Brainwave GRC
Security First

In this world of ever-escalating cybersecurity threats and risk, we at Brainwave GRC take the protection and security of your data very seriously.

We enforce the highest security standards for our software products, including during the software development lifecycle, and have adopted a full transparency policy with our customers regarding all aspects of our software security policies.
The most significant aspects of the security controls and measures we have put in place are highlighted below.

Continual Security Testing During Development

Modern development practices such as DevOps feature a continuous development pipeline (CI/CD) which automates continuous software builds as well as several non-regression and integrity tests.

Brainwave GRC deploys a state-of-the-art DevSecOps pipeline which puts security at the heart of the process and notably includes the following steps.

The results of these security tests are made available to our customers under non-disclosure agreements.

Continuous Static Code Auditing

As part of the build process, the source code is scanned and an automated report listing insecure coding practices is sent back to the development team. If the number of findings exceeds a predefined threshold, the build may be cancelled.

Dependency Check

Third-party code libraries are inventoried and checked against known Common Vulnerabilities and Exposures (CVE) lists. These CVEs are reviewed by our security architect, who determines their impact on the security posture of the software and makes the required remediation decisions. The software release notes include the Software Bill of Materials (SBOM) together with a list of known CVEs that remain present and the recommended compensating controls.
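The dependency check described above is, in essence, a join between the SBOM's component inventory and a vulnerability feed, followed by a gate that refuses to ship a finding nobody has made a decision on. The block below is an added illustration, not Brainwave GRC's tooling: it walks a constructed CycloneDX-style SBOM fragment, matches components against a constructed advisory list (the CVE identifiers are placeholders, not real CVEs), and produces the two artifacts the text mentions, a release gate and the "known CVEs plus compensating controls" list for the release notes. Version comparison is a simplified dotted-integer compare assumed for the example.

```python
"""Added example: match SBOM components against a CVE list and gate the release."""

# Constructed, minimal CycloneDX-style SBOM fragment (not a real product SBOM).
SBOM = {
    "bomFormat": "CycloneDX",
    "components": [
        {"name": "example-json-lib", "version": "2.9.3"},
        {"name": "example-http-client", "version": "4.5.13"},
        {"name": "example-logging", "version": "1.2.7"},
    ],
}

# Constructed advisory feed. The ids are placeholders, not real CVE numbers.
# "affected_below" is the first fixed version: anything older is affected.
ADVISORIES = [
    {"cve": "CVE-PLACEHOLDER-1", "name": "example-json-lib",
     "affected_below": "2.10.0", "severity": "critical"},
    {"cve": "CVE-PLACEHOLDER-2", "name": "example-logging",
     "affected_below": "1.2.5", "severity": "high"},
    {"cve": "CVE-PLACEHOLDER-3", "name": "example-http-client",
     "affected_below": "4.5.14", "severity": "medium"},
]

# Remediation decisions recorded by the security architect (constructed).
# A finding with no entry here has not been reviewed and must block the release.
DECISIONS = {
    "CVE-PLACEHOLDER-1": "upgrade to 2.10.0 before release",
}


def parse_version(version: str) -> tuple:
    """Simplified dotted-integer version parse (assumed for this example)."""
    return tuple(int(part) for part in version.split("."))


def find_affected(sbom: dict, advisories: list) -> list:
    """Return the advisories whose affected range covers a shipped component."""
    shipped = {c["name"]: c["version"] for c in sbom["components"]}
    hits = []
    for adv in advisories:
        version = shipped.get(adv["name"])
        if version is None:
            continue  # component not shipped, advisory does not apply
        if parse_version(version) < parse_version(adv["affected_below"]):
            hits.append({**adv, "shipped_version": version})
    return hits


def release_gate(hits: list, decisions: dict) -> tuple:
    """Return (ok, undocumented): ok is False if any hit lacks a recorded decision."""
    undocumented = [h["cve"] for h in hits if h["cve"] not in decisions]
    return (not undocumented, undocumented)


def release_notes_section(hits: list, decisions: dict) -> list:
    """Lines for the release notes: each known CVE with its recommended control."""
    lines = []
    for h in hits:
        control = decisions.get(h["cve"], "NO DECISION RECORDED")
        lines.append(f"{h['cve']} ({h['severity']}): {h['name']} "
                     f"{h['shipped_version']} - {control}")
    return lines


if __name__ == "__main__":
    found = find_affected(SBOM, ADVISORIES)
    ok, missing = release_gate(found, DECISIONS)
    print("\n".join(release_notes_section(found, DECISIONS)))
    print("release gate:", "PASS" if ok else f"BLOCKED, undecided: {missing}")
```

With the constructed data, two advisories apply (the JSON library and the HTTP client); only the first has a recorded decision, so the gate blocks the release until the architect records a decision for the second, exactly the review step the text describes.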

Dynamic Application Security Testing

At the end of the build and release process, trusted providers perform penetration tests of our software platform and its APIs against well-known vulnerability classes such as broken access control, CSRF, XSS, SQL injection, etc. Additionally, they assess the effective impact of known CVEs in third-party libraries as well as potential weaknesses detected during static code audits. Finally, our automated non-regression and dynamic application testing capabilities embedded in the CI/CD pipeline are currently being expanded.

Software Release Process and Maintenance

Our software release process also includes several formal validation steps regarding the security and integrity of the software package.

  Executable software components are digitally signed to ensure their integrity. SHA-256 checksums are calculated for each shipped package and published on our download website. The packages are scanned to ensure they are free from known viruses or malware.

  Each major version of the product undergoes penetration testing. The presence of major or critical vulnerabilities in the product will interrupt the release process.

  After shipping, the maintenance process will address bugs as well as security fixes. The maintenance team oversees the security watch for third-party components, alerts customers and recommends compensating controls in case of an emerging CVE that would affect the product.
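Published SHA-256 checksums only help if the receiving side actually verifies them before installing. The block below is an added example of that customer-side check, not Brainwave GRC's own tooling or download format: it parses a checksum listing in the common `sha256sum` output layout (hash, whitespace, filename), hashes each downloaded package, and reports OK, MISMATCH or UNLISTED per file. The package bytes and the checksum listing are constructed inline, and the second entry is deliberately wrong to show a corrupted download being caught. The checksum check complements, and does not replace, verifying the digital signature on the executables.

```python
"""Added example: verify downloaded packages against a published SHA-256 listing."""
import hashlib
import hmac

# Constructed package contents standing in for downloaded installer archives.
PACKAGES = {
    "product-1.0.0.zip": b"constructed installer payload, release 1.0.0\n",
    "product-1.0.0-patch.zip": b"constructed patch payload\n",
}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of the given bytes."""
    return hashlib.sha256(data).hexdigest()


# Constructed checksum listing in sha256sum layout. The second line carries a
# deliberately wrong digest to simulate a corrupted or altered download.
PUBLISHED_CHECKSUMS = "\n".join([
    "# product 1.0.0 checksums (constructed)",
    f"{sha256_hex(PACKAGES['product-1.0.0.zip'])}  product-1.0.0.zip",
    f"{'0' * 64}  product-1.0.0-patch.zip",
])


def parse_checksum_file(text: str) -> dict:
    """Parse '<hex digest>  <filename>' lines into {filename: digest}.

    Accepts the '*filename' binary-mode marker and rejects malformed digests,
    so a truncated or edited listing fails loudly instead of silently passing.
    """
    expected = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected '<digest> <filename>'")
        digest, name = parts[0].lower(), parts[1].strip().lstrip("*")
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"line {lineno}: not a SHA-256 hex digest")
        expected[name] = digest
    return expected


def verify_packages(packages: dict, checksum_text: str) -> dict:
    """Return {filename: 'OK' | 'MISMATCH' | 'UNLISTED'} for each package."""
    expected = parse_checksum_file(checksum_text)
    results = {}
    for name, data in packages.items():
        if name not in expected:
            results[name] = "UNLISTED"  # nothing to compare against: do not install
            continue
        actual = sha256_hex(data)
        # compare_digest avoids timing-dependent comparison of the digest strings
        results[name] = "OK" if hmac.compare_digest(actual, expected[name]) else "MISMATCH"
    return results


if __name__ == "__main__":
    for filename, status in verify_packages(PACKAGES, PUBLISHED_CHECKSUMS).items():
        print(f"{status:8} {filename}")
```

Anything other than OK for every file should stop the installation; UNLISTED in particular means the listing and the download do not belong together, which is a mismatch between what was published and what was fetched rather than a cosmetic gap.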

Securing the Organization

Brainwave GRC uses dedicated technologies and strict internal processes in order to maintain a high degree of security of its organization. The following measures are currently in place:

Users are centrally managed and Multi-Factor Authentication (MFA) is enforced across all business applications, data management and remote access (VPN) systems. End-user devices are also centrally managed with mandatory security policies that users cannot override.

Frequent user access reviews are performed using our own Brainwave Identity Analytics software to enforce the principles of least privilege and segregation of duties.

Our core security functions (firewalls, intrusion detection probes, etc.) are managed by a certified Managed Security Service Provider (MSSP).

We enforce a strict patch management process for our internal systems. This includes constant security surveillance as well as scheduled and exceptional patching operations according to the risk assessment.

Our internal system and application logs are stored in a Security Information and Event Management (SIEM) system and are monitored by our internal security team. SIEM alerts also feed our incident management process.

The global Brainwave GRC team is required to undergo yearly security training and assessments (including phishing simulations).

Our customers have confidence in our ability to protect their data and themselves from cyber threats. You can, too.