Anthology has a robust security program that is designed to not only prevent security issues from appearing, but also to root them out. Anthology performs internal security testing at the code-level (static analysis) and application-level (dynamic analysis) for selected products in support of our compliance objectives. Furthermore, to regularly get fresh eyes on our applications, Anthology obtains security penetration testing from third-party security vendors. Any identified issues are risk-assessed and prioritized for repair.
Anthology's security program is a growing and maturing practice. We are committed to continuous improvement and to pushing the bar on security features and robustness in Anthology products.
Built with security in mind
Anthology is committed to providing our clients with secure applications. Anthology develops our products according to a set of security engineering guidelines derived from many organizations such as the Open Web Application Security Project (OWASP), including specific countermeasures for OWASP Top Ten vulnerabilities. Anthology incorporates these security practices in all phases of the software development lifecycle (SDLC).
Anthology follows best practice guidance from many organizations to help strengthen the security of our products and programs. A few organizations are noted here:
- National Institute of Standards and Technology (NIST)
- SANS Institute
- Open Web Application Security Project (OWASP)
- Center for Internet Security (CIS)
Secure coding and the OWASP Top Ten vulnerabilities
Anthology products are developed according to a set of development guidelines that are derived from OWASP, including specific countermeasures for OWASP Top Ten vulnerabilities.
Vulnerability Management Commitment and Disclosure Policy
Anthology's vulnerability management program is governed by this public-facing Vulnerability Management Commitment and Disclosure Policy. No software is perfect - in the event a security vulnerability is identified in a released product, Anthology's Security Team is ready to respond.
Anthology is committed to resolving security vulnerabilities carefully in accordance with the risk of the vulnerability. Such resolutions may lead to the release of a Security Advisory and/or any needed product update for our clients. In order to protect our clients and their data, we request that vulnerabilities be responsibly and confidentially reported to us so that we may investigate and respond.
Anthology's products are complex. They run on diverse hardware and software configurations and are connected to many third-party applications. All software modifications, big or small, require thorough analysis, as well as development and implementation across multiple product lines and versions. The software must also undergo localization, accessibility, and testing appropriate to its scope, complexity, and severity. Given the critical importance of our products to our clients, Anthology must ensure that they run correctly not only in our testing facilities, but also in customer environments. Accordingly, Anthology cannot commit to product updates on specific timelines, but we are committed to working expeditiously.
Malicious parties often exploit software vulnerabilities by reverse engineering published security advisories and product updates. It is important for clients to update software promptly and use our severity rating system as a guide to appropriately schedule upgrades.
Testing for security vulnerabilities
Clients should conduct all vulnerability testing against non-production instances of our products to minimize the risk to data and services.
How to report a vulnerability
Confidentially share details of the potential vulnerability by filling out a vulnerability submission form.
Provide details of the potential vulnerability so that we may validate and reproduce the issue quickly. Without this information, it may be difficult if not impossible to address the potential vulnerability. Reports listing numerous potential vulnerabilities without detail will not be addressed without further clarification. Details should include:
- Type of vulnerability;
- Whether the information has been published or shared with other parties;
- Affected products and versions;
- Affected configurations; and
- Step-by-step instructions or proof-of-concept code to reproduce the issue.
Anthology security commitment
To all vulnerability reporters who follow this Policy, Anthology will do the following:
- Acknowledge receipt of your report;
- Investigate in a timely manner, confirming where possible the potential vulnerability;
- Provide a plan and timeframe for addressing the vulnerability if appropriate; and
- Notify the vulnerability reporter when the vulnerability has been resolved.