
Progress DataDirect Security Measures

Common Security Concerns

These days it is common to learn of a new security incident or malicious attack on a software company and of its impact on the company's customers. These incidents are expensive from a compliance perspective (for example under the EU's stringent GDPR), but also in terms of customer goodwill and brand reputation. An incident of this magnitude can severely damage public trust, and the damage can be felt for years. The risk is not only to the business: such a lapse may personally affect the CIO and CSO as well, casting a shadow over a career or professional reputation.

More often than not, organizations must worry not only about their own software but also about the security posture of third-party vendors, whose processes and policies may be unsatisfactory or opaque. When a CIO and CSO can trust the security practices and policies behind the vendor products their organization embeds in its own products and tools, they can focus on their core business. To earn that trust, a vendor's security policies and practices should be built on transparency, proactivity and responsiveness.

Progress DataDirect: Your Security Matters

Progress DataDirect emphasizes transparency, proactivity and responsiveness in its security policies and practices to ensure that:

  • Your organization's security team can easily understand the complete security profile of our products, including their external dependencies.
  • Product release practices incorporate testing and certification so that no product is released with a known serious vulnerability.
  • Service-level commitments exist to resolve any vulnerability found, within a time bound appropriate to its severity.

Transparency And Communication Is Key

  • For any product build you plan to adopt, your organization can review a comprehensive statement of quality. This report provides:
    • The external (third-party) dependencies used in the product, with their versions, any known security vulnerabilities and their severity, and the license of each component.
    • The transitive dependencies (third party to third party) embedded in our products, and any known security vulnerabilities in those transitive dependencies.
    • Where a weakness (CWE) is reported against an external or third-party component but does not affect our product, which of those findings do not apply.
    • The results of static code scanning of the product code, including flaws found, flaws mitigated, and detailed mitigation comments explaining why certain flaws do not affect our products.
  • Progress DataDirect follows a strict Security Release Policy of not releasing any product with well-known security vulnerabilities, as reported by multiple third-party tools. To achieve this, we regularly scan our product code with market-standard tools such as Veracode, and we keep coding practices secure by scanning code with SonarLint and SonarQube.
  • To maintain these standards, Progress DataDirect also undergoes external assessments and audits such as SAMM (Software Assurance Maturity Model) and SOC 2 (System and Organization Controls). These assessments confirm that our internal security practices remain robust and trustworthy.
  • Vulnerabilities will always be discovered over time in any software. To reduce customers' exposure to and the impact of these vulnerabilities, Progress DataDirect has a Third-Party Upgrade Policy that provides a time-bound commitment to address vulnerabilities, with a service-level objective (SLO) appropriate to the severity of exposure.

Security Vulnerability Response Policy

Upon identification of a security vulnerability, Progress DataDirect will exercise commercially reasonable efforts to address it in accordance with the following policy:

  Priority*                                   Time Guideline                      Version(s)
  -----------                                 --------------                      ----------
  High Risk                                   30 days                             Active (i.e. latest shipping version)
  (CVSS 8.0 and above, or industry                                                and all Supported versions
  equivalent)
  Medium Risk                                 180 days                            Active (i.e. latest shipping version)
  (CVSS 5.0 to below 8.0, or industry
  equivalent)
  Low Risk                                    Next major release or best effort   Active (i.e. latest shipping version)
  (CVSS below 5.0, or industry equivalent)

Note that only High Risk fixes are committed for all supported versions; Medium and Low Risk fixes are delivered in the latest shipping version, so customers running an older supported version obtain them by upgrading.

* Priority is established based on the current version of the Common Vulnerability Scoring System (CVSS), an open industry standard for assessing the severity of computer system security vulnerabilities. The bands above are Progress DataDirect's own priority tiers and do not coincide with the qualitative severity ratings defined by the CVSS v3.x specification (Critical 9.0-10.0, High 7.0-8.9, Medium 4.0-6.9, Low 0.1-3.9); a vulnerability rated Critical by CVSS falls into the High Risk tier here. For additional information on this scoring system, refer to https://en.wikipedia.org/wiki/CVSS.