
Progress DataDirect Security Profile

Transparency & Product Security Reports

Along with our corporate security measures, Progress DataDirect emphasizes transparency, proactivity, and responsiveness in our security policies and practices. To increase transparency, we have a comprehensive statement-of-quality report available for any product build that you plan to adopt. This report provides confidence to direct end users, and information that will accelerate the release process for ISVs. More specifically, these reports include:

  • A complete list of external or third-party dependencies (including transitive dependencies) used in the product, along with the license type (e.g. MIT, Apache) and all known vulnerabilities found in the given version of the component used. The report also includes comments from our impact analysis of these CWEs.
  • The results of static code scanning of the product code. These include found flaws, mitigated flaws, and detailed mitigation comments explaining why certain flaws do not affect our products.

SAMM Compliance & Secure Development Lifecycle

Progress DataDirect uses industry standards like OWASP SAMM (Software Assurance Maturity Model) to regularly audit and reinforce a secure development lifecycle. These compliance audits make sure that our internal security practices stay robust and trustworthy.

While many aspects of the secure development lifecycle are internal, we are ultimately focused on our principles of providing transparency, trust, and secure products to our customers. Below is a subset of examples of how we achieve this:

  • A single software composition analysis (SCA) scan prior to the release of software is no longer sufficient. We run weekly SCA scans against our currently shipping products for early and automated detection of vulnerabilities in the third-party components used in our products.
  • The software supply chain has been a popular area for attacks. Our product security reports, as well as the ability for ISVs to easily check the authenticity and integrity of our software packages using digital signatures, go a long way in securing the supply chain.
  • We follow best security guidelines by scanning our product code with market-standard tools like Veracode, SonarLint and SonarQube.

Progress DataDirect is SOC 2 Compliant

Progress DataDirect SOC 2 Certification.
SOC 2 is a voluntary compliance standard for service organizations, developed by the American Institute of CPAs (AICPA), which specifies how organizations should manage customer data. The standard is based on the following Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy.

Progress DataDirect is ISO 20243 Certified

Progress DataDirect ISO 20243 Certification.
ISO/IEC 20243-1:2018 (O-TTPS, the Open Trusted Technology Provider Standard) is a set of guidelines, requirements, and recommendations that address specific threats to the integrity of hardware and software COTS ICT products throughout the product life cycle.

DataDirect Security Guidelines

The Progress DataDirect Security Guidelines outline the general principles under which Progress manages the reporting, handling, discussion, and disclosure of security vulnerabilities discovered in DataDirect software and related components. Please refer to the DataDirect Security Guidelines page on progress.com for more details.