In this world of ever-escalating cybersecurity threats and risks, we at Brainwave GRC take the protection and security of your data very seriously.
We enforce the highest security standards for our software products, including during the software development lifecycle, and have adopted a full transparency policy with our customers regarding all aspects of our software security policies.
The most significant aspects of the security controls and measures we have put in place are highlighted below.
Continual Security Testing
Modern development practices such as DevOps feature a continuous development pipeline (CI/CD) which automates continuous software builds as well as several non-regression and integrity tests.
Brainwave GRC deploys a state-of-the-art DevSecOps pipeline which puts security at the heart of the process and notably includes the following steps.
The results of these security tests are made available to our customers under non-disclosure agreements.
Continuous Static Code Auditing
As part of the build process, the source code is scanned and an automated report is sent back to the development team listing insecure coding practices. If the number of findings exceeds a predefined threshold, the build process may be cancelled.
Third-party code libraries are inventoried and checked against known Common Vulnerabilities and Exposures (CVE) lists. These CVEs are reviewed by our security architect, who determines their impact with regard to the security posture of the software and makes the required remediation decisions. The software release notes include the Software Bill of Materials (SBOM) together with a list of existing known CVEs and the recommended compensating controls.
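The following is an added illustration of the SBOM check described above, not Brainwave GRC's own code: it cross-checks an inventory of third-party components against a known-CVE list, applies a threshold-based build gate, and drafts the release-note section listing known CVEs with their compensating controls. The SBOM, the advisories and the CVE identifiers are constructed placeholders, and versions are assumed to be dotted integers.

```python
# Added example, not Brainwave GRC code: cross-check an SBOM inventory against a
# known-CVE list, apply a build gate, and draft the release-note CVE section.
# Assumptions: versions are dotted integers and an advisory names the first fixed
# version; the SBOM, advisories and CVE ids below are constructed placeholders.
from dataclasses import dataclass

@dataclass(frozen=True)
class Advisory:
    cve: str        # placeholder id, not a real CVE
    component: str
    fixed_in: str   # first version that is no longer affected
    severity: str   # LOW / MEDIUM / HIGH / CRITICAL
    control: str    # recommended compensating control while unpatched

SBOM = [  # constructed inventory of third-party components
    {"name": "libalpha", "version": "1.4.2"},
    {"name": "libbeta", "version": "2.0.0"},
    {"name": "libgamma", "version": "0.9.1"},
]
ADVISORIES = [  # constructed advisories with placeholder CVE ids
    Advisory("CVE-0000-0001", "libalpha", "1.5.0", "HIGH", "restrict the affected API to authenticated admins"),
    Advisory("CVE-0000-0002", "libbeta", "1.9.0", "CRITICAL", "upgrade immediately"),
    Advisory("CVE-0000-0003", "libgamma", "1.0.0", "LOW", "disable the unused parser feature"),
]
BLOCKING = {"HIGH", "CRITICAL"}

def parse_version(text):
    """Turn '1.4.2' into (1, 4, 2) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))

def match_advisories(sbom, advisories):
    """Advisories whose component is in the SBOM at a version below the fixed one."""
    return [adv for comp in sbom for adv in advisories
            if adv.component == comp["name"]
            and parse_version(comp["version"]) < parse_version(adv.fixed_in)]

def build_allowed(findings, max_blocking=0):
    """Gate: cancel the build when HIGH/CRITICAL findings exceed the threshold.
    Anything that passes here still goes to the security architect's review."""
    blocking = sum(1 for f in findings if f.severity in BLOCKING)
    return blocking <= max_blocking

def release_notes(findings):
    """One line per known CVE for the release notes, with its compensating control."""
    return [f"{f.cve} ({f.component} < {f.fixed_in}, {f.severity}): {f.control}"
            for f in findings]

if __name__ == "__main__":
    found = match_advisories(SBOM, ADVISORIES)
    print("build allowed:", build_allowed(found))
    print("\n".join(release_notes(found)))
```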
Dynamic Application Security Testing
At the end of the build and release process, trusted providers perform penetration tests of our software platform and its APIs against well-known vulnerabilities such as broken access control, CSRF, XSS, SQL injection, etc. Additionally, they assess the effective impact of known CVEs in third-party libraries as well as potential weaknesses detected during static code audits. Finally, our automated non-regression and dynamic application testing capabilities embedded in the CI/CD pipeline are currently being expanded.
Software Release Process and Maintenance
Executable software components are digitally signed to ensure their integrity. SHA-256 checksums are calculated for each shipped package and published on our download website. The packages are scanned to ensure they are free from known viruses or malware.
After shipping, the maintenance process addresses bugs as well as security fixes. The maintenance team oversees the security watch for third-party components, alerts customers and recommends compensating controls when an emerging CVE affects the product.
Securing the Organization
Brainwave GRC uses dedicated technologies and strict internal processes in order to maintain a high degree of security of its organization. The following measures are currently in place:
Users are centrally managed and Multi-Factor Authentication (MFA) is enforced across all business applications, data management and remote access (VPN) systems. End-user devices are also centrally managed with mandatory security policies that users cannot override.
Frequent user access reviews are performed using our own Brainwave Identity Analytics software to enforce the principles of least privilege and segregation of duties.
Our core security functions (firewalls, intrusion detection probes, etc.) are managed by a certified Managed Security Service Provider (MSSP).
We enforce a strict patch management process for our internal systems. This includes constant security surveillance as well as scheduled and exceptional patching operations according to the risk assessment.
Our internal system and application logs are stored in a Security Information and Event Management (SIEM) system and are monitored by our internal security team. The SIEM team also uses its alerts to drive incident management.
The global Brainwave GRC team is required to undergo yearly security training and assessments (including phishing simulations).