With security and compliance becoming a major concern for every organization, Chakravuyha's Software Security Initiative (SSI), run by the Product Security Office (PSO), has defined a set of product security programs to ensure that all Chakravuyha products are built with security in mind.
We apply best practices at every stage of the product development lifecycle as well as in the post-release response process.
Security Gap Analysis
This is the basic security program, integrated into the software development life cycle at Chakravuyha. It covers an architecture review from an attacker's point of view and a basic penetration test, executed with an attacker mindset, that focuses on the OWASP Top 10 vulnerability categories. A report describing the complete security posture, as found by Chakravuyha's internal Product Security Office, is shared with all customers.
Security Program Adoption
This is a more comprehensive program offered to Chakravuyha customers as a paid service. It covers products owned and released by Chakravuyha, and is also available as an on-demand service for products owned and managed by Chakravuyha customers. Under this program the PSO works with customers on a monthly, quarterly, half-yearly or yearly subscription. The engagement covers threat modelling of the product in scope, manual code review of the product in scope, and manual penetration testing of the product in scope. The PSO uses a number of commercial tools it has licensed as well as internally developed tools.
A detailed report on the findings, including the expected remediation for each finding, is shared with the customer. Within the program the PSO applies a Secure Development Lifecycle, helps customers establish a security program within their own software development lifecycle, and ensures that security feedback is provided early and on a timely basis.
The Security Plus program, created as part of the software security initiative, covers the following three major activities.
Incident Handling is the service the PSO provides after Chakravuyha products are released. It covers a quick response from the PSO to any vulnerability that is identified publicly or reported by a customer. A resolution is put in place on a timeline that depends on the severity of the security defect and its impact on customers. A newsletter or monthly report, which also includes basic security training material and news from the security community, is shared with customers as part of this engagement.
Continuous Monitoring is a service that monitors the deployed network or product 24x7 to detect attacks against it. This service is currently offered at a basic level and is expected to evolve over the next couple of months as the team integrates additional commercial tools.
Security Maintenance covers all software components within Chakravuyha products, such as third-party libraries and other open source components used during product development. All such components are tracked for known vulnerabilities, and customers are notified promptly when a vulnerability is publicly disclosed or when an impact on them is identified.
Security Audit & Compliance
At this moment the PSO supports FIPS 140-2 (validation of cryptographic modules) and SOC 2 (controls of a service organization). Customers who want help pursuing other compliance frameworks are welcome to reach out to us; we will make our best efforts to achieve those certifications and to meet the applicable security regulations.
The PSO continually invests time and resources in new security-focused initiatives so that customers benefit as much as possible. As part of this, the PSO has several ideas for running basic security checks in an automated fashion within the customer environment. This sharing of knowledge and resources is done continuously, because Chakravuyha as a company treats its customers with respect and prioritizes their security needs.
*Part of this plan is a paid service, covering the manual effort the PSO spends evaluating the customer's needs and working on the proposed solutions the customer agrees to.