Secure development controls
This page is an overview of all security controls that are included in the Dynatrace Security Development Lifecycle (SDL). The following sections provide more detail about these controls and practices, which are enforced by Dynatrace across all business-critical product components.
For more information about how Dynatrace secures customer data in production, see Data security controls.
Security-critical application components require a threat model in the design phase. This threat model is created by product and security architects.
Evaluation of external services and libraries
Security audits are performed on all external third-party vendors and services before they're put to use by the security teams. All third-party libraries are evaluated for quality, performance, licensing, and vulnerabilities and require approval before being used.
Every code change is approved by a peer developer. Changes made to security-critical areas of the product have to be additionally approved by security personnel.
Changes made to the main code line require a pull request that passes through numerous automated tests, including a selected set of static code-analysis security tests.
Static code analysis
Static code analysis and static application security testing (SAST) are performed daily. Rules and plugins are actively maintained by the Dynatrace code quality team comprised of software engineers and security experts.
Plugins include pre-defined and self-developed detection rules for security vulnerabilities and bugs.
Third-party library scans
Third-party libraries are centrally managed with a software composition analysis tool (SCA). Daily scans are performed, security vulnerabilities and license risks are detected, and remediation tickets are created.
Automated security tests
Individual development teams implement automated security tests in the form of unit tests, integration tests, or UI tests that are executed automatically as part of the CI/CD pipeline.
Installer packages are automatically signed in the build pipeline using code signing certificates. Windows installers are signed with extended validation (EV) code-signing certificates.
Also, signature verification is performed automatically during installation and updates.
Plugins and extensions built by Dynatrace are signed, and the signature is validated when they're activated on hosts. Any change to their contents invalidates the signature and prevents activation.
Dynatrace has a dedicated team of certified penetration testers who regularly test new and existing features using state-of-the-art penetration-testing tools.
Intrusion detection and incident response
All critical systems are monitored by Dynatrace and intrusion-detection systems. Critical events trigger an incident response process.
Weekly web-application vulnerability scans are performed as dynamic application security tests (DAST).
All public-facing and critical internal systems are scanned weekly using vulnerability-scanning tools.
Cloud security scans
All critical cloud accounts are regularly checked for security misconfigurations and non-compliant settings.
External penetration testing
Annually, an extensive penetration test of all Dynatrace product components is performed by an independent security firm. Additional external penetration tests are scheduled on demand, the results of which are shared with our customers under a non-disclosure agreement (NDA).
Bug bounty program
Dynatrace runs a private bug bounty program on HackerOne.
Vulnerability tracking and KPIs
All security issues and vulnerabilities are tracked in a central ticketing system, which is also used for all other work-related tasks by other teams. The security teams categorize and rate all vulnerabilities using the Common Vulnerability Scoring System (CVSS). Remediation timelines for each vulnerability severity are defined and continuously monitored.
Central security dashboards and quarterly reports are made available to all teams. For identified hotspots, improvements are planned and implemented.
Security training and onboarding programs
All Dynatrace employees are expected to attend and successfully complete annual security awareness programs, which cover our corporate and product security policies.
For new employees, the annual security awareness program and additional product security training are part of the onboarding program.