Security Commitments

Black Duck has defined and published a set of information security policies which is:

• Based on ISO 27001, ISO 27002, NIST SP 800-53, and NIST CSF
• Approved by management
• Communicated to all employees and relevant external parties
• Reviewed annually by stakeholders

Black Duck regularly performs a variety of security assessments on both the application level as well as the environments that host our applications. These include:

• Product-on-product (PoP) testing—each release of a product is scanned for security vulnerabilities using Black Duck products, including Black Duck SCA and Coverity Static Analysis.
• In-depth internal security assessments—for major new features, we include a combination of penetration tests, code reviews, and architectural risk assessments.
• Threat modeling—for major new releases, Black Duck creates and/or updates threat models that provide a baseline for other security testing activities.

• Our SaaS offerings utilize industry leading cloud services providers including Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP), which are known for their security and protections.
• In addition to the security provided by our cloud service providers (CSP), Black Duck uses real-time monitoring tools for cloud configuration and container integrity, a web application firewall, and other security controls.

Please see our Privacy at Black Duck page here containing our Data Privacy and Protection Statement and our Website Privacy Policy.

• Black Duck has established policy, process, and procedure to ensure a quick, effective, and orderly response to information security incidents.
• The Information Security Incident Management Standard and Incident Response Plan are reviewed, tested, and updated (as appropriate) at a minimum, annually.
• Black Duck will notify customers consistent with the Data Privacy and Protection Statement referenced by our Privacy Policy.

• Black Duck has deployed IDS/IPS, WAFs, Firewalls, and related technologies to protect against external threats.
• Network environments are physically and logically segregated; customer data are logically segregated.
• Security alerts are monitored 24x7 by a dedicated security team with a 5-min SLA for initial triage of critical alerts.
• Vulnerability scans are performed daily.

• All customer data are encrypted in transit and at rest. Beyond mass storage encryption sensitive data is also secured using application layer encryption.
• All traffic is encrypted in transit by default via HTTPS/TLS (Transport Layer Security) 1.2 or better.
• All persistent data are encrypted at rest in the CSPs using AES 256-bit encryption or better.

• High availability is achieved using the native cloud orchestration capabilities of AWS and GCP.
• Customer data are backed up daily with a 7-day retention policy.
• If individual VM containers fail within a CSP availability zone, they will recover automatically due to the cloud-native architecture. If there is an outage for a complete CSP availability zone or region, there is a process that will create a new instance in a different availability zone or region. This process is manual and takes 15-30 minutes, excluding the time to load the new customer database with a copy of the backup.
• In general, across all types of disaster situations, including failures beyond core infrastructure, SIG’s recover time objective (RTO) is one (1) business day and the recovery point objective (RPO) is 24 hours.

• Only the customer has access to their own data. If SIG employees need access to customer data for troubleshooting or support purposes, customer permission is required to grant access.
• Multi-factor authentication (MFA) capability is provided to customers for accessing SIG applications.

User and system administrator activities are logged and:

• Routed to a centralized SIEM for monitoring, analysis, and alerting
• Protected from tampering
• Retained for at least one year

• Changes to the organization, business processes, cloud infrastructure, and systems affecting information security are performed per a defined change management policy, process, and procedure.
• All changes are logged via a ticketing system, and approvals are required and tracked. 
• The technical review includes a risk assessment and all other technical aspects of the change.