Data Security with DataDirect: SOC2, VeraCode, Fuzz Testing & More

Data Security with DataDirect: SOC2, VeraCode, Fuzz Testing & More

March 09, 2018 0 Comments
Data Security with DataDirect SOC2, VeraCode, Fuzz Testing & More_870_450
Our recent webinar, Enterprise Security in Data Access, gives a detailed look at security options and implementations in the data access landscape. Security is of particular interest to those using hybrid environments where data and/or applications reside in a combination of cloud and on-premises locations.

Security in Data Connectivity

As the premier data connectivity vendor for enterprises, we often field questions on designing a plan for data security. Because thousands of corporations and software vendors use our DataDirect connectivity solutions, we also get many questions about how we design, implement and test security in our development environment.

For more on this topic, let’s meet Jim Silhavy. Jim manages ODBC and JDBC driver development at Progress and previously was a JDBC driver and ADO.NET provider developer. Jim holds two patents related to making single sign-on authenticated database connections from a database driver.  

Let’s discuss some frequently asked questions that Jim addressed on our recent webinar.

DataDirect Enterprise Security

Interview with Jim Silhavy

Jim, with the ongoing rash of data breaches and data security topics in the news, implementing a crucial piece of connectivity must scare both corporate clients and software vendors. How do you get customers and prospects comfortable with the security of DataDirect products?

Jim Silhavy: Security is a differentiator for us, and we want to keep it that way. Our Service Organization Control (SOC2) certification attests to that. First, it gives our customers confidence by providing a transparent view into our organization. Data access is obviously a critical function. If it’s not done right, problems will find their way into our customer’s world.  Second, it helps our customers meet their vendor due diligence expectations. Most customers are regulated by someone, they can’t just do business with a vendor without questions being asked about their security. Another differentiator is our experience. We’ve been testing connectors for over two decades. During that time, we’ve created a security-minded development culture with a history of testing breadth that’s really unparalleled. I’d encourage folks to watch the webinar for details on the specifics of our testing environments.

What are the components of a comprehensive enterprise data security implementation?

Jim Silhavy: Here’s a pictorial representation of the complexity of data access security. At the top, you have applications that you’re building and managing. At the bottom, you have the goal: accessing data. Along the way are all the elements of data access security. As you can see, there are a substantial number of distributed technologies required. You must identify that the client is who or what they claim to be, noted in green. You must determine what data and actions are accessible to the client, noted in blue. You must secure the data as it moves by means of encryption, noted in purple. And you must monitor and/or trace access and movement as it occurs, noted in orange. Identifying and coordinating the use of these technologies in a manner that’s safe from security threats is, of course, the challenge that we all face. 

Enterprise Security Landscape

Is DataDirect compliant with U.S. government security requirements for software?

Jim Silhavy: We recently introduced FIPS 140-2 compliance, and features to support FedRAMP compliance (for example, account lockout policies) to our Hybrid Data Pipeline product. In addition, we are SOC2 certified. Our SOC2 certification was obtained from an independent auditor and attests to both our technical and operational maturity. The certification was not easy to do. It can be painful, but we put ourselves through that to demonstrate that we have internal controls in place to meet industry best practices.

Are there specific tools or processes that you recommend for ongoing security checks?

Jim Silhavy: VeraCode is a widely used and respected industry tool for finding vulnerabilities that can lead to cybersecurity breaches or hacking attempts. Static code analysis tools like Prefast are used to find serious defects (like crashes) and germane to our conversation, exploitable security holes caused by memory management, pointer management, initialization and boundary violations. Fuzz testing is an automated testing software technique that involves providing invalid, unexpected or random data as inputs to a computer program. At DataDirect we implement all of these tools and more. For example, we’ve developed a tool for internal use that scans memory during testing to ensure that passwords provided to our drivers do not exist in memory in cleartext format.

What happens when security breaches do happen, such as the recent Heartbleed, POODLE and FREAK breaches in the news?

Jim Silhavy: To satisfy the stringent requirements of our customer base, we’ve crafted a proactive Security Vulnerability Response Policy. For example, high risks are patched within 30 days for all supported versions. It’s another way we can boost our customers’ confidence in the data solutions we provide.

Security Vulnerability Response Policy


Jim, thanks so much for your time. For more comprehensive details on Enterprise Data Security and on our security approach for DataDirect, watch the full webinar.

View Webinar

SusanLamatrice

Susan Lamatrice

Susan Lamatrice is a Technical Marketing Manager with 20 years’ experience in the Data Connectivity field. Susan has experience in Pre-Sales and Post-Sales technical support, as well as training and Sales Enablement. Her work is focused on making technical information consumable and engaging for both technical and non-technical audiences.

Comments
Comments are disabled in preview mode.
Topics
 
 
Latest Stories in
Your Inbox
Subscribe
More From Progress
d12fcc0bdb669b804e7f71198c9619a7
5 Questions Automakers Should Ask to Improve Asset Uptime
Download Whitepaper
 
SF_MQ_WCM
2018 Gartner Magic Quadrant Web Content Management (WCM)
Download Whitepaper
 
What-Serverless-Means-For-Enterprice-Apps-Kinvey
What Serverless Means for Enterprise Apps
Watch Webinar