From 7d0608c31011afcf948f836343d3aee51fd2ec51 Mon Sep 17 00:00:00 2001 From: Nadezhda Tacheva Date: Fri, 25 Oct 2024 18:49:24 +0300 Subject: [PATCH 01/19] docs(common): add security docs --- _config.yml | 9 +++-- security/faq.md | 71 ++++++++++++++++++++++++++++++++++ security/overview.md | 90 ++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 167 insertions(+), 3 deletions(-) create mode 100644 security/faq.md create mode 100644 security/overview.md diff --git a/_config.yml b/_config.yml index 555525f5dd..55687f6cfa 100644 --- a/_config.yml +++ b/_config.yml @@ -42,19 +42,22 @@ navigation: "accessibility": title: "Accessibility" position: 17 + "security": + title: "Security" + position: 18 "*deployment": title: "Deployment" - position: 18 + position: 19 "upgrade": title: "Upgrade" - position: 19 + position: 21 "upgrade/breaking-changes": title: "Breaking Changes" "upgrade/rendering-changes": title: "Rendering Changes" "how-to": title: "How To" - position: 20 + position: 23 "getting-started/vs-integration": title: "Visual Studio Integration" position: 25 diff --git a/security/faq.md b/security/faq.md new file mode 100644 index 0000000000..7146004129 --- /dev/null +++ b/security/faq.md 
@@ -0,0 +1,71 @@ +--- +title: FAQ +page_title: FAQ +description: "Find answers to common questions about securing Telerik UI for Blazor components, including how to report vulnerabilities, handle third-party dependencies, and receive security fixes." +slug: security-faq +tags: telerik, blazor, security +published: True +position: 3 +--- + +# Frequently Asked Questions (FAQ) + +In this article, you will find essential information and resources to help you secure Telerik UI for Blazor components. Whether you need to report vulnerabilities, manage third-party dependencies, or understand how security fixes are delivered, this FAQ provides clear guidance on our security processes. Explore best practices and learn how Progress ensures the highest level of security for its products, from vulnerability reporting to compliance with industry standards. + +## How can I submit a security vulnerability report? + +If you have identified a potential security vulnerability in a Telerik or Kendo UI product, you can report it through the following channels: + +- **For Progress Customers**: Submit a security report by opening a support ticket through the [Technical Support Center](https://www.telerik.com/account/support-center). Provide detailed information, including the steps to reproduce the issue and any relevant reports or screenshots. + +- **For Security Researchers**: Ethical hackers and security researchers can report vulnerabilities through our [Bugcrowd Vulnerability Disclosure Program](https://bugcrowd.com/engagements/whatsupgold-vdp). This platform ensures that security issues are addressed efficiently and transparently. + +We will review the report and follow up in line with our security processes, making every effort to resolve confirmed vulnerabilities in a timely manner. + +--- + +## What if clients are using a third-party scanning tool and want our assessment? 
+ +Clients can open a support ticket through the [Technical Support Center](https://www.telerik.com/account/support-center) for the respective product and submit detailed information, including scan reports (PDF/Word/Excel/Screenshot) triggered against a no-minified version of the scripts and steps to reproduce or evidence of the issue. Our team will review and respond accordingly. We treat Security Vulnerability reports with **highest priority** and we engage with our internal Security Champions for revisions. + +> Tip: We recommend running the scan against the latest product version, as the problem may have already been resolved. + +--- + +## What is Progress's policy on handling third-party dependencies? + +Progress uses leading commercial tools to automatically monitor and update third-party dependencies in our Telerik and Kendo GitHub projects. Alerts are set up for all GitHub-hosted products, and any identified vulnerable dependencies are addressed by the repository owners and our dedicated security team. + +Note: Our definition of "done" includes successful builds that are scanned using top security scanning tools, and the resolution of any security alerts. + +--- + +## Is security integrated into the CI pipeline? + +Yes, for example, our CI builds are integrated with some of the leading security scanning tools to ensure that new code commits do not introduce vulnerabilities or insecure code. + +--- + +## How does Progress prioritize security reports? + +We prioritize security vulnerability reports with the highest urgency. When we receive an inquiry or vulnerability report, we begin by analyzing the issue to determine whether it's a false positive or a valid concern. If the report is confirmed as valid, we assess its severity using the CVSS (Common Vulnerability Scoring System) and promptly release a patch based on the severity level. + +--- + +## How are security fixes shipped? + +Security fixes are typically included in the next product release. 
Similar to the bugfixes policy, we maintain and commit to support the latest version of the product. That said, if you want to benefit from a security fix, you would need to upgrade to the version where the fix exists. + +--- + +## How are customers notified about security fixes? + +Once a vulnerability is fixed, we aim to release a patched version of the product. Depending on the severity of the issue, we may notify customers through CVE publications, email, blog posts, KB articles, or Release Notes for the specific product. + +--- + +## Does Progress/Telerik have any security certifications or accreditations, such as SOC 2 or other industry-recognized standards? + +Yes, Progress and DevTools products perform annual SOC 2 compliance, which validates our commitment to security, confidentiality, and privacy. You can find more information about our compliance on the [Progress Trust Center](https://www.progress.com/trust-center). Additionally, we align our security practices with industry-leading frameworks to maintain and continually improve our high security standards. + + \ No newline at end of file diff --git a/security/overview.md b/security/overview.md new file mode 100644 index 0000000000..44d4418648 --- /dev/null +++ b/security/overview.md 
@@ -0,0 +1,90 @@ +--- +title: Overview +page_title: Overview +description: "Learn how to secure Telerik UI for Blazor components and your Web Forms app with best practices, vulnerability reporting, and component-specific security guidelines." +slug: security-overview +tags: telerik, blazor, security, xss, owasp, csp +published: True +position: 1 +--- + +# Security + +In today's world, security is more critical than ever. At Progress, we prioritize our customers' security, ensuring that our products are built with a strong foundation to safeguard their data and operations. We are committed to identifying and addressing potential vulnerabilities to provide our clients with the highest level of protection and confidence in our products. + +## Purpose of this Article + +This article covers common security-related questions, best practices, and the tools and processes we use to ensure the security of our products. It also outlines how customers and security researchers can report security issues, including our processes to mitigate risks. We provide guidance for submitting security reports through technical support or Bugcrowd, ensuring a clear pathway for identifying and addressing security concerns. + +## Reporting Security Vulnerabilities + +Whether you're a customer encountering an issue or a security researcher, we have processes to ensure a swift response and evaluation. Below are the steps for Progress customers and security researchers to report potential security vulnerabilities: + +### For Progress Customers + +At Progress, we work diligently to identify and fix security vulnerabilities in our products. Customers who believe they have identified a security issue should contact Technical Support for an evaluation. This allows us to document the issue and have our engineering teams confirm and address it as needed. 
Customers can submit reports through our support center: +- [Technical Support](https://www.telerik.com/account/support-center) +- [Contact Us](https://www.telerik.com/account/support-center/contact-us/technical-support) + +### For Security Researchers + +We value the contributions of security researchers and ethical hackers. If a researcher identifies a potential vulnerability, they can submit it via our [Bugcrowd](https://bugcrowd.com/engagements/devtools-vdp) platform. We aim to meet the following response times: + +| Type of Response | SLO (in business days) | +|------------------|------------------------| +| First Response | 7 days | +| Time to Triage | 10 days | +| Time to Resolution| Depends on severity | + +For more information, visit: +- [Bugcrowd Vulnerability Disclosure Program](https://bugcrowd.com/engagements/devtools-vdp) +- [Progress Trust Center](https://www.progress.com/trust-center) +- [Vulnerability Reporting Policy](https://www.progress.com/trust-center/vulnerability-reporting-policy) + + +## What We Do to Mitigate Risk + +Our dedicated security team, comprised of experienced developers and security experts—our "Security Champions"—reviews all web, desktop, and mobile products technologies for potential vulnerabilities. These vulnerabilities may be internally identified, reported by third-party tools, or flagged externally. + +We actively manage the following strategies to mitigate risks: + +### Prevention + +Our primary goal is to prevent security issues before product delivery. We use the following prevention techniques: + +- **Internal Logging**: Every potential security issue is logged, researched, tested, and verified. Issues deemed valid are assessed using a CVSS score, with critical issues prioritized. +- **Third-Party Static Analysis Testing**: We utilize some of the leading security scanning tools in the market to scan for vulnerabilities in our software code. 
Regular scans are conducted, and results are reviewed to address vulnerabilities and mitigate false positives. + + +## Third-Party Dependencies Handling + +We leverage leading commercial tools to automatically monitor and update third-party dependencies in our Telerik and Kendo GitHub projects, ensuring they remain secure and up-to-date. Alerts are enabled for all GitHub-hosted products, and the identified vulnerable dependencies are addressed by the repository code owners and security champions. + +>Note: Our definition of "Done" includes successful builds that are scanned using top security scanning tools, and the resolution of any security alerts. + + +## Content Security Compliance + +Content Security Policy (CSP) is a critical security measure that helps detect and mitigate the risks of content injection vulnerabilities, such as cross-site scripting (XSS) and data injection attacks. Telerik UI for Blazor components are designed to be CSP-compliant, ensuring secure integration into customer projects. + +For more detailed information on CSP compliance for Telerik UI for Blazor, refer to the following article: +- [Telerik UI for Blazor - Content Security Policy]({%slug troubleshooting-csp%}) + +This resource provides guidelines on how to configure your Blazor application to comply with CSP requirements when using the Telerik UI for Blazor components. + +## OWASP Top 10 Alignment + +We closely monitor the [OWASP Top 10](https://owasp.org/www-project-top-ten/) list of security risks and align our security practices with these industry-leading standards. Regular updates ensure that our products address evolving security threats and vulnerabilities. + +## Telerik UI for Blazor Component-Specific Security Guidelines + +Telerik UI for Blazor provides a variety of security-related articles for individual components. These resources outline best practices and recommendations for securing each component and mitigating potential risks. 
Below is a list of available security articles for specific components: + +* [Upload - Security Guidelines]({%slug upload-overview%}#security) + + + +These resources provide specific guidelines for configuring the components securely and mitigating the risks associated with their usage. + +For more detailed answers to common security-related questions, please refer to our [Security FAQ page]({%slug security-faq%}). + \ No newline at end of file From 4ff05fbf9d15b38dfaa2fc11a8b1e88372140c3a Mon Sep 17 00:00:00 2001 From: Nadezhda Tacheva Date: Tue, 29 Oct 2024 17:37:04 +0200 Subject: [PATCH 02/19] chore(common): security docs polishing --- _contentTemplates/editor/general.md | 2 +- components/editor/overview.md | 5 ++++- security/faq.md | 2 +- security/overview.md | 7 ++----- 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/_contentTemplates/editor/general.md b/_contentTemplates/editor/general.md index f81f5d7a03..c464d4da0e 100644 --- a/_contentTemplates/editor/general.md +++ b/_contentTemplates/editor/general.md @@ -1,6 +1,6 @@ #app-must-sanitize-content -The application must sanitize the content before passing it to the editor and, optionally, before saving it to its storage after obtaining it from the editor. It is up to the application to ensure there is no malicious content (such as input sanitization, XSS attack prevention and other security concerns). +The application must sanitize the content before passing it to the Editor and, optionally, before saving it to its storage after obtaining it from the Editor. It is up to the application to ensure there is no malicious content (such as input sanitization, XSS attack prevention and other security concerns). #end diff --git a/components/editor/overview.md b/components/editor/overview.md index 5f6fc80284..bcaefedf90 100644 --- a/components/editor/overview.md +++ b/components/editor/overview.md 
@@ -56,7 +56,10 @@ The Blazor HTML Editor interacts with its content (value) like all standard comp Be aware that [the Editor and the browser treat empty paragraphs differently]({%slug editor-kb-missing-br-tags-in-value%}). ->important @[template](/_contentTemplates/editor/general.md#app-must-sanitize-content) +## Security + +@[template](/_contentTemplates/editor/general.md#app-must-sanitize-content) + ## Validation diff --git a/security/faq.md b/security/faq.md index 7146004129..48c100d594 100644 --- a/security/faq.md +++ b/security/faq.md @@ -28,7 +28,7 @@ We will review the report and follow up in line with our security processes, mak Clients can open a support ticket through the [Technical Support Center](https://www.telerik.com/account/support-center) for the respective product and submit detailed information, including scan reports (PDF/Word/Excel/Screenshot) triggered against a no-minified version of the scripts and steps to reproduce or evidence of the issue. Our team will review and respond accordingly. We treat Security Vulnerability reports with **highest priority** and we engage with our internal Security Champions for revisions. -> Tip: We recommend running the scan against the latest product version, as the problem may have already been resolved. +>tip We recommend running the scan against the latest product version, as the problem may have already been resolved. --- diff --git a/security/overview.md b/security/overview.md index 44d4418648..36a625371e 100644 --- a/security/overview.md +++ b/security/overview.md 
@@ -78,13 +78,10 @@ We closely monitor the [OWASP Top 10](https://owasp.org/www-project-top-ten/) li ## Telerik UI for Blazor Component-Specific Security Guidelines -Telerik UI for Blazor provides a variety of security-related articles for individual components. These resources outline best practices and recommendations for securing each component and mitigating potential risks. Below is a list of available security articles for specific components: +The following resources outline best practices and recommendations for securing the corresponding component and mitigating potential risks: +* [Editor - Security Guidelines]({%slug editor-overview%}#security) * [Upload - Security Guidelines]({%slug upload-overview%}#security) - - -These resources provide specific guidelines for configuring the components securely and mitigating the risks associated with their usage. - For more detailed answers to common security-related questions, please refer to our [Security FAQ page]({%slug security-faq%}). \ No newline at end of file From 9d02eaa2adbe091ec917bc74878ee35fa645a91f Mon Sep 17 00:00:00 2001 From: Nadezhda Tacheva <73842592+ntacheva@users.noreply.github.com> Date: Wed, 30 Oct 2024 14:26:43 +0200 Subject: [PATCH 03/19] Update security/faq.md Co-authored-by: Dimo Dimov <961014+dimodi@users.noreply.github.com> --- security/faq.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security/faq.md b/security/faq.md index 48c100d594..c01d835a03 100644 --- a/security/faq.md +++ b/security/faq.md 
@@ -10,7 +10,7 @@ position: 3 # Frequently Asked Questions (FAQ) -In this article, you will find essential information and resources to help you secure Telerik UI for Blazor components. Whether you need to report vulnerabilities, manage third-party dependencies, or understand how security fixes are delivered, this FAQ provides clear guidance on our security processes. Explore best practices and learn how Progress ensures the highest level of security for its products, from vulnerability reporting to compliance with industry standards. +This article provides essential information and resources to help you secure Telerik UI for Blazor components. This FAQ provides guidance on the Progress security processes, no matter if you need to report vulnerabilities, manage third-party dependencies, or understand how security fixes are delivered. Explore best practices and learn how Progress ensures the highest level of security for its products, from vulnerability reporting to compliance with industry standards. ## How can I submit a security vulnerability report? From f177f9b03c7cb6024f6b2f28a41c6f5acb16f662 Mon Sep 17 00:00:00 2001 From: Nadezhda Tacheva <73842592+ntacheva@users.noreply.github.com> Date: Wed, 30 Oct 2024 14:26:52 +0200 Subject: [PATCH 04/19] Update security/faq.md Co-authored-by: Dimo Dimov <961014+dimodi@users.noreply.github.com> --- security/faq.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security/faq.md b/security/faq.md index c01d835a03..9d7bbedbbf 100644 --- a/security/faq.md +++ b/security/faq.md 
@@ -32,7 +32,7 @@ Clients can open a support ticket through the [Technical Support Center](https:/ --- -## What is Progress's policy on handling third-party dependencies? +## What is Progress' policy on handling third-party dependencies? Progress uses leading commercial tools to automatically monitor and update third-party dependencies in our Telerik and Kendo GitHub projects. Alerts are set up for all GitHub-hosted products, and any identified vulnerable dependencies are addressed by the repository owners and our dedicated security team. From fc273c5c080efb8a19a573c6000028f5c63b9c5f Mon Sep 17 00:00:00 2001 From: Nadezhda Tacheva <73842592+ntacheva@users.noreply.github.com> Date: Wed, 30 Oct 2024 14:27:03 +0200 Subject: [PATCH 05/19] Update security/faq.md Co-authored-by: Dimo Dimov <961014+dimodi@users.noreply.github.com> --- security/faq.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security/faq.md b/security/faq.md index 9d7bbedbbf..6c2cf5230f 100644 --- a/security/faq.md +++ b/security/faq.md @@ -36,7 +36,7 @@ Clients can open a support ticket through the [Technical Support Center](https:/ Progress uses leading commercial tools to automatically monitor and update third-party dependencies in our Telerik and Kendo GitHub projects. Alerts are set up for all GitHub-hosted products, and any identified vulnerable dependencies are addressed by the repository owners and our dedicated security team. -Note: Our definition of "done" includes successful builds that are scanned using top security scanning tools, and the resolution of any security alerts. +Our definition of "done" includes successful builds that are scanned using top security scanning tools, and the resolution of any security alerts. --- From d21aae3b1471a8dfff442367b1f5c6120d1fd2b2 Mon Sep 17 00:00:00 2001 
From: Nadezhda Tacheva <73842592+ntacheva@users.noreply.github.com> Date: Wed, 30 Oct 2024 14:27:39 +0200 Subject: [PATCH 06/19] Update security/faq.md Co-authored-by: Dimo Dimov <961014+dimodi@users.noreply.github.com> --- security/faq.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security/faq.md b/security/faq.md index 6c2cf5230f..50b1c9f1d5 100644 --- a/security/faq.md +++ b/security/faq.md @@ -42,7 +42,7 @@ Our definition of "done" includes successful builds that are scanned using top s ## Is security integrated into the CI pipeline? -Yes, for example, our CI builds are integrated with some of the leading security scanning tools to ensure that new code commits do not introduce vulnerabilities or insecure code. +Yes, for example, our CI builds use some of the leading security scanning tools to ensure that new code commits do not introduce vulnerabilities or insecure code. --- From 2284a2b8eef02c05ac0f288c516d6befc474a366 Mon Sep 17 00:00:00 2001 From: Nadezhda Tacheva <73842592+ntacheva@users.noreply.github.com> Date: Wed, 30 Oct 2024 14:27:55 +0200 Subject: [PATCH 07/19] Update security/faq.md Co-authored-by: Dimo Dimov <961014+dimodi@users.noreply.github.com> --- security/faq.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security/faq.md b/security/faq.md index 50b1c9f1d5..07553109f4 100644 --- a/security/faq.md +++ b/security/faq.md 
@@ -48,7 +48,7 @@ Yes, for example, our CI builds use some of the leading security scanning tools ## How does Progress prioritize security reports? -We prioritize security vulnerability reports with the highest urgency. When we receive an inquiry or vulnerability report, we begin by analyzing the issue to determine whether it's a false positive or a valid concern. If the report is confirmed as valid, we assess its severity using the CVSS (Common Vulnerability Scoring System) and promptly release a patch based on the severity level. +We prioritize security vulnerability reports with the highest urgency. When we receive an inquiry or vulnerability report, we analyze the issue to determine whether it's a false positive or a valid concern. If the report is confirmed as valid, we assess its severity using the CVSS (Common Vulnerability Scoring System) and release a patch based on the severity level. --- From 18a3860604ac9cd2386cda076d38cba095092a74 Mon Sep 17 00:00:00 2001 From: Nadezhda Tacheva <73842592+ntacheva@users.noreply.github.com> Date: Wed, 30 Oct 2024 14:28:09 +0200 Subject: [PATCH 08/19] Update security/overview.md Co-authored-by: Dimo Dimov <961014+dimodi@users.noreply.github.com> --- security/overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security/overview.md b/security/overview.md index 36a625371e..6a5c0585e1 100644 --- a/security/overview.md +++ b/security/overview.md @@ -1,7 +1,7 @@ --- title: Overview page_title: Overview -description: "Learn how to secure Telerik UI for Blazor components and your Web Forms app with best practices, vulnerability reporting, and component-specific security guidelines." +description: Learn how to secure Telerik UI for Blazor components and your Web Forms app with best practices, vulnerability reporting, and component-specific security guidelines. slug: security-overview tags: telerik, blazor, security, xss, owasp, csp published: True 
From 88504552cb3e7672dd47963dc628afdabc2e4297 Mon Sep 17 00:00:00 2001 From: Nadezhda Tacheva <73842592+ntacheva@users.noreply.github.com> Date: Wed, 30 Oct 2024 14:28:15 +0200 Subject: [PATCH 09/19] Update security/faq.md Co-authored-by: Dimo Dimov <961014+dimodi@users.noreply.github.com> --- security/faq.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security/faq.md b/security/faq.md index 07553109f4..92a1e812cb 100644 --- a/security/faq.md +++ b/security/faq.md @@ -1,7 +1,7 @@ --- title: FAQ page_title: FAQ -description: "Find answers to common questions about securing Telerik UI for Blazor components, including how to report vulnerabilities, handle third-party dependencies, and receive security fixes." +description: Find answers to common questions about securing Telerik UI for Blazor components, including how to report vulnerabilities, handle third-party dependencies, and receive security fixes. slug: security-faq tags: telerik, blazor, security published: True From 2cc8a9e1e26b60ec2e24d5f657dc1996a2154ca7 Mon Sep 17 00:00:00 2001 From: Nadezhda Tacheva <73842592+ntacheva@users.noreply.github.com> Date: Wed, 30 Oct 2024 14:28:21 +0200 Subject: [PATCH 10/19] Update security/overview.md Co-authored-by: Dimo Dimov <961014+dimodi@users.noreply.github.com> --- security/overview.md | 1 + 1 file changed, 1 insertion(+) diff --git a/security/overview.md b/security/overview.md index 6a5c0585e1..3c64e67223 100644 --- a/security/overview.md +++ b/security/overview.md 
@@ -23,6 +23,7 @@ Whether you're a customer encountering an issue or a security researcher, we hav ### For Progress Customers At Progress, we work diligently to identify and fix security vulnerabilities in our products. Customers who believe they have identified a security issue should contact Technical Support for an evaluation. This allows us to document the issue and have our engineering teams confirm and address it as needed. Customers can submit reports through our support center: + - [Technical Support](https://www.telerik.com/account/support-center) - [Contact Us](https://www.telerik.com/account/support-center/contact-us/technical-support) From 6e258d753061503391737e691dd4c36db89e4dcb Mon Sep 17 00:00:00 2001 From: Nadezhda Tacheva <73842592+ntacheva@users.noreply.github.com> Date: Wed, 30 Oct 2024 14:28:26 +0200 Subject: [PATCH 11/19] Update security/overview.md Co-authored-by: Dimo Dimov <961014+dimodi@users.noreply.github.com> --- security/overview.md | 1 + 1 file changed, 1 insertion(+) diff --git a/security/overview.md b/security/overview.md index 3c64e67223..4d7ba6fbf5 100644 --- a/security/overview.md +++ b/security/overview.md @@ -38,6 +38,7 @@ We value the contributions of security researchers and ethical hackers. If a res | Time to Resolution| Depends on severity | For more information, visit: + - [Bugcrowd Vulnerability Disclosure Program](https://bugcrowd.com/engagements/devtools-vdp) - [Progress Trust Center](https://www.progress.com/trust-center) - [Vulnerability Reporting Policy](https://www.progress.com/trust-center/vulnerability-reporting-policy) From 2d4115673fd37704385b2556402bb92e519cd8e5 Mon Sep 17 00:00:00 2001 From: Nadezhda Tacheva <73842592+ntacheva@users.noreply.github.com> Date: Wed, 30 Oct 2024 14:28:51 +0200 Subject: [PATCH 12/19] Update security/overview.md Co-authored-by: Dimo Dimov <961014+dimodi@users.noreply.github.com> --- security/overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/security/overview.md b/security/overview.md index 4d7ba6fbf5..5654d389b3 100644 --- a/security/overview.md +++ b/security/overview.md @@ -46,7 +46,7 @@ For more information, visit: ## What We Do to Mitigate Risk -Our dedicated security team, comprised of experienced developers and security experts—our "Security Champions"—reviews all web, desktop, and mobile products technologies for potential vulnerabilities. These vulnerabilities may be internally identified, reported by third-party tools, or flagged externally. +Our dedicated security team is comprised of experienced developers and security experts—our "Security Champions". They review all web, desktop, and mobile products technologies for potential vulnerabilities. These vulnerabilities may be internally identified, reported by third-party tools, or flagged externally. We actively manage the following strategies to mitigate risks: From 569de09537456b795f8b3fd243d42720fa8948c4 Mon Sep 17 00:00:00 2001 From: Nadezhda Tacheva <73842592+ntacheva@users.noreply.github.com> Date: Wed, 30 Oct 2024 14:29:02 +0200 Subject: [PATCH 13/19] Update security/overview.md Co-authored-by: Dimo Dimov <961014+dimodi@users.noreply.github.com> --- security/overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security/overview.md b/security/overview.md index 5654d389b3..266767ea64 100644 --- a/security/overview.md +++ b/security/overview.md 
@@ -58,7 +58,7 @@ Our primary goal is to prevent security issues before product delivery. We use t - **Third-Party Static Analysis Testing**: We utilize some of the leading security scanning tools in the market to scan for vulnerabilities in our software code. Regular scans are conducted, and results are reviewed to address vulnerabilities and mitigate false positives. -## Third-Party Dependencies Handling +## Third-Party Dependency Handling We leverage leading commercial tools to automatically monitor and update third-party dependencies in our Telerik and Kendo GitHub projects, ensuring they remain secure and up-to-date. Alerts are enabled for all GitHub-hosted products, and the identified vulnerable dependencies are addressed by the repository code owners and security champions. From a6b277efeb7e70c91dddc81ca1a8bb85be4bf857 Mon Sep 17 00:00:00 2001 From: Nadezhda Tacheva <73842592+ntacheva@users.noreply.github.com> Date: Wed, 30 Oct 2024 14:29:17 +0200 Subject: [PATCH 14/19] Update security/overview.md Co-authored-by: Dimo Dimov <961014+dimodi@users.noreply.github.com> --- security/overview.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/security/overview.md b/security/overview.md index 266767ea64..214de58e46 100644 --- a/security/overview.md +++ b/security/overview.md 
@@ -69,8 +69,7 @@ We leverage leading commercial tools to automatically monitor and update third-p Content Security Policy (CSP) is a critical security measure that helps detect and mitigate the risks of content injection vulnerabilities, such as cross-site scripting (XSS) and data injection attacks. Telerik UI for Blazor components are designed to be CSP-compliant, ensuring secure integration into customer projects. -For more detailed information on CSP compliance for Telerik UI for Blazor, refer to the following article: -- [Telerik UI for Blazor - Content Security Policy]({%slug troubleshooting-csp%}) +For more detailed information on CSP compliance, refer to the [Telerik UI for Blazor Content Security Policy]({%slug troubleshooting-csp%}) article. This resource provides guidelines on how to configure your Blazor application to comply with CSP requirements when using the Telerik UI for Blazor components. From 88a4385e56907b010303da53b135480e113a3491 Mon Sep 17 00:00:00 2001 From: Nadezhda Tacheva <73842592+ntacheva@users.noreply.github.com> Date: Thu, 31 Oct 2024 13:50:07 +0200 Subject: [PATCH 15/19] Update security/faq.md --- security/faq.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security/faq.md b/security/faq.md index 92a1e812cb..b990faa0e1 100644 --- a/security/faq.md +++ b/security/faq.md 
@@ -64,7 +64,7 @@ Once a vulnerability is fixed, we aim to release a patched version of the produc --- -## Does Progress/Telerik have any security certifications or accreditations, such as SOC 2 or other industry-recognized standards? +## Does Progress and Telerik DevTools have any security certifications or accreditations, such as SOC 2 or other industry-recognized standards? Yes, Progress and DevTools products perform annual SOC 2 compliance, which validates our commitment to security, confidentiality, and privacy. You can find more information about our compliance on the [Progress Trust Center](https://www.progress.com/trust-center). Additionally, we align our security practices with industry-leading frameworks to maintain and continually improve our high security standards. From 5a87f91293740072ccb5b6ca97fadd9b4b56c9b1 Mon Sep 17 00:00:00 2001 From: Nadezhda Tacheva <73842592+ntacheva@users.noreply.github.com> Date: Thu, 31 Oct 2024 13:54:23 +0200 Subject: [PATCH 16/19] Update security/faq.md --- security/faq.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security/faq.md b/security/faq.md index b990faa0e1..69fa889f21 100644 --- a/security/faq.md +++ b/security/faq.md 
@@ -26,7 +26,7 @@ We will review the report and follow up in line with our security processes, mak ## What if clients are using a third-party scanning tool and want our assessment? -Clients can open a support ticket through the [Technical Support Center](https://www.telerik.com/account/support-center) for the respective product and submit detailed information, including scan reports (PDF/Word/Excel/Screenshot) triggered against a no-minified version of the scripts and steps to reproduce or evidence of the issue. Our team will review and respond accordingly. We treat Security Vulnerability reports with **highest priority** and we engage with our internal Security Champions for revisions. +As a client, you can open a support ticket through the [Technical Support Center](https://www.telerik.com/account/support-center) for the respective product and submit detailed information, including scan reports (PDF/Word/Excel/Screenshot) triggered against a no-minified version of the scripts and steps to reproduce or evidence of the issue. Our team will review and respond accordingly. We treat Security Vulnerability reports with **highest priority** and we engage with our internal Security Champions for revisions. >tip We recommend running the scan against the latest product version, as the problem may have already been resolved. From 1b86c0ea92ad826bbb6726ae4d21d08a5319937d Mon Sep 17 00:00:00 2001 From: Nadezhda Tacheva <73842592+ntacheva@users.noreply.github.com> Date: Thu, 31 Oct 2024 13:55:32 +0200 Subject: [PATCH 17/19] Update security/faq.md --- security/faq.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security/faq.md b/security/faq.md index 69fa889f21..bff3cd96c6 100644 --- a/security/faq.md +++ b/security/faq.md 
@@ -24,7 +24,7 @@ We will review the report and follow up in line with our security processes, mak --- -## What if clients are using a third-party scanning tool and want our assessment? +## What if I am using a third-party scanning tool and want Progress' assessment? As a client, you can open a support ticket through the [Technical Support Center](https://www.telerik.com/account/support-center) for the respective product and submit detailed information, including scan reports (PDF/Word/Excel/Screenshot) triggered against a no-minified version of the scripts and steps to reproduce or evidence of the issue. Our team will review and respond accordingly. We treat Security Vulnerability reports with **highest priority** and we engage with our internal Security Champions for revisions. From c8bcf965633fde905d51b3be70f810f28443923e Mon Sep 17 00:00:00 2001 From: Nadezhda Tacheva <73842592+ntacheva@users.noreply.github.com> Date: Thu, 31 Oct 2024 14:17:59 +0200 Subject: [PATCH 18/19] Update security/faq.md --- security/faq.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security/faq.md b/security/faq.md index bff3cd96c6..79665c256f 100644 --- a/security/faq.md +++ b/security/faq.md @@ -58,7 +58,7 @@ Security fixes are typically included in the next product release. Similar to th --- -## How are customers notified about security fixes? +## How am I notified about security fixes? Once a vulnerability is fixed, we aim to release a patched version of the product. Depending on the severity of the issue, we may notify customers through CVE publications, email, blog posts, KB articles, or Release Notes for the specific product. From 9c40ce30a928227f72118ab10ec3c0de88d19bb7 Mon Sep 17 00:00:00 2001 From: Nadezhda Tacheva <73842592+ntacheva@users.noreply.github.com> Date: Thu, 31 Oct 2024 14:18:42 +0200 Subject: [PATCH 19/19] Update security/faq.md --- security/faq.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/security/faq.md b/security/faq.md index 79665c256f..67e4ac9243 100644 --- a/security/faq.md +++ b/security/faq.md @@ -64,7 +64,7 @@ Once a vulnerability is fixed, we aim to release a patched version of the produc --- -## Does Progress and Telerik DevTools have any security certifications or accreditations, such as SOC 2 or other industry-recognized standards? +## Does Progress Telerik have any security certifications or accreditations, such as SOC 2 or other industry-recognized standards? Yes, Progress and DevTools products perform annual SOC 2 compliance, which validates our commitment to security, confidentiality, and privacy. You can find more information about our compliance on the [Progress Trust Center](https://www.progress.com/trust-center). Additionally, we align our security practices with industry-leading frameworks to maintain and continually improve our high security standards.
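Review bot: In the PATCH 14 hunk (`@@ -69,8 +69,7 @@`, the CSP paragraph), the unchanged context line "Telerik UI for Blazor components are designed to be CSP-compliant, ensuring secure integration into customer projects" overstates what CSP compliance gives you; a CSP-compatible component only means the library does not force the application to relax its policy, it does not by itself ensure a secure integration. Suggest softening to "which lets you use them in applications that enforce a strict Content Security Policy". Also confirm that the `{%slug troubleshooting-csp%}` slug in the new `+For more detailed information on CSP compliance, refer to the ...` line resolves in the docs build, since a broken slug here leaves the reader with no path to the actual configuration guidance the sentence promises.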
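Review bot: The PATCH 15 heading `+## Does Progress and Telerik DevTools have any security certifications ...` has a compound subject, so the verb should be "Do", not "Does" (the heading is rewritten again in PATCH 19, which sidesteps the issue, but the intermediate commit should still read correctly). In the same hunk, the context line "Progress and DevTools products perform annual SOC 2 compliance" is awkward: a company undergoes an audit or holds an attestation, it does not "perform compliance". Suggest "Progress and its DevTools products undergo an annual SOC 2 audit" and, if the report type is public, state whether it is a SOC 2 Type 1 or Type 2 attestation, which is the first thing a customer's security questionnaire will ask.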
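Review bot: The PATCH 16 `+As a client, you can open a support ticket ...` line carries over the typo "no-minified version of the scripts"; it should be "non-minified". While the line is being touched, "Security Vulnerability reports" does not need capitals, and "engage with our internal Security Champions for revisions" reads as if the champions edit the report; "for review" is the intended meaning.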
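Review bot: The PATCH 17 heading `+## What if I am using a third-party scanning tool and want Progress' assessment?` uses the bare-apostrophe possessive "Progress'"; most style guides, and the rest of this docs set, would write "Progress's" or avoid the possessive entirely, for example "... and want an assessment from Progress?". The switch to the first person is consistent with the PATCH 18 heading ("How am I notified ...") and with the body's "As a client, you can ...", so no further change is needed there.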
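Review bot: The PATCH 18 hunk (`@@ -58,7 +58,7 @@`) changes the heading to the first person, `+## How am I notified about security fixes?`, but the unchanged body line still says "we may notify customers through CVE publications, email, blog posts, KB articles, or Release Notes"; for consistency with the new heading, make that "we may notify you through ...". More importantly, "Depending on the severity of the issue, we may notify ..." leaves the reader unsure which channel is guaranteed; the answer should name the one channel (for example the product Release Notes) that always carries the fix so customers know what to subscribe to or monitor.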
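Review bot: The PATCH 19 heading `+## Does Progress Telerik have any security certifications ...` no longer matches the unchanged body line "Yes, Progress and DevTools products perform annual SOC 2 compliance"; the question now names "Progress Telerik" while the answer names "DevTools products", and a reader cannot tell whether the SOC 2 attestation covers the Telerik UI for Blazor product specifically. Align the two, for example "Yes, Progress Telerik products undergo an annual SOC 2 audit", and state the scope of the attestation explicitly.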