Company Name: Wiza, Inc.
Description of services offered: Sales engagement and lead generation software as a service.
Address: 2035 Sunset Lake Road, Newark, DE, 19702
Customer Data and Source Code Backup Process
Customer Data Encryption at Rest: Yes
Customer Backup Encryption: Yes
Frequency of Customer Backups: Daily and automatic
Frequency of Source Code Backups: When changes are made using a versioning tool (ex. GitHub, Bitbucket)
Multi-Factor Authentication: Yes, Wiza requires all employees to utilize Multi-Factor Authentication on any work-related applications.
New System Deployment Process
Changing Default Passwords: Yes, on all systems
Disabling Default passwords: Yes, on all systems
System Image Hardening: Database/Redis servers are managed and patched by AWS and external inbound traffic is completely blocked. The main app server runs on CapRover and is regularly updated, server is accessible by passwordless public-private key login, and inbound ports (80,443,22). Critical admin panels are hidden behind multi-level subdomains.
Software Development Lifecycle
Open Web Application Security Project (OWASP) Top 10 Training: Yes
Definition of Testing Processes: Yes, we run both Detectify and custom security unit tests after each release to scan for new vulnerabilities.
Source Approval Process: Yes, merges require at least 1 review and approval by a Senior Engineer. It goes though CI and if it passes, it merges into production and is deployed via CapRover.
Separation of Duties: Yes
Network Segmentation: Yes, network filtering (firewall or VLAN using NIST 800-125B)
DNS Filtering: Yes, we use a combination of Cloudflare Gateway for DNS level filtering and Kaspersky's Web Traffic Security for malicious URL filtering.
Vulnerability Disclosure Program
API Access Tokens
API Token Storage: Stored encrypted, with encryption keys store in a secure key store.
Server Configuration Deployment: Configurations are made manually. There is currently one app server. Database/Redis are managed by AWS.
Frequency of Port Scans: After any deployment
Data Loss Prevention
Data Loss Prevention Policy: Yes, we use a combination of Digital Guardian and G-Suite rules to prevent the unauthorized distribution of sensitive data.
Wiza conducts an annual third-party annual security assessment which includes: Application Penetration testing, External Penetration testing, and Cloud Security Review.
Below you'll find an overview of tests that are completed on an annual basis by Bishop Fox, which is the largest private professional services firm focused on offensive security testing.