Secure development controls
Overview of secure development controls
This is an overview of all security controls that are included in the Dynatrace SDL (Security Development Lifecycle). The following sections provide more detail about these controls and practices, which are enforced by Dynatrace across all business-critical product components.
For more information about how Dynatrace secures customer data in production, see Data security controls.
Security-critical application components require a threat model in the design phase . This threat model is created by product and security architects .
Evaluation of external services and libraries
Security audits are performed on all external third-party vendors and services before they're put to use by the security teams. All third-party libraries are evaluated for quality, performance, licensing, and vulnerabilities and require approval before being used.
Every code change is approved by a peer developer. Changes made to security-critical areas of the product have to be additionally approved by security personnel.
Changes made to the main code line require a pull request that passes through numerous automated tests, including a selected set of static code-analysis security tests .
Static code analysis
Static code analysis and static application security testing (SAST) is performed daily. Rules and plugins are actively maintained by the Dynatrace code quality team that's comprised of software engineers and security experts.
Plugins include pre-defined and self-developed detection rules for security vulnerabilities and bugs.
Third-party library scans
Third-party libraries are centrally managed with a software composition analysis tool (SCA). Daily scans are performed, security vulnerabilities and license risks are detected, and remediation tickets are created.
Automated security tests
Individual development teams implement automated security tests in the form of unit tests, integration tests, or UI tests that are executed automatically as part of the CI/CD pipeline.
Installer packages are automatically signed in the build pipeline using code signing certificates. Windows installers are signed with EV (extended validation) code-signing certificates.
Also, signature verification is performed automatically during installation and updates.
Dynatrace has a dedicated team of certified penetration testers who regularly test new and existing features using state-of-the-art penetration-testing tools.
Intrusion detection and incident response
All critical systems are monitored by Dynatrace and intrusion-detection systems. Critical events trigger an incident response process .
Weekly web-application vulnerability scans are performed as dynamic application security tests (DAST).
All public-facing and critical internal systems are scanned weekly using vulnerability-scanning tools.
Cloud security scans
All critical cloud accounts are regularly checked for security misconfigurations and non-compliant settings.
External penetration testing
Annually, an extensive penetration test of all Dynatrace SaaS and Dynatrace Managed product components is performed by an independent security firm. Additional external penetration tests are scheduled on demand, the results of which are shared with our customers under an NDA.
Bug bounty program
Dynatrace runs a private bug bounty program on HackerOne.
Vulnerability tracking and KPIs
All security issues and vulnerabilities are tracked in a central ticketing system, which is also used for all other work-related tasks by other teams. All vulnerabilities are categorized and rated using CVSS by the security teams. Remediation timelines for each vulnerability severity are defined and continuously monitored.
Central security dashboards and quarterly reports are made available to all teams. For identified hotspots, improvements are planned and implemented.
Security training and on-boarding programs
All Dynatrace employees are expected to attend and successfully complete annual security awareness programs, which cover our corporate and product security policies.
For new employees, the annual security awareness program, as well as additional product security training, are part of the on-boarding program.