Security audit, testing, and incident response

Security audits

Incident management, reporting, and response

Incident response is a key aspect of Pismo’s overall security and privacy program. We have a rigorous process for managing data incidents. This process specifies actions, escalations, mitigation, resolution, and notification of any potential incidents impacting the confidentiality, integrity, or availability of customer data.

Pismo uses a security information and event management (SIEM) tool. Additionally, Pismo developed its incident management process based on the MITRE ATT&CK framework. This framework is the most suitable for our operating model and allows Pismo defenders to assess whether they can defend against specific Advanced Persistent Threats (APTs) and against behaviors common to multiple threat actors.

Inspection rights

Upon customer request, we can make available all information necessary to demonstrate compliance with the obligations laid down in the contract and in Data Protection Laws. We also allow for and contribute to audits, including inspections conducted by the Customer to verify the platform's compliance, provided that the persons performing the audit sign a non-disclosure agreement with us. We always require reasonable notice for all audits.

Security testing

Security penetration testing

Pismo’s vulnerability assessment program is one source of input for our vulnerability management program. We perform regular tests across all applications, including APIs and web portals, using industry-standard methodologies such as OWASP and NIST.

This practice aims to identify vulnerabilities by mapping our attack surface, and it also supports risk rating assessments and prioritization.

The vulnerability assessments occur in the final stage of the development life cycle. Unlike static analysis, they are performed manually by our analysts, who put effort into finding business logic flaws and other vulnerabilities that may bypass the earlier automated controls.

Pismo performs internal and external penetration tests at least twice a year, one conducted by our internal Red Team and the second by an external company specialized in the activity.

Gap analysis of annual compliance

Upon request, Pismo accommodates gap analysis with our customers to ensure compliance against their information security policies.

Risk controls self-assessment program

To address risk controls self-assessment (RCSA), Pismo applies a DevSecOps approach early in the development life cycle. Security checks are built into our development pipelines to guarantee that all new or modified code is inspected before being moved to the production environment. This includes a secure SDLC and threat modeling during the design phase, secure coding practices, code authentication and repository access control during development, IAST/SAST during build, IAST/DAST/pentests during testing, and monitoring through the deploy and operate phases. We use tools to ensure code quality and test coverage, along with detecting some security issues.

Content security policy

Pismo’s content security policy (CSP) covers encrypted DB instances, which use the industry-standard AES-256 encryption algorithm to encrypt data on the DB instances. After data is encrypted, Pismo handles authentication of access and decryption of data transparently, with minimal impact on performance. Beyond data, all logs, backups, and snapshots are encrypted.

Pismo uses a Key Management Service (KMS) to generate and manage cryptographic keys; the KMS operates as the cryptographic service provider for protecting data.

For data in transit, Pismo has OpenID Connect for Servers in place as the preferred way to authenticate with the Pismo platform. It provides stronger security guarantees in service communications than basic authentication with client credentials. JSON Web Tokens (JWTs) are a critical part of connecting with OpenID. The Generating a JWT section of the Authentication with OpenID Connect guide explains how to generate and sign a JWT. Clients can also use the mutual TLS (mTLS) setup available on the Pismo platform for authentication.

Vulnerability and incident management

Vulnerability assessment and management

Pismo’s comprehensive vulnerability assessment program plays a vital role in strengthening our overall vulnerability management strategy. Pismo conducts regular, in-depth security evaluations across all applications—including APIs and web portals—using industry-standard methodologies such as OWASP and NIST. This proactive approach aims to identify, assess, and mitigate potential security risks before they can be exploited.

The vulnerability assessments occur in the final stage of the development life cycle. Unlike static analysis, these assessments are performed manually by our analysts, who put effort into finding business logic flaws and other vulnerabilities that may bypass previous automated controls.

Pismo’s vulnerability management program is a proactive security initiative designed to prevent the exploitation of IT vulnerabilities. It helps reduce the time and cost associated with identifying and addressing potential threats.

Security incident and log management

Pismo has Information Security policies and guidelines in place for stringent data security measures. Pismo’s SOC is in charge of threat monitoring and incident response. The SOC operates with our SIEM solution for log aggregation and retention. There are playbooks in place for incident response.

Pismo has a security log management process to monitor the environment's health and maintain logging mechanisms to track user activities.

Threat and vulnerability risk assessment

For threat and vulnerability risk assessment (TVRA), Pismo follows the COSO-ERM methodology, which analyzes assets, the likelihood of the threat, and vulnerabilities, and combines them into a defined risk score. A risk management policy is in place, and every quarter a Risk Committee discusses risks with the board and takes action against them.

Application penetration testing

Pismo performs internal and external penetration tests (TVM013) at least twice a year, one conducted by our internal Red Team and the second by an external company specialized in penetration testing.
Related pages

For more detailed Pismo platform security information or for certification and compliance details, refer to: