Vulnerability and Threat Management

Do you have the capability to rapidly patch vulnerabilities across all of your computing devices, applications, and systems?

Yes, policies and procedures are established and mechanisms are implemented to detect, address, and stabilize vulnerabilities in a timeframe that matches the Security Patch Management Standards.

Do you have anti-malware programs that support or connect to your cloud service offerings installed on all of your systems?

Yes, Xoxoday's products are supported by leading anti-malware programs. These are connected with our cloud service offerings and are a part of all our systems.

Do you conduct local operating system-layer vulnerability scans regularly as prescribed by industry best practices?

Yes, we perform periodic scans of operating systems and databases along with server applications for vulnerability and configuration compliance. This is done by using suitable vulnerability management tools as per the industry standards.

Do you conduct network-layer vulnerability scans regularly as prescribed by industry best practices?

Yes, we perform network-layer vulnerability scans in line with industry standards to ensure that there is no breach in the network layers.

Do you conduct application-layer vulnerability scans regularly as prescribed by industry best practices?

Yes, to check the hygiene of the application layer, our vulnerability scans are performed as prescribed by industry standards.

Will you make the results of vulnerability scans available to tenants at their request?

Yes, tenants can request vulnerability scan reports.

Do you have controls and processes in place to perform host/file integrity monitoring for all systems storing and transmitting sensitive data?

Yes, we have a host/file integrity monitoring procedure in place to detect any unauthorized changes to data or system configuration.

Do you conduct daily vulnerability scans at the operating system layer?

No. Our vulnerability scans are periodic rather than daily; they are run at a frequency we consider sufficient to maintain our security measures and protect the operating system layer.

Do you conduct daily vulnerability scans at the database layer?

No. Our vulnerability scans are periodic rather than daily; they are run at a frequency we consider sufficient to maintain our security measures and protect the database layer.

Do you conduct daily vulnerability scans at the application layer?

No. Our vulnerability scans are periodic rather than daily; they are run at a frequency we consider sufficient to maintain our security measures and protect the application layer.

Do you have external third-party services conduct vulnerability scans and periodic penetration tests on your applications and networks?

Yes, vulnerability scans and penetration tests are conducted periodically by third parties and external services to test our security measures.

Whom do we contact if we identify a security issue or breach involving or impacting your product? Please provide an email address and/or full contact information.

Reach out to us at [email protected] to raise a ticket if you notice any potential security issue while meeting all the required criteria in our policy. Our security team will validate the reported issue for severity and authenticity in around 90 days. After validation, steps will be taken to fix the security issue in accordance with our security policies. The owner of the ticket will be informed once the issue is resolved.

More info below:

Do you conduct application and infrastructure penetration tests of your infrastructure regularly as prescribed by industry best practices and guidance?

Vulnerability scanning gives us deep insight for quick identification of out-of-compliance or potentially vulnerable systems. In addition to our extensive internal scanning and testing program, Xoxoday employs third-party security experts to perform vulnerability assessment and penetration testing.

Are the results of the penetration tests available to customers at their request?

We have fixed all the issues identified during the VAPT audit and rescanned to make sure that all the vulnerabilities are remediated. After confirmation of these fixes, we received the final VAPT certificate for our product.

Do you have external third-party services conduct vulnerability scans and periodic penetration tests on production and publicly facing applications, systems and infrastructure?

Vulnerability scanning gives us deep insight for quick identification of out-of-compliance or potentially vulnerable systems. In addition to our extensive internal scanning and testing program, Xoxoday employs third-party security experts to perform vulnerability assessment and penetration testing.

What are your timelines for remediation on Critical, High, Medium, and Low vulnerabilities?

60 days.

Do you conduct application and network-layer vulnerability scans regularly as prescribed by industry best practices? What tool? Frequency? Provide evidence.

We conduct the VA/PT on an annual basis as per the compliance requirements. Manual and third-party tools are used for this assessment.

Do you have the capability to patch vulnerabilities across all of your computing devices, applications, and systems?

Yes. We have the capability to patch the vulnerabilities.

Is VA/PT performed at regular intervals? If yes, what is the frequency?

We conduct VAPT on an annual basis.

How does the vendor ensure application security for the customer services in the cloud?

We follow all the technical guidelines for the development of our code and applications that come under the Open Web Application Security Project (OWASP). We also conduct a VAPT assessment for our application and remediate the findings.

How does the vendor ensure secure configuration of operating systems in the cloud?

We perform periodic scans of operating systems and databases along with server applications for vulnerability and configuration compliance. This is done by using suitable vulnerability management tools as per the industry standards.

How does the vendor ensure secure configuration of databases in the cloud?

Our vulnerability scans are periodic; they are run at a frequency we consider sufficient to maintain our security measures and protect the database layer.

Clearly defined responsibility for closure of observations as well as adherence to the customer remediation timeframes.

We have implemented the Threat and Vulnerability Management procedures. We close the identified vulnerabilities or fix the issues.

Is there a defined process set by function to review critical transactions?

We conduct code reviews, VA/PT assessments, log monitoring, incident reporting, etc., and these controls are monitored and reviewed by internal and external parties.

Is regular network vulnerability scanning performed?

Attached is the latest VAPT certificate.

Is application vulnerability scanning performed at regular intervals?

Attached is the latest VAPT certificate.

Regular appraisals of security controls as well as security hardening and patching of systems are performed.

Vulnerability scanning gives us deep insight for quick identification of out-of-compliance or potentially vulnerable systems. In addition to our extensive internal scanning and testing program, Xoxoday employs third-party security experts to perform vulnerability assessment and penetration testing. Attached are the Threat and Vulnerability Management and Patch Management Procedure.

Does the company conduct technical security assessments (e.g. vulnerability assessments, penetration tests) on its own IT environment?

We conduct vulnerability assessment and penetration testing for maximum security.

How often do you scan for vulnerabilities on your network and applications?

We conduct scans on a yearly basis as per the compliance requirements.

What is your vulnerability remediation process?

Attached is the Threat and Vulnerability Management Policy.

Are all third-party libraries regularly reviewed and checked for potential vulnerabilities?

Yes. As part of every build, the third-party libraries are scanned for security vulnerabilities.

Are mechanisms in place to ensure that all debugging and test code elements are removed from released software versions?

Our software will be free from all vulnerabilities.