Camunda Platform Security

Built-in security and data privacy with Camunda Platform

Committed to Information Security and Privacy

Camunda maintains a comprehensive information security program that includes technical and organizational measures designed to protect our customers’ cluster data against unauthorized access, modification or deletion.

Camunda’s security and privacy programs are led by a Chief Information Security Officer (CISO) and a data protection officer (DPO). In addition, we have teams focusing on information security (InfoSec), regulatory compliance, software vulnerabilities, and Camunda Platform security operations to keep your data private and secure. 

Clear and Transparent Privacy Policy

Camunda respects the privacy rights of individuals. Our privacy statement clearly states how and when we collect personal data and how we use it. We’ve written our privacy statement in plain language to be transparent to our users and customers.

ISO 27001 Certified

Camunda Platform 8 is implemented on a modern, flexible, scalable, service-oriented architecture. Camunda has formally adopted an Information Security Program, which is certified on ISO 27001.

Strong Physical Security Controls

Camunda Platform 8 is hosted on the certified Google Cloud Platform. Camunda reviews the security certifications and practices of its infrastructure-as-a-service provider and sub-processors to ensure that there are appropriate physical security measures in place at all premises at which Camunda Platform 8 data is processed and stored.

Compliance With Principles of GDPR

Camunda has prepared for GDPR by carefully reviewing and documenting how it handles personal data, implementing technical and organizational measures to protect the personal data it does handle, and defining and implementing processes to respect the rights of data subjects, across all its products and services. Camunda is committed to operating in compliance with the principles of GDPR.

Protecting Your Account

At Camunda, we know that security is everyone’s responsibility. That’s why we bake security into the development of our products and into the foundation of Camunda Platform 8. The security and privacy of your Camunda Platform 8 data also relies on you keeping your clusters configured securely and maintaining the confidentiality of your Camunda Platform 8 login credentials.

Here’s a quick checklist:

  • Don’t share your credentials with others
  • Update your account profile to make sure information is correct and current
  • Add operational contacts as appropriate
  • Ensure that you’ve created secure passwords

If you need to make changes that are not offered in the Camunda Platform 8 Console, please create a Camunda Support case.

Report a Vulnerability

In order to report a vulnerability in the Camunda Products, please follow these steps:

  1. Create an account on the Camunda JIRA issue tracker
  2. Navigate to the issue creation screen
  3. Create a JIRA ticket in the Security (SEC) project of type Security Report. The issue will only be accessible by Camunda staff and you, the reporter.
  4. Please provide as many details as are known to you.

Once reported, Camunda staff will get back to you and treat your report according to our Security Issue Process.

Security Policy

As a core infrastructure component of our customers, the security of Camunda Products (also referred to as the ‘software’) takes top priority and is maintained constantly.

Information Security Standards

The security of the areas listed in the next section is ensured based on common industry best practices. Thus, the development of the software is influenced by standards such as the OWASP Top 10, CVSS and others.

Organizational Aspects of Security

Roles and Responsibilities

Camunda’s organizational structure includes a role dedicated to security. This role is assigned to a senior employee who is responsible for the establishment, administration and maintenance of this policy.

Security in context of the Systems Development Life Cycle (“SDLC”)

Application and System development follows a defined methodology that contains a preliminary review of information security requirements to ensure the following minimum standards.

Segregation of duties

Segregation of duties is incorporated into the SDLC so that a single person is unable to introduce security vulnerabilities into the software. The team responsible for software development is separated from the team responsible for the regression testing and delivery of the software.

On-Going Software Development

A formal change management process is used when making changes to the software which includes the following minimum standards:

  1. Each code change by one software developer is reviewed and approved by a second software developer;
  2. Changes to the software must not be packaged into the final software artifacts (which are provided for download to the customers) by the same person who does the development; and
  3. A record of all changes to the software exists that identifies:
    • a brief description of each change that was made;
    • who made each change;
    • test cases for future automated regression testing of this change;
    • who reviewed each change; and
    • the date and time when each change was made.

Review Frequency

Reviews of any new major or minor release shall be conducted to revalidate the software prior to making it available for download to the Customer.

Third Party Dependencies

Third party dependencies contained within the software are constantly being monitored. In case there are newer versions of these dependencies that include security relevant improvements, a plan to incorporate the updated versions is created.

Onboarding of Employees

New software developers are introduced to our security policy and best practices during their onboarding process.

Security Issue Management

Reporting Security Issues and Vulnerabilities

Security vulnerabilities can be reported via the Camunda JIRA issue tracker. Find details in the Report a Vulnerability Guide. Reported vulnerabilities, associated documentation and the identity of reporters are treated confidentially throughout the entire process.

Vulnerabilities discovered by our enterprise customers are treated as bugs and the agreed SLAs apply.

Qualification

Once reported, Camunda proceeds to assess a vulnerability. This includes root cause analysis, as well as understanding the risk (how likely is the vulnerability to be exploited?) and impact (what can an attacker do when exploiting the vulnerability?) of the problem. This assessment is made in close collaboration with the reporter.

Remediation

Camunda creates a remediation plan to resolve security issues that are identified. Fixes are made available in the form of patch releases (enterprise customers only) and alpha/minor releases (community platform users).

Announcement

Once a fix release or a practicable workaround is available, Camunda informs its users on the Camunda Platform 7 Security Notices page or Camunda Platform 8 Security Notices page.

Security Acceptance and Maintenance

Acceptance

The software shall not be considered accepted until the security review has been completed and all security issues have been assigned to a remediation plan. The security review is part of the Regression Testing.

Automatic Regression Testing

For a release to be accepted, several automated regression tests must be passed. Testing the security relevant aspects of the software is part of this regression test.

Manual Regression Testing

For a release to be accepted, a manual regression test must be passed. Testing the security relevant aspects of the software is part of this manual regression test.

Penetration Testing

Camunda has contracted an independent, external security advisor to regularly conduct penetration tests of the software. The advisor operates according to industry best practices recommended by the OWASP organization such as the OWASP Testing Guide. The tools used for testing include Burp Suite and DefenseCode Thunderscan.

Results of penetration tests can be found here.

Any vulnerabilities detected are handled according to our process for security issue management.

Automatic Virus Scans

An automatic virus scan is part of our release process. Its signature catalogues are kept up to date, and it is used to scan the released distributions our users can download. In addition, automatic virus scans are performed on our core infrastructure components.
