Secure development controls

Security teams

The core of Dynatrace security consists of three dedicated teams. Members of these three teams, together with dedicated members of the Product Management and Product Architecture teams, form the global security team.

The global security team is responsible for steering security efforts as well as security training and awareness programs for the entire Dynatrace organization.

Overview of secure development controls

This is an overview of all security controls included in the Dynatrace SDL (Security Development Lifecycle). The following sections describe these controls and practices in more detail; Dynatrace enforces them across all business-critical product components.

For more information about how Dynatrace secures customer data in production, see data security controls.

Threat modeling

Security-critical application components require a threat model in the design phase. This threat model is created by product and security architects.

Evaluation of external services and libraries

The security teams perform security audits on all external third-party vendors and services before they are put to use. All third-party libraries are evaluated for quality, performance, licensing, and vulnerabilities, and require approval before being used.

Code reviews

Every code change is approved by a peer developer. Changes made to security-critical areas of the product have to be additionally approved by security personnel.

Changes made to the main code line require a pull request that passes through numerous automated tests, including a selected set of static code-analysis security tests.

Static code analysis

Static code analysis and static application security testing (SAST) are performed daily. Rules and plugins are actively maintained by the Dynatrace code quality team, which is composed of software engineers and security experts.

The plugins include predefined and self-developed detection rules for security vulnerabilities and bugs.

Third-party library scans

Third-party libraries are centrally managed with a software composition analysis (SCA) tool. Daily scans detect security vulnerabilities and license risks, and remediation tickets are created for the findings.

Automated security tests

Individual development teams implement automated security tests in the form of unit tests, integration tests, or UI tests, which are executed automatically as part of the CI/CD pipeline.

Code signing

Installer packages are automatically signed in the build pipeline using code-signing certificates. Windows installers are signed with EV (extended validation) code-signing certificates.

Signature verification is also performed automatically during installation and updates.

Penetration tests

Dynatrace has a dedicated team of certified penetration testers who regularly test new and existing features using state-of-the-art penetration-testing tools.

Intrusion detection and incident response

All critical systems are monitored by Dynatrace itself and by intrusion-detection systems. Critical events trigger an incident response process.

Web-application scans

Weekly web-application vulnerability scans are performed as dynamic application security tests (DAST).

Vulnerability scans

All public-facing and critical internal systems are scanned weekly using vulnerability-scanning tools.

Cloud security scans

All critical cloud accounts are regularly checked for security misconfigurations and non-compliant settings.

External penetration testing

An extensive penetration test of all Dynatrace SaaS/Managed product components is performed annually by an independent security firm. Additional external penetration tests are scheduled on demand; their results are shared with customers under an NDA.

Bug bounty program

Dynatrace runs a private bug bounty program on HackerOne.

Vulnerability tracking and KPIs

All security issues and vulnerabilities are tracked in a central ticketing system, the same system that other teams use for all other work-related tasks. All vulnerabilities are categorized and rated by the security teams using CVSS. Remediation timelines are defined for each vulnerability severity and continuously monitored.

Central security dashboards and quarterly reports are made available to all teams. For identified hotspots, improvements are planned and implemented.

Security training and onboarding programs

All Dynatrace employees are expected to attend and successfully complete annual security awareness programs, which cover our corporate and product security policies.

For new employees, the annual security awareness program and additional product security training are part of the onboarding program.