Anthology has a robust product security program that is aligned to NIST standards, is certified to the ISO 27001 standard for information security management systems, and maintains a data privacy information management system certified to ISO 27701. As a cloud service provider entrusted with the security of our clients’ data, we have incorporated the ISO 27017 and ISO 27018 controls into our compliance framework.
Anthology's security program implements a global approach to our operations through a secure controls framework, utilizing a comprehensive set of high standards that align with the evolving landscape of global and regional security standards. Several of Anthology’s products complete annual SOC 2 Type 2 examinations and/or hold additional regional certifications and authorizations. We actively maintain responses to the Higher Education Community Vendor Assessment Toolkit (HECVAT) for our clients, enabling transparency and trust in our data privacy practices. We are committed to continuous improvement and frequently engage in independent, third-party assessments of our practices to raise the bar on our compliance program and on the security features and robustness of Anthology products.
Built with security in mind
Anthology is committed to providing our clients with secure applications. Anthology develops our products according to a set of security engineering guidelines derived from many organizations such as the Open Web Application Security Project (OWASP), including specific countermeasures for OWASP Top Ten vulnerabilities. Anthology incorporates these security practices in all phases of the software development lifecycle (SDLC).
Anthology follows best practice guidance from many organizations to help strengthen the security of our products and programs, including:
- National Institute of Standards and Technology (NIST)
- SANS Institute
- Open Web Application Security Project (OWASP)
- Center for Internet Security (CIS)
Secure coding and the OWASP top 10 vulnerabilities
Anthology products are developed according to a set of development guidelines that are derived from OWASP, including specific countermeasures for OWASP Top Ten vulnerabilities.
Anthology performs internal security testing at the code-level (static analysis) and application-level (dynamic analysis) for selected products in support of our compliance objectives. Furthermore, in line with best practices, Anthology obtains security penetration testing from third-party security vendors.
Vulnerability Management Commitment and Disclosure Policy
Anthology's vulnerability management program is governed by this public-facing Vulnerability Management Commitment and Disclosure Policy. No software is perfect; in the event a security vulnerability is identified in a released product, Anthology's Security Team is ready to respond.
Anthology is committed to resolving security vulnerabilities carefully in accordance with the risk of the vulnerability. Such resolutions may lead to the release of a Security Advisory and/or any needed product update for our clients. In order to protect our clients and their data, we request that vulnerabilities be responsibly and confidentially reported to us so that we may investigate and respond.
Anthology’s products are complex. They run on diverse hardware and software configurations and are connected to many third-party applications. All software modifications—big or small—require thorough analysis, as well as development and implementation across multiple product lines and versions. The software must also undergo localization, accessibility, and testing appropriate to its scope, complexity, and severity. Given the critical importance of our products to our clients, Anthology must ensure that they run correctly not only in our testing facilities, but also in customer environments. Accordingly, Anthology cannot commit to product updates on specific timelines, but we are committed to working expeditiously.
Malicious parties often exploit software vulnerabilities by reverse engineering published security advisories and product updates. It is important for clients to update software promptly and use our severity rating system as a guide to appropriately schedule upgrades.
Testing for security vulnerabilities
Clients should conduct all vulnerability testing against non-production instances of our products to minimize the risk to data and services.
How to report a vulnerability
Share details of the potential vulnerability by filling out a vulnerability submission form. You may choose to submit anonymously or you may provide your contact information on the form. Choosing to remain anonymous will preclude you from receiving updates and/or follow-up inquiries regarding the submission.
Provide details of the potential vulnerability so that we may validate and reproduce the issue quickly. Without this information, it may be difficult if not impossible to address the potential vulnerability. Reports listing numerous potential vulnerabilities without detail will not be addressed without further clarification. Details should include:
- Type of vulnerability;
- Whether the information has been published or shared with other parties;
- Affected products and versions;
- Affected configurations; and
- Step-by-step instructions or proof-of-concept code to reproduce the issue.
Anthology security commitment
To all vulnerability reporters/researchers who follow this Policy and provide contact information, Anthology will do the following:
- Acknowledge receipt of your report;
- Investigate in a timely manner, confirming where possible the potential vulnerability;
- Provide a plan and timeframe for addressing the vulnerability if appropriate; and
- Notify the vulnerability reporter when the vulnerability has been resolved.