ScienceLogic Security Overview for SL1
SL1 is specifically designed to provide a secure environment for monitoring your network. This document provides an overview of the security features of SL1 appliances.
SL1 addresses two major aspects of system and network security:
- SL1 appliances are lean, hardened, and configured for maximum security.
- SL1 integrates with and complements your existing network and system security (policies, software, and hardware) and adds powerful new features to help you monitor and maintain all the devices in your network.
The ScienceLogic Policy for Responding to Vulnerabilities
The following response times apply when ScienceLogic addresses vulnerabilities that might impact SL1, by severity:
- Critical: 24-48 hours after a fix is available
- Important: 1 business week
- Medium/Low: With next major release; usually quarterly
ScienceLogic uses automated penetration tests that are included in the Quality Assurance process for each release. ScienceLogic uses a variety of scanning tools, such as Nessus and Burp, to detect vulnerabilities in the user interface and platform. The tools specifically look for the OWASP Top Ten vulnerabilities, such as the various forms of XSS, SQL injection, and broken authentication and session management.
ScienceLogic validates the Top Ten Security Configurations using the most current version of Nessus. Items such as validating function-level access controls and updating modules with known vulnerabilities are currently checked both manually and in an automated fashion.
Bi-annually, ScienceLogic contracts with independent, third-party penetration testers. These third parties conduct bi-annual tests on current and upcoming SL1 releases with the intent of constantly increasing our security posture in response to the expanding set of known vulnerabilities identified by industry experts. Additional corporate and SaaS penetration testing is performed on an annual basis.
In addition, ScienceLogic customers often perform additional penetration tests tailored to their unique requirements. These customers report their findings back to ScienceLogic's security team for remediation.
ScienceLogic responds to the penetration tests performed by ScienceLogic and by ScienceLogic customers with the appropriate fixes and updates.
ScienceLogic customers may request an executive summary of ScienceLogic's penetration tests, but must have a fully executed Non-Disclosure Agreement (NDA), signed by both parties, to have access to this documentation.
Operating System Scan
The SL1 operating system is scanned daily to identify new vulnerabilities. Potential vulnerabilities are evaluated by the security team to determine the likelihood and impact of exploitation on SL1. If the security team identifies high or critical vulnerabilities, they are escalated to engineering for remediation within the defined time frame.
Limited Open Ports
Each SL1 appliance uses a strictly limited number of open ports, based on the needs of that SL1 appliance. By limiting the number of open ports, ScienceLogic avoids exposing services that would otherwise be listening on those ports to exploits.
Department of Defense Information Network Approved Products List (DODIN APL)
ScienceLogic is named on the US Department of Defense (DoD) Information Network Approved Products List, or DODIN APL (formerly known as the Unified Capability Approved Products List, or UC APL). ScienceLogic was the first and only end-to-end IT infrastructure monitoring company ever to conform to the DoD’s rigorous security and interoperability standards.
As part of the DODIN APL agreement, ScienceLogic complies with the request for timely patching of issues in order to maintain the operational availability, confidentiality, and integrity of customer systems. To accomplish this, ScienceLogic works with customers to address any critical security issues within 24 hours, and issues that are classified as important within one business week.
FIPS 140-2 Compliant Cryptography
Products that collect, store, transfer, share, and disseminate sensitive but unclassified (SBU) information must be certified for use in U.S. government departments and regulated industries (such as financial and health-care institutions).
Federal Information Processing Standards (FIPS) are the criteria and guidelines for information processing developed by NIST and approved by the Secretary of Commerce as requirements for the federal government for information assurance and interoperability.
SL1 uses FIPS 140-2 compliant cryptographic methods for data encryption, for communication between SL1 appliances, and for storing passwords.