Camunda Platform Security
Built-in security and data privacy with Camunda Platform
Committed to Information Security and Privacy
Camunda maintains a comprehensive information security program that includes technical and organizational measures designed to protect our customers’ cluster data against unauthorized access, modification or deletion.
Camunda’s security and privacy programs are led by a Chief Information Security Officer (CISO) and a data protection officer (DPO). In addition, we have teams focusing on information security (InfoSec), regulatory compliance, software vulnerabilities, and Camunda Platform security operations to keep your data private and secure.
Clear and Transparent Privacy Policy
Camunda respects the privacy rights of individuals. Our privacy statement clearly states how and when we collect personal data and how we use it. We’ve written our privacy statement in plain language to be transparent to our users and customers.
ISO 27001 Certified
Camunda Platform 8 is implemented on a modern, flexible, scalable, service-oriented architecture. Camunda has formally adopted an Information Security Program, which is certified against ISO 27001.
Strong Physical Security Controls
Camunda Platform 8 is hosted on the certified Google Cloud Platform. Camunda reviews the security certifications and practices of its infrastructure-as-a-service provider and sub-processors to ensure that there are appropriate physical security measures in place at all premises at which Camunda Platform 8 data is processed and stored.
Compliance With Principles of GDPR
Camunda has prepared for GDPR by carefully reviewing and documenting how it handles personal data, implementing technical and organizational measures to protect the personal data it does handle, and defining and implementing processes to respect the rights of data subjects, across all its products and services. Camunda is committed to operating in compliance with the principles of GDPR.
Protecting Your Account
At Camunda, we know that security is everyone’s responsibility. That’s why we bake security into the development of our products and into the foundation of Camunda Platform 8. The security and privacy of your Camunda Platform 8 data also relies on you keeping your clusters configured securely and maintaining the confidentiality of your Camunda Platform 8 login credentials.
Here’s a quick checklist:
- Don’t share your credentials with others
- Update your account profile to make sure information is correct and current
- Add operational contacts as appropriate
- Ensure that you’ve created secure passwords
If you need to make changes that are not offered in the Camunda Platform 8 Console, please create a Camunda Support case.
Report a Vulnerability
In order to report a vulnerability in the Camunda Products, please follow these steps:
- Create an account on the Camunda JIRA issue tracker
- Navigate to the issue creation screen
- Create a JIRA ticket in the Security (SEC) project of type Security Report. The issue will only be accessible by Camunda staff and you, the reporter.
- Please provide as many details as are known to you.
Once reported, Camunda staff will get back to you and treat your report according to our Security Issue Process.
Security Policy
As a core infrastructure component for our customers, the security of Camunda Products (also referred to as the ‘software’) takes top priority and is maintained continuously.
Information Security Standards
The security of the areas listed in the next section is ensured based on common industry best practices. Accordingly, the development of the software is guided by standards such as the OWASP Top 10, CVSS and others.
Organizational Aspects of Security
Roles and Responsibilities
Camunda’s organizational structure includes a role dedicated to security. This role is assigned to a senior employee who is responsible for the establishment, administration and maintenance of this policy.
Security in context of the Systems Development Life Cycle (“SDLC”)
Application and system development follows a defined methodology that includes a preliminary review of information security requirements to ensure the following minimum standards.
Segregation of duties
Segregation of duties is incorporated into the SDLC so that a single person is unable to introduce security vulnerabilities into the software. The team responsible for software development is separated from the team responsible for the regression testing and delivery of the software.
On-Going Software Development
A formal change management process is used when making changes to the software which includes the following minimum standards:
- Each code change by one software developer is reviewed and approved by a second software developer;
- Changes to the software must not be packaged into the final software artifacts (which are provided for download to the customers) by the same person who does the development; and
- A record of all changes to the software exists that identifies:
  - a brief description of each change that was made;
  - who made each change;
  - test cases for future automated regression testing of this change;
  - who reviewed each change; and
  - the date and time when each change was made.
Review Frequency
Reviews of any new major or minor release shall be conducted to revalidate the software prior to making it available for download to the Customer.
Third Party Dependencies
Third-party dependencies contained in the software are continuously monitored. When newer versions of these dependencies that include security-relevant improvements become available, a plan to incorporate the updated versions is created.
Onboarding of Employees
New software developers are introduced to our security policy and best practices during their onboarding process.
Security Issue Management
Reporting Security Issues and Vulnerabilities
Security vulnerabilities can be reported via the Camunda JIRA issue tracker. Find details in the Report a Vulnerability Guide. Reported vulnerabilities, associated documentation and the identity of reporters are treated confidentially throughout the entire process.
Vulnerabilities discovered by our enterprise customers are treated as bugs and the agreed SLAs apply.
Qualification
Once reported, Camunda proceeds to assess a vulnerability. This includes root cause analysis, as well as understanding the risk (how likely is the vulnerability to be exploited?) and impact (what can an attacker do when exploiting the vulnerability?) of the problem. This assessment is made in close collaboration with the reporter.
Remediation
Camunda creates a remediation plan to resolve security issues that are identified. Fixes are made available in the form of patch releases (enterprise customers only) and alpha/minor releases (community platform users).
Announcement
Once a fix release or a practicable workaround is available, Camunda informs its users on the Camunda Platform 7 Security Notices page or Camunda Platform 8 Security Notices page.
Security Acceptance and Maintenance
Acceptance
The software shall not be considered accepted until the security review has been completed and all security issues have been assigned to a remediation plan. The security review is part of the Regression Testing.
Automatic Regression Testing
For a release to be accepted, several automated regression tests must be passed. Testing the security relevant aspects of the software is part of this regression test.
Manual Regression Testing
For a release to be accepted, a manual regression test must be passed. Testing the security relevant aspects of the software is part of this manual regression test.
Penetration Testing
Camunda has contracted an independent, external security advisor to regularly conduct penetration tests of the software. The advisor operates according to industry best practices recommended by the OWASP organization such as the OWASP Testing Guide. The tools used for testing include Burp Suite and DefenseCode Thunderscan.
Results of penetration tests can be found here.
Any vulnerabilities detected are handled according to our process for security issue management.
Automatic Virus Scans
An automatic virus scan is part of our release process. Its catalogues are kept up to date, and it is used to scan the released distributions our users can download. In addition, automatic virus scans are performed on our core infrastructure components.