SERENA SOFTWARE Serena Service Manager Security 2014-09-08

Table of Contents

Who Should Read This Paper?
Overview
Security Aspects
Reference

Who Should Read This Paper?

This document describes security aspects of Serena Service Manager (SSM). The intended audience for this white paper includes:

Technical decision makers who are considering Serena Service Manager as their new IT Service Management application.

IT Analysts and IT Managers who are interested in understanding the security aspects of SSM.

Overview

Service Manager is a highly flexible IT service management (ITSM) offering that delivers highly available, secure, and scalable applications. Service Manager leverages the Serena Business Manager (SBM) platform to provide a secure, reliable, and highly adaptable ITSM solution. Service Manager is designed to automate the complete service delivery process, provide a simple yet powerful role-based experience to all service desk users, and deliver complete visibility into the status of issues across the service lifecycle through rich reports and dashboards. It also aids with ITIL compliance while providing a foundation that can be extended to streamline other core IT processes.

Security Aspects

This section describes aspects of security that are provided by the SBM platform, which powers Serena Service Manager. SBM provides confidentiality, integrity, and availability of customer data. SSM applications and data are secured from various types of threats via the security layers illustrated below:

OPERATIONAL SECURITY (ON-DEMAND ONLY)

The day-to-day operational security of SBM on-demand includes adherence to the following:

Policy

The operational security policy defines the responsibilities and authorization of the IT team that manages SBM in the cloud.

Change management process
The IT team has defined precise processes that control how changes to the network, hardware, and software are executed. The state of the hardware, operating system, and configurations is monitored, and all changes are logged and executed in a controlled way. The logs are evaluated and checked for potential misconfigurations.

Access control
Access to the network devices and hardware where SBM runs is very restricted. All login attempts are tracked for security purposes.

Patch management
All operating system and anti-virus software updates are applied on time via automated processes. The automation runs the update software with no human interaction, ensuring that updates arrive on time to reduce the risk from new threats and vulnerabilities.

NETWORK SECURITY

SBM is designed to ensure that all data traveling in the network is secured to prevent any leakage of sensitive information. This involves the use of strong network traffic encryption techniques such as Secure Sockets Layer (SSL), multi-layer security services, and state-of-the-art tools such as Intrusion Detection and Prevention Systems (IDPS) to detect malicious activity.

APPLICATION SECURITY

With each release, Serena performs extensive black-box and white-box testing to ensure there is no data leakage. The solutions are also checked against possible security vulnerabilities, using strong encryption techniques for data security and fine-grained authorization to control access to data. Serena uses the following methods and practices to ensure application and data security:

Confidentiality
Confidentiality ensures that a customer's data is only accessible by authorized entities.
SBM provides confidentiality via the following mechanisms:

Identity and Access Management
Designed to ensure that only authenticated entities are allowed to access the system.

Encryption
SBM encrypts critical data in the database.

SmartCard Authentication
Provides a secure and reliable authentication method that allows users who have a current Smart Card (containing valid certificates and identity information) to gain access to a Smart Card-enabled SBM system once the proper PIN is provided.

Identity and Access Management
The strongest security controls offer no protection against an attacker who gains unauthorized access to credentials or keys. Strong security not only requires running the system in a secure mode; it also requires policies that govern exactly who, what, when, how, and from what location users can access specific IT systems and data (in addition to related auditing requirements). SBM provides Single Sign-On (SSO) authentication out of the box, while interacting with components at run time and design time. It also provides a complete audit trail of all interactions and changes that are performed by either humans or applications during a session.

SBM-API Authentication

The SBM API provides Web services via the Simple Object Access Protocol (SOAP), which enables integrations with external systems. The protocol can be configured to run over SSL using customer credentials for authentication. Additionally, all interaction is controlled by the role of the authenticated user, which provides additional security such that unauthorized users cannot access restricted data in SBM.

SSL Authentication for Internet Traffic
For on-premise customers, all communication between SBM and end users or external systems can be protected with SSL. (SSL is enabled for on-demand customers automatically.)

Client Certificate Authentication
On-premise customers can also enable bi-directional (two-way) SSL authentication between the components in SBM. Client certificate authentication provides tighter security for your entire SBM installation because, once trust is established, each machine can reliably identify itself and provide assurance of its identity to the server.

Application Vulnerability Assessment
Internet applications are always vulnerable to attacks by various malicious users, abusive bots, and crawlers that can exploit weaknesses in the data security model to gain unauthorized access to important data. SBM is scanned for Web application security as part of the certification process upon each release, and it is thoroughly tested using the following assessments to validate the security of the enterprise data that is stored in the database:

Cross-site scripting (XSS)
Access control weaknesses
OS and SQL injection flaws
Cross-site request forgery (CSRF)
Cookie manipulation
Hidden field manipulation
Insecure storage
Insecure configuration

Serena understands that any vulnerability that is detected during these tests can be exploited to gain access to sensitive enterprise data and ultimately lead to financial loss.
Our development and quality assurance organizations endeavor to expose and resolve these types of potential vulnerabilities during each testing cycle. Serena takes security seriously. We strive to aggressively enhance SBM to safeguard against any new vulnerabilities that are discovered.

SECURITY IN THE ON-DEMAND (SAAS) ENVIRONMENT

The software industry has changed dramatically over the last few years. With the popularity of cloud-computing platforms, companies are looking for packaged business applications that are available on-demand. Companies are taking advantage of the Software-as-a-Service (SaaS) model to reduce the IT costs normally associated with traditional on-premise applications (such as managing hardware requests, patches, and IT services). The popularity of SaaS-based business applications increases the provider's responsibility to provide a cloud-based platform that offers outstanding service delivery and security.

For SSM on-demand, the security layers and techniques described above are implemented and managed by a team of trained, experienced, and certified security professionals.

Confidentiality is ensured for on-demand customers. The data for each customer is isolated: data from one customer is not visible to any other customer (or tenant in the multi-tenant environment).

SSL is enabled for end users by default for SSM on-demand. To improve performance, all internal communication is performed using HTTP, but it is protected by a firewall. The SSL certificates are procured from approved providers so that end-user browsers can fully trust the certificate's authenticity while accessing the application.
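The client certificate authentication (two-way SSL) and role-controlled API access described under Application Security above, shown end to end as a runnable Go example. This is an added illustration, not SBM code or Serena's own configuration: the in-memory CA, the client identities (integration-reader, integration-admin, not-provisioned) and the roleOf table that maps a certificate name to a role are constructed for the example; the paper does not describe how SBM itself maps certificates to roles. The server refuses any caller without a certificate chaining to the trusted CA during the TLS handshake, and the handler then authorizes with the identity the TLS layer already verified.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// roleOf is a constructed table from a client certificate's CommonName to an application role.
var roleOf = map[string]string{"integration-reader": "reader", "integration-admin": "admin"}

// issueCert generates a P-256 key and a certificate for cn: a self-signed CA when parent is nil, else signed by parent/parentKey.
func issueCert(serial int64, cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, IsCA: parent == nil, BasicConstraintsValid: true,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, // the usage the server verifies
	}
	if parent == nil { // self-signed root
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// apiHandler authorizes with the verified peer certificate: its CommonName selects the role, and only admins may write.
func apiHandler(w http.ResponseWriter, r *http.Request) {
	cn := r.TLS.PeerCertificates[0].Subject.CommonName // present: the server demands a client cert
	role, known := roleOf[cn]
	if !known || (r.Method != http.MethodGet && role != "admin") {
		http.Error(w, "forbidden", http.StatusForbidden)
		return
	}
	w.Write([]byte("ok: " + cn + " acting as " + role + "\n"))
}

// newServer starts an HTTPS test server that demands a client certificate chaining to ca (two-way TLS).
func newServer(ca *x509.Certificate) *httptest.Server {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(apiHandler))
	srv.TLS = &tls.Config{MinVersion: tls.VersionTLS12, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool}
	srv.StartTLS() // httptest supplies the server's own certificate
	return srv
}

// call sends one request, presenting cert when non-nil; 0 means the server refused the handshake.
func call(srv *httptest.Server, method string, cert *tls.Certificate) int {
	tr := srv.Client().Transport.(*http.Transport).Clone() // keeps trust in the test server cert
	if cert != nil {
		tr.TLSClientConfig.Certificates = []tls.Certificate{*cert}
	}
	req, _ := http.NewRequest(method, srv.URL+"/api", nil)
	resp, err := (&http.Client{Transport: tr}).Do(req)
	if err != nil {
		return 0 // no certificate or an untrusted one: rejected before any HTTP status exists
	}
	resp.Body.Close()
	return resp.StatusCode
}

// Run builds the constructed CA, issues a client certificate per identity and returns each caller's status.
func Run() (map[string]int, error) {
	ca, caKey, err := issueCert(1, "constructed-test-ca", nil, nil)
	if err != nil {
		return nil, err
	}
	srv := newServer(ca)
	defer srv.Close()
	out := map[string]int{"no-cert GET": call(srv, http.MethodGet, nil)}
	for i, c := range []struct{ cn, method string }{
		{"integration-reader", "GET"}, {"integration-reader", "POST"},
		{"integration-admin", "POST"}, {"not-provisioned", "GET"},
	} {
		crt, key, err := issueCert(int64(i+2), c.cn, ca, caKey)
		if err != nil {
			return nil, err
		}
		out[c.cn+" "+c.method] = call(srv, c.method, &tls.Certificate{Certificate: [][]byte{crt.Raw}, PrivateKey: key})
	}
	return out, nil
}
```

Run returns 0 for the caller with no certificate (the handshake itself is refused, so the request never reaches the application), 200 for the reader's GET, 403 for the reader's POST, 200 for the admin's POST, and 403 for a certificate that chains correctly but whose name has not been provisioned a role: possession of a valid certificate establishes identity, and the role check is a separate decision made by the application.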
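The Application Vulnerability Assessment list above names the classes SBM is scanned for. The Go handler below, added here as an illustration and not SBM's code, shows the server-side controls that close four of them: cross-site scripting by rendering through html/template (output escaping), cross-site request forgery by an origin check together with a SameSite cookie, cookie manipulation by an HMAC-signed HttpOnly/Secure session cookie, and hidden field manipulation by taking the price from the server's catalog rather than from the form. The host ssm.example, the catalog, the demo key and the replayed requests are all constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"html/template"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// key is a constructed demo secret; a deployment loads this from a secret store.
var key = []byte("constructed-demo-key-do-not-reuse")

// catalog is a constructed price table: the price always comes from here, never from a hidden field.
var catalog = map[string]int{"basic-support": 4900, "premium-support": 19900}

// html/template escapes every interpolated value, so markup in a user name is rendered as text (XSS).
var page = template.Must(template.New("r").Parse("<p>{{.User}} ordered {{.Item}} for {{.Cents}} cents</p>"))

// tag is the HMAC-SHA256 of v; the session cookie carries it so tampering is detected.
func tag(v string) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(v))
	return hex.EncodeToString(m.Sum(nil))
}

// setSession issues the session cookie: signed value, HttpOnly (no script access),
// Secure (sent over SSL only) and SameSite=Strict (withheld on cross-site requests).
func setSession(w http.ResponseWriter, user string) *http.Cookie {
	c := &http.Cookie{Name: "sid", Value: user + "." + tag(user), Path: "/",
		HttpOnly: true, Secure: true, SameSite: http.SameSiteStrictMode}
	http.SetCookie(w, c)
	return c
}

// sessionUser trusts the cookie only when its HMAC verifies (constant-time compare).
func sessionUser(r *http.Request) (string, bool) {
	c, err := r.Cookie("sid")
	if err != nil {
		return "", false
	}
	parts := strings.SplitN(c.Value, ".", 2)
	if len(parts) != 2 || !hmac.Equal([]byte(parts[1]), []byte(tag(parts[0]))) {
		return "", false
	}
	return parts[0], true
}

// sameOrigin is the CSRF check: a state-changing request must carry an Origin (or Referer) naming this host.
func sameOrigin(r *http.Request) bool {
	src := r.Header.Get("Origin")
	if src == "" {
		src = r.Header.Get("Referer")
	}
	u, err := url.Parse(src)
	return err == nil && u.Host == r.Host
}

// checkout is the hardened handler: valid session, POST from our own origin, item validated, price from the server, output escaped.
func checkout(w http.ResponseWriter, r *http.Request) {
	user, ok := sessionUser(r)
	if !ok {
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	if r.Method != http.MethodPost || !sameOrigin(r) {
		http.Error(w, "forbidden", http.StatusForbidden)
		return
	}
	item := r.FormValue("item")
	price, ok := catalog[item] // any submitted "price" field is simply ignored
	if !ok {
		http.Error(w, "unknown item", http.StatusBadRequest)
		return
	}
	page.Execute(w, map[string]interface{}{"User": user, "Item": item, "Cents": price})
}

// post replays one constructed browser request against checkout and returns "status body".
func post(form url.Values, cookie, origin string) string {
	req := httptest.NewRequest(http.MethodPost, "https://ssm.example/checkout", strings.NewReader(form.Encode()))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.Header.Set("Cookie", "sid="+cookie)
	req.Header.Set("Origin", origin)
	rec := httptest.NewRecorder()
	checkout(rec, req)
	return fmt.Sprintf("%d %s", rec.Code, rec.Body.String())
}

// Run replays the manipulations named in the assessment list against the handler.
func Run() map[string]string {
	me := "https://ssm.example"
	alice := setSession(httptest.NewRecorder(), "alice").Value
	form := url.Values{"item": {"premium-support"}, "price": {"1"}} // "price" plays the tampered hidden field
	return map[string]string{
		"no session":      post(form, "", me),
		"tampered cookie": post(form, "admin."+tag("alice"), me),
		"cross-site post": post(form, alice, "https://evil.example"),
		"forged price":    post(form, alice, me),
		"markup in name":  post(form, setSession(httptest.NewRecorder(), "<b>bob</b>").Value, me),
	}
}
```

Each entry in the map Run returns pairs the HTTP status with the body: the request without a session and the one whose cookie was rewritten to another user's name both get 401, the form posted from evil.example gets 403, the order that submitted a 1-cent hidden price is charged the catalog's 19900 cents, and the user name carrying markup appears in the page as escaped text. Insecure storage, injection and access control weaknesses from the same list are not covered by this block; they live in the data layer and authorization model rather than in the request handler.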

SSM on-demand also provides enterprise-level data protection. The data is regularly backed up to facilitate quick recovery in case of disaster. Full data backups are taken weekly; incremental backups are taken daily and transaction logs every four hours. The hosting provider has been certified by the PCI Council against DSS 1.2 for data protection.

Reference

ABOUT SERENA
Serena Software, Inc. provides Orchestrated IT solutions to the Global 2000. Serena's core purpose is to advance the business value of IT. Our 4,000 active enterprise customers, encompassing almost one million users worldwide, have made Serena the largest independent ALM vendor and the only one that orchestrates DevOps, the processes that bring together application development and operations. Headquartered in Silicon Valley, Serena serves enterprise customers from 29 offices in 14 countries. Serena is a portfolio company of HGGC.

CONTACT
Web site: http://www.serena.com/company/contact-us.html

Copyright 2014 Serena Software, Inc. All rights reserved. Serena, TeamTrack, ChangeMan, PVCS, StarTool, Collage, and Comparex are registered trademarks of Serena Software, Inc. Change Governance, Command Center, Dimensions, Mover and Composer are trademarks of Serena Software, Inc. All other product or company names are used for identification purposes only, and may be trademarks of their respective owners.