How Wiz Meets CISA “Secure by Design” Objectives

An update on our commitments to customer security.


When the Cybersecurity and Infrastructure Security Agency (CISA) sought founding participants in its Secure by Design initiative, Wiz was honored to support it as an inaugural member. At just 4 years old, we benefit from a lack of technical debt and a dynamic culture that is underpinned by the belief that security and innovation should scale together.

As Wiz’s CISO, Ryan Kazanciyan, said in his statement of support, “Wiz is based on the belief that building fast cannot be at the expense of building securely. The customers we all serve should expect nothing less. Wiz looks forward to continuing to help our partners at CISA and beyond raise the bar and expectations when it comes to secure by design.”

In honor of cybersecurity awareness month, we wanted to share an update on how we are progressing against the commitments put forth in the Secure by Design Pledge. Sharing these efforts is just another way we hope to expand this conversation—and ultimately create a broader ecosystem that is not only secure by design, but Secure by Default and Demand.

Authentication

Pledge Commitment: The product should support secure authentication.

Wiz provides transparency over the cloud-native permissions that each product component requires in order to work with customer environments. Product documentation includes detailed explanations for each permission and why it is required. Wiz Developers and Product Security team members ensure that requested permissions use the least privileges required to fulfill each product feature.

Wiz supports integrating any SAML 2.0 compliant SSO application (such as Okta, Microsoft Entra ID, and Google Workspace) for customers to access their Wiz tenants. This is provided for all Wiz customers at no additional cost, and is not limited to particular product licenses or tiers.

Although most customers integrate with their SSO to manage their users’ access to Wiz, we also enforce mandatory multi-factor authentication for all Wiz customers that choose to permit direct authentication.

Wiz does not use any default passwords for any user or service access to its products. All credentials are unique and provisioned through secured flows.

For customers that need to connect third-party products to their instance of Wiz, or to build custom integrations that use the Wiz API, Wiz provides the ability to securely create and manage Service Accounts (SAs). Wiz adheres to secure design patterns to protect SA credentials, including a per-request API token flow with short-lived tokens, and the ability to enforce granular permissions and custom expiry dates for custom integration SAs.

Wiz provides customers with the ability to enforce additional defense-in-depth mechanisms for authentication security, including domain and IP restrictions for logins, and independently configurable session lifespan and inactivity timeout settings.

Eliminating Classes of Vulnerability

Pledge Commitment: The software manufacturer should systematically address entire classes of software defects across its products.

Wiz products are built using memory-safe languages. The Wiz back-end is implemented in Go, and the Wiz runtime sensor is implemented in Rust. This limits the product’s susceptibility to vulnerabilities such as buffer overflows.

All web-based or programmatic interaction with the Wiz SaaS platform occurs through an authenticated GraphQL endpoint. The GraphQL API is strongly typed and enforces schema and input validation before any application code handles the request. The endpoint only accepts POST requests, and each request must include a signed cookie that is bound to the user for whom it was generated. Wiz additionally uses front-end frameworks that provide built-in protection against cross-site scripting and similar classes of web application vulnerabilities.
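Two of the controls described on this page, a POST-only endpoint whose signed cookie is bound to a specific user (this section) and the independently configurable session lifespan and inactivity timeout (the Authentication section), can be illustrated together in Go, the language of the Wiz back-end. The following is an added example written for this page, not Wiz's own code: the cookie layout, the HMAC-SHA256 tag, the 12-hour lifespan, the 30-minute idle timeout, the signing key and the user names are all constructed for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Constructed policy values for the example; a real deployment sets its own.
const (
	absoluteLifespan  = 12 * time.Hour   // session lifespan, counted from issuance
	inactivityTimeout = 30 * time.Minute // idle timeout, counted from last activity
)

// Constructed demo key; a real service loads its key from a secret store.
var signingKey = []byte("constructed-demo-key-not-for-production")

var (
	ErrMethod    = errors.New("only POST is accepted")
	ErrMalformed = errors.New("cookie malformed")
	ErrSignature = errors.New("cookie signature invalid")
	ErrUserBind  = errors.New("cookie not bound to the requesting user")
	ErrExpired   = errors.New("session exceeded absolute lifespan")
	ErrIdle      = errors.New("session exceeded inactivity timeout")
)

// Session is the state carried inside the signed cookie.
type Session struct {
	UserID   string
	IssuedAt time.Time // fixed at login; drives the absolute lifespan
	LastSeen time.Time // refreshed on each accepted request; drives the idle timeout
}

// sign returns a URL-safe base64 HMAC-SHA256 tag over payload.
func sign(payload string) string {
	mac := hmac.New(sha256.New, signingKey)
	mac.Write([]byte(payload))
	return base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// IssueCookie serialises the session as "user|issued|lastSeen.tag".
func IssueCookie(s Session) string {
	payload := fmt.Sprintf("%s|%d|%d", s.UserID, s.IssuedAt.Unix(), s.LastSeen.Unix())
	return payload + "." + sign(payload)
}

// ParseCookie verifies the tag in constant time, then decodes the payload.
func ParseCookie(cookie string) (Session, error) {
	dot := strings.LastIndexByte(cookie, '.')
	if dot < 0 {
		return Session{}, ErrMalformed
	}
	payload, tag := cookie[:dot], cookie[dot+1:]
	if !hmac.Equal([]byte(sign(payload)), []byte(tag)) {
		return Session{}, ErrSignature
	}
	parts := strings.Split(payload, "|")
	if len(parts) != 3 {
		return Session{}, ErrMalformed
	}
	issued, err1 := strconv.ParseInt(parts[1], 10, 64)
	last, err2 := strconv.ParseInt(parts[2], 10, 64)
	if err1 != nil || err2 != nil {
		return Session{}, ErrMalformed
	}
	return Session{UserID: parts[0], IssuedAt: time.Unix(issued, 0), LastSeen: time.Unix(last, 0)}, nil
}

// Authorize runs the checks in order: POST only, valid signature, cookie bound
// to the user the request claims to act as, absolute lifespan, inactivity
// timeout. On success it returns a refreshed cookie with LastSeen moved to now.
func Authorize(method, cookie, requestedUser string, now time.Time) (string, error) {
	if method != "POST" {
		return "", ErrMethod
	}
	s, err := ParseCookie(cookie)
	if err != nil {
		return "", err
	}
	if s.UserID != requestedUser {
		return "", ErrUserBind
	}
	if now.Sub(s.IssuedAt) > absoluteLifespan {
		return "", ErrExpired
	}
	if now.Sub(s.LastSeen) > inactivityTimeout {
		return "", ErrIdle
	}
	s.LastSeen = now
	return IssueCookie(s), nil
}

func main() {
	login := time.Now()
	cookie := IssueCookie(Session{UserID: "alice", IssuedAt: login, LastSeen: login})
	tries := []struct {
		method, user string
		at           time.Time
	}{
		{"GET", "alice", login.Add(time.Minute)},       // wrong method
		{"POST", "bob", login.Add(time.Minute)},        // cookie belongs to alice
		{"POST", "alice", login.Add(45 * time.Minute)}, // idle too long
		{"POST", "alice", login.Add(10 * time.Minute)}, // accepted
	}
	for _, try := range tries {
		_, err := Authorize(try.method, cookie, try.user, try.at)
		fmt.Printf("%-4s as %-5s at +%v: %v\n", try.method, try.user, try.at.Sub(login), err)
	}
}
```

The order of checks matters for the defender: the method and signature are rejected before any claim inside the cookie is trusted, the user binding is checked before any time-based logic, and the absolute lifespan is enforced even for a session that is kept continuously active, which is what makes the two timeouts independent settings rather than one.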

As part of Wiz’s internal incident response processes, any time a significant vulnerability is identified in a Wiz product component or the infrastructure and services that support it, Wiz’s security team conducts a root cause analysis, defines preventative tasks to reduce or eliminate the likelihood of similar incidents in the future, and collaborates with Wiz Engineering teams to implement these improvements. Incidents are reviewed by security and product leadership on at least a quarterly basis to sustain these processes and identify trends.

Evidence of Intrusions

Pledge Commitment: Software manufacturers should make available security logs to customers in the baseline version of the product.

Wiz provides all customers with access to audit logs that record detailed, security-relevant events related to their instance of the product, at no additional cost. These logs are retained and accessible within customers’ Wiz portal for 180 days, and can be sent to a SIEM or data warehouse for longer-term retention.

In order to foster transparency and effective collaboration, Wiz provides customers with a documented Shared Responsibility Model that delineates Wiz and customer-managed responsibilities for logging, monitoring, incident response, and other security functions.

Software Supply Chain Security

Pledge Commitment: The software manufacturer should maintain and share provenance data of third-party dependencies and have processes to govern its use of, and contributions to, open source software components.

Wiz vets the security of the third-party and open-source components it uses within its products through a combination of technical and process controls. This includes:

  • Automated scanning across source control repositories, within the CI/CD pipeline, and in production environments to identify software components that may be vulnerable, end-of-life, or are otherwise unauthorized.

  • A third-party risk management program that continuously assesses products and technologies used in support of Wiz products and business operations based on their risk categorization.

  • Policies, procedures, and training to inform developers of the approved processes for utilizing third-party and open-source software components.

  • Additional governance and review mechanisms implemented by Wiz legal and security teams.

Wiz further provides customers with in-product SBOM Inventory features that track all software components (OS packages, code libraries, package managers, licensing, and so on) and the resources on which they were identified across all of a customer’s connected cloud environments.

Vulnerability Disclosure and Reporting

Pledge Commitment: The software manufacturer should demonstrate transparency and timeliness in vulnerability reporting for both on-premises and cloud products.

Because Wiz is delivered as a SaaS-only product, Wiz maintains a vulnerability management policy that defines SLAs and response processes for the types of vulnerabilities in its platform that may impact customers. Wiz contractually commits to these SLAs in its customer agreements, and undergoes third-party and internal audits to ensure that its security operations programs are adhering to these processes and timelines. As noted earlier, Wiz also provides customers with a Shared Responsibility Model that defines Wiz and customer-owned obligations for vulnerability management, depending on the product deployment options and features in use.

Wiz maintains a Trust Center portal for its customers that provides self-service access to policies, procedures, security notifications, and third-party assessment reports (such as security program audits, penetration tests, and related artifacts). Wiz additionally maintains an external bug bounty program that allows any researcher to responsibly disclose vulnerabilities, and defines the scope of sites and types of issues that are eligible and ineligible for bounty rewards. Finally, Wiz provides customers with details on patched vulnerabilities as a regular part of its release notes.
