Skip to main content

Product Security (Secure Development)

As a software supplier to many of the world’s largest and most security-savvy organizations, Splunk has high standards and high expectations to meet when it comes to product security. To meet and exceed those standards, Splunk follows a rigorous, industry best practice approach to secure software development. Through a continuous process of security testing and review, and the addition of pro-security features and functionality, Splunk endeavors to provide software faster and safer whether to our Cloud or customer premises.

Security by Design

The best way to prevent security defects is by designing a product securely from the ground up. Splunk Product Security engages with development teams during the design and planning stages of the development lifecycle to make recommendations and push teams towards secure design patterns. Activities performed at these stages include:

  • Threat modeling
  • Identifying applicable security standards
  • Setting security requirements

Security Assurance

Once functional and security requirements are established, we perform a manual and automated validation activities designed to secure our products, including such things as:

  • Static application security testing (SAST)
  • Dynamic application security testing
  • Open source software security scanning
  • Internal whitebox penetration testing
  • Third-party whitebox penetration testing
  • Vulnerability scanning

Security Standards and Programs

Splunk aligns to industry-standard frameworks and leverages additional security validation, as appropriate, including such things as:

  • CVSS, CWE and OWASP Top 10 for vulnerability tracking
  • Secure software development lifecycle based on Microsoft SDL
  • Bug bounty programs
  • Product Security Incident Response Team (PSIRT) services framework

Responsible Disclosure Standards

Splunk follows industry best practices to discover and remediate vulnerabilities before release, and post-release addresses vulnerabilities reported by third parties using a risk based approach, which may include the following activities:

  • Promptly evaluating potential security vulnerabilities (within two business days of discovery)
  • Rating and prioritizing confirmed vulnerabilities using CVSS
  • Assigning CVEs to confirmed security vulnerabilities
  • Making reasonable efforts to issue releases to mitigate or fix vulnerabilities in supported versions
  • Issuing major and minor releases incorporating cumulative vulnerability fixes
  • Expediting maintenance releases for affected, supported versions for critical-risk, high-impact vulnerabilities
  • Notifying customers of vulnerabilities at the Splunk Product Security page and through the Splunk Product Security Announcements RSS feed

Additional Resources

The Splunk Customer Trust Portal provides you with easy, on-demand access to documentation about Splunk’s global privacy, security, and compliance programs, including certifications, compliance reports, standard security questionnaires and white papers.