Security Commitments

As an organization dedicated to protecting and securing our customers’ applications, Synopsys Software Integrity Group (SIG) is equally committed to our customers’ data security and privacy. This statement is meant to provide SIG customers and prospects with the latest information about our systems, compliance certifications, processes, and other security-related activities.

Product security assessments

Synopsys regularly performs a variety of security assessments on both the application level as well as the environments that host our applications. These include:

  • Product-on-product (PoP) testing—each release of a product is scanned for security vulnerabilities using Synopsys SIG products, including Black Duck and Coverity.
  • In-depth internal security assessments—for major new features, we include a combination of penetration tests, code reviews, and architectural risk assessments.
  • Threat modeling—for major new releases, SIG creates and/or updates threat models that provide a baseline for other security testing activities.

Security for Software as a Service

Our SaaS offerings utilize industry-leading cloud service providers, including Amazon Web Services (AWS) and Google Cloud Platform (GCP), which are known for their security and protections.

In addition to the security provided by our cloud service providers (CSPs), SIG uses real-time monitoring tools for cloud configuration and container integrity, a web application firewall, and other security controls.

Access management

  • Only the customer has access to its own data. If SIG employees need access to customer data for troubleshooting or support purposes, customer permission is required to grant access.
  • Multi-factor authentication (MFA) capability is provided to customers for accessing SIG applications.

Encryption

All customer data is encrypted in transit and at rest. Beyond mass storage encryption, sensitive data is also secured using application-layer encryption.

All persistent data is encrypted at rest in the CSPs using AES 256-bit encryption or better.

Availability, backup, and disaster recovery

  • High availability is achieved using the native cloud orchestration capabilities of AWS and GCP.
  • Customer data is backed up daily with a 7-day retention policy.
  • If individual containers or VMs fail within a CSP availability zone, they recover automatically due to the cloud-native architecture. If there is an outage of a complete CSP availability zone or region, a process creates a new instance in a different availability zone or region. This process is manual and takes 15-30 minutes, excluding the time to load the new customer database with a copy of the backup.
  • In general, across all types of disaster situations, including failures beyond core infrastructure, SIG’s recovery time objective (RTO) is one (1) business day and the recovery point objective (RPO) is 24 hours.

Compliance

AICPA SOC

SOC 2 Type 1

Covering security, availability, and confidentiality