Product Security at Vizrt

Vizrt takes security very seriously and aims to provide our customers and the industry at large with secure products, solutions, and services to keep customer data and systems safe. At Vizrt, our product development mindset is to continuously innovate, investigate all received vulnerability reports, and implement the best course of action to protect our customers. Vizrt believes that working with skilled security researchers can identify weaknesses in any technology.

We have long been committed to the ongoing effort to continuously improve our processes and products to minimize product vulnerabilities and cyber threat exposures. Making our product development secure and robust against cyber threats requires an unwavering commitment to product security risk assessment and adherence to industry-recognized, security-based product development practices.

Vizrt product security processes are built on a strong foundation of industry standards, governance, and procedures that are aligned with global standards such as Motion Picture Association (MPA) content security best practice guidelines.

The Motion Picture Association (hereinafter referred to as MPA) has been in existence for more than 30 years. Originally named the Motion Picture Association of America, Inc. (hereinafter referred to as MPAA), the association changed its name in September 2019 to The Motion Picture Association, Inc. (MPA). MPA has established a set of best practice standards for securely storing, processing, and delivering protected media and content. MPA best practices include Content Security Best Practices-Common Guidelines and Content Security Best Practices-Application and Cloud Distributed Environment Security Guidelines, which describe best practice control guidelines and implementation steps, considering relevant ISO standards, security standards, and industry best practices. The Application and Cloud Distributed Environment Security Guidelines consist of 2 modules, 6 security topics and 69 controls. Their reference standards include ISO 27001, ISO 27002, OWASP, CSA, PCI DSS, NIST 800-54 and SANS.

Governance, education, and training

  • Dedicated Product Security Office oversight (Corporate and business level)
  • Alignment to standards such as ISO 2700x and CSA, OWASP SAMM, OWASP Top 10 and NIST Framework
  • Segregation of duties
  • Least-privilege access
  • Security certification and training for all employees
  • Specific training and certification for security architects and development engineers
  • Security champions embedded throughout the organization

Design and development

  • Industry-accepted practices for security development lifecycle processes for all product development
  • Threat modeling and security risk assessment
  • Automated and manual code analysis and review
  • Third-party open-source code automated vulnerability assessment

Incident management

Vizrt addresses product security as an integral part of our quality process. An established incident management and communication plan helps steer responsiveness during and after a cyber incident. Assigned responsibilities and established procedures ensure an adequate response to suspected security events and incidents. Each suspected security event is assessed against a set of criteria to determine whether it qualifies as a security incident. When security incidents occur, immediate and appropriate mitigation measures are taken.

Potential product security vulnerabilities are identified and remediated. Lessons-learned activities are conducted periodically, and additionally after major incidents, to improve product security measures in general and incident handling.

Coordinated Vulnerability Disclosure

Vizrt Product Security is committed to ensuring the safety and security of the products we develop and provide to our esteemed customers. Vizrt welcomes the invaluable contributions offered by security researchers and by our customers. The Coordinated Vizrt Product Security Vulnerability Disclosure (CVD) policy is designed to ensure a responsible and streamlined process for reporting and handling product security vulnerabilities.

Disclaimer

This information is provided by Vizrt Product Security for informational purposes only. It is driven by a risk-based approach towards product development practices at Vizrt. These are subject to change without notice.

Customers are responsible for making their own independent assessment of Vizrt products or services and the use thereof. This information is provided “as is” without warranty of any kind, whether express or implied. This information does not create any warranties, representations, contractual commitments, conditions, or assurances from Vizrt, vendors, or partners. The responsibilities and liabilities of Vizrt and its customers are defined in the agreements between Vizrt and its customers. This information is not part of, nor does it modify, any agreement between Vizrt and its customers.