Progress DataDirect Security Profile
Transparency & Product Security Reports
Along with our corporate security measures, Progress DataDirect emphasizes transparency, proactivity, and responsiveness in our security policies and practices. To increase transparency, we have a comprehensive statement-of-quality report available for any product build that you plan to adopt. This report provides confidence to direct end users, and information that will accelerate the release process for ISVs. More specifically these reports include:
- A complete list of external or third-party dependencies (including transitive dependencies) used in the product, along with the license type (ie MIT, Apache, etc) and all known vulnerabilities found in the given version of the component utilized. The report also includes comments from our impact analysis of these CWEs.
- The results of static code scanning of the product code. These include found flaws, mitigated flaws, and any detailed mitigation comments which explain why certain flaws do not affect our products.
SAMM Compliance & Secure Development Lifecycle
Progress DataDirect utilizes industry standards like OWASP SAMM (Software Assurance Maturity Model) to regularly audit and emphasize a secure development lifecycle. These compliance audits make sure that our internal security practices stay robust and trustworthy.
While many aspects of the secure development lifecycle are internal, we are ultimately focused on our principles of providing transparency, trust, and secure products to our customers. Below are just a subset of examples of how we achieve this:
- A single software composition analysis (SCA) scan prior to the release of software is no longer sufficient. We have weekly SCA scans in place against our currently shipping products for early and automated detection of vulnerabilities in 3rd party components used in our products.
- The software supply chain has been a popular area for attacks. Our product security reports as well as the ability for ISVs to easily check the authenticity and integrity of our software packages with Digital signatures go a long way in securing the supply chain.
- We follow the best security guidelines by scanning our product codes with market standard tools like Veracode, SonarLint and SonarQube.
Progress DataDirect is SOC2 Compliant
Progress DataDirect SOC2 Certification.
SOC 2 is a voluntary compliance standard for service organizations, developed by the American Institute of CPAs (AICPA), which specifies how organizations should manage customer data. The standard is based
on the following Trust Services Criteria: security, availability, processing integrity, confidentiality, privacy.
Progress DataDirect is ISO 20243 Certified
Progress DataDirect ISO 20243 Certification.
ISO/IEC 20243-1:2018 (O-TTPS) is a set of guidelines, requirements, and recommendations that address specific threats to the integrity of hardware and software COTS ICT products throughout the product
life cycle.
Security Vulnerability Response Policy
Upon identification of any security vulnerability, Progress DataDirect will exercise commercially reasonable efforts to address the vulnerability in accordance with the following policy:
| Priority* | Time Guideline | Version(s) |
|---|---|---|
| High Risk (CVSS 8+ or industry equivalent) | 30 days | Active (i.e. latest shipping version) and all Supported versions |
| Medium Risk (CVSS 5-to-8 or industry equivalent) | 180 days | Active (i.e. latest shipping version) |
| Low Risk (CVSS 0-to-5 or industry equivalent) | Next major release or best effort | Active (i.e. latest shipping version) |
* Priority is established based on the current version of the Common Vulnerability Scoring System (CVSS), an open industry standard for assessing the severity of computer system security vulnerabilities. For additional information on this scoring system, refer to https://en.wikipedia.org/wiki/CVSS.