SDLC policy as per ISMS requirements and we follow general coding practices. For example, we conduct data validation on a trusted system and use cryptographic functions to protect secrets from the application user. We also conduct code review, vulnerability assessment and penetration testing. We follow a blue-green deployment strategy for deploying changes to the production environment, which allows us to introduce new changes without any downtime and gives us the option to roll back without impacting any existing users. Typically, routine deployment of enhancements does not require any downtime.
Do you have a defined quality change control and testing process in place based on system availability, confidentiality, and integrity?
Yes, changes to the production environment are documented, tested, and approved prior to implementation. Production software and hardware changes may include applications, systems, databases, and network devices requiring patches, service packs, and other updates and modifications.
Do you have controls in place to ensure that standards of quality are being met for all software development?
We have implemented the SDLC procedure, and standards of quality are being met for all software development.
What controls do you have in place to detect source code security defects for any outsourced software development activities?
We have not outsourced software development activities. Our code reviews and analysis run through stringent automated tooling as well as manual source code review to cover any security loopholes prior to the production phase.
Are mechanisms in place to ensure that all debugging and test code elements are removed from released software versions?
All debugging and test code elements are removed from released software versions.
Do you have technical measures in place to ensure that changes in production environments are registered, authorized and in adherence with existing SLAs?
Yes, changes to the production environment are documented, tested, and approved prior to implementation. Production software and hardware changes may include applications, systems, databases, and network devices requiring patches, service packs, and other updates and modifications.
Do you monitor and log privileged access (e.g., administrator level) to information security management systems?
Yes. We monitor the logs. Application and infrastructure logs are also centrally collected and backed up in a secure manner for internal development and other relevant audit-related concerns.
Do you have an identity management system (enabling classification of data for a customer) in place to enable both role-based and context-based entitlement to data?
We have a role-based access system to make sure that only authorised individuals have access to the required information.
Do you provide customers with strong (multifactor) authentication options (e.g., digital certs, tokens, biometrics, etc.) for user access?
We don't provide multi-factor authentication. As of now, there are OAuth 2.0 and SAML-based tokens. A JSON-based token is available for maximum-security direct-email logins.
Do you allow customers to define password and account lockout policies for their accounts?
It can be configured with Active Directory.
Are access to utility programs used to manage virtualized partitions (e.g. shutdown, clone, etc.) appropriately restricted and monitored?
This access has been restricted and is also monitored for security reasons.
Are changes made to virtual machines, or moving of an image and subsequent validation of the image's integrity, made immediately available to customers through electronic methods (e.g., portals or alerts)?
Audit logs are reviewed and recorded on a regular basis automatically. These logs are integrated with security operations/SIEM solutions. We provide logs to the customer on a need and approval basis.
Do you restrict personnel access to all management functions or administrative access based on the principle of least privilege and supported through technical controls (e.g., two-factor authentication, audit trails, IP address filtering, firewalls and TLS-encapsulated communications to the administrative consoles)?
Access to data and systems is based on the principle of least privilege. Accordingly, all information systems and data are classified and further segregated to support role-based access requirements. Furthermore, while defining job roles and designing access roles, privileges leading to conflicts of interest are to be avoided. A strong identification and authentication system and logging systems are deployed and provide centralized control to administer, monitor and review all critical access events. We use MFA, firewalls, VPN, Active Directory, etc. for maximum security.
Do your network architecture diagrams clearly identify high-risk environments and data flows?
Yes, we have captured this information in our architecture and data flow diagrams.