dotCMS' Top Security Achievements in 2023
Jan 09, 2024
Compliance Heavy Lift. dotCMS is now ISO27001 and TXRAMP certified. Achieving ISO27001 and TXRAMP certifications, in addition to maintaining our SOC2 compliance, positions us as one of the safest and most secure platforms in the CMS market. This accomplishment is a testament to our unwavering commitment to security excellence at scale.
CAIQ Integration and Monthly Updates: A notable enhancement to dotCMS’ security infrastructure this year has been the addition of the Consensus Assessments Initiative Questionnaire (CAIQ) to our security website. We are committed to keeping this information current, with monthly updates that reflect our ongoing security efforts and outcomes. This initiative not only demonstrates dotCMS’ dedication to transparency but also ensures that our stakeholders have up-to-date insights into our security posture. Regularly updating the CAIQ is an integral part of our security routine, allowing us to communicate our progress and maintain alignment with industry best practices.
Security Website Launch: The launch of our security website is a milestone. It serves as a resource for customers to understand their safety risks and find answers to vendor security queries. We have 3 of our compliance badges, as well as our CAIQ link there.
Code Analysis Onboarding and Deployment: dotCMS successfully onboarded and deployed a SAST tool called SonarQube to enhance our code quality and security checkups by adding it as a workflow to our CI/CD pipeline, as well as remediating the critical and high severity debts. This was a crucial step in ensuring that our development practices meet the highest industry standards flawlessly.
Social Engineering Campaign: By the end of 2022 and the beginning of 2023, we introduced KnowBe4, a platform that simulates phishes and creates some intricate social engineering pokes. With this, dotCMS was able to reduce people's risk by over 20%. This tool has been instrumental in heightening our team's awareness and resilience against social engineering threats. dotCMS will continue to use the tool for our social engineering objectives in 2024.
Policy Mechanism Creation and Automation: Our policy packet now spans over 100 pages, including detailed policies on code of conduct, acceptable use, contingency planning, and risk assessment. This not only signifies the maturity of our policy framework but also demonstrates our commitment to comprehensive security governance.
Risk Assessment Integration with Vanta: dotCMS has utilized the risk assessment capabilities of Vanta, bolstering our compliance monitoring and management processes. We will continue to use Vanta in the new year for compliance and risk mitigation objectives.
AI-Enhanced Security Questionnaires: We've streamlined our response to security and privacy questionnaires using our newly onboarded AI tool, Trustpage. dotCMS can now work at the scale of handling multiple questionnaires in parallel without compromising on the quality or depth of our responses. This advancement allows us to efficiently manage an increased volume of inquiries, ensuring that each questionnaire is addressed with the utmost precision and thoroughness in the shortest time. In 2023, we addressed 30 questionnaires.
Pentest Conductance and Remediation: dotCMS’ commitment to security has been exemplified through our proactive approach to annual pentesting, vulnerability triaging, and remediation and the exploration of automated pentesting techniques. We delved into tools like Kali Linux, evaluating how it could aid in conducting regular pentest work in-house. This exploration was a stepping stone towards understanding our pentest efficiency and effectiveness.
Quarterly Access Control Management: A key aspect of dotCMS’ security protocol has been the rigorous quarterly access control management. This routine ensures that access rights across our systems are constantly reviewed and appropriately managed, aligning with the dynamic nature of our work environment and evolving security needs. The team's dedication to this practice has been instrumental in maintaining a secure and controlled IT environment. We are committed to continuing and refining this process in 2024, ensuring that our access control routines stay effective.
Onboarding, Role Transition, and Offboarding Policies: This year, we identified and addressed a critical gap in our processes through the formulation and implementation of comprehensive policies for onboarding, role transitions, and offboarding. Led by HR, dotCMS recognizes the significant security implications of these stages in an employee's journey. We dedicated efforts to establish clear guidelines and protocols. The development of these policies was a collaborative effort, and we successfully garnered the commitment and active participation of our managers. This initiative has not only strengthened our security posture but also streamlined these critical HR processes. Training sessions were conducted to ensure all managers are well-versed in these new policies, marking a significant step forward in our organizational security and efficiency.
Business Continuity Planning Rehearsals: Our proactive approach to simulating business continuity ensures that dotCMS is prepared for any unforeseen events, safeguarding our operations and customer interests. We also did training on this for all staff and continue to do so annually.
OWASP Top 10 and Social Engineering Training: Over 10 training sessions and workshops have been conducted, enhancing our team's knowledge and skills in critical security areas.
Responsible Disclosure Program Management: dotCMS’ responsible disclosure program played a pivotal role in our security operations. We successfully addressed 10 reported vulnerabilities, prioritizing them based on their severity levels. Our team's prompt and effective response to these disclosures not only mitigated potential security risks but also demonstrated our commitment to continuously improving our security posture. This proactive approach to identifying and fixing vulnerabilities is a testament to our vigilance and dedication to maintaining a secure and trustworthy digital environment for our users and stakeholders.
3rd Party Vulnerability Management: Triaging and closing 3rd party vulnerabilities reported by tools like Dependabot and OSV reflects our robust approach to external threat management. We have continuously addressed the critical and high-severity vulnerabilities that could have dented our reputation on public fronts.
Establishment of ISMS Governance Council: A significant milestone in 2023 was the establishment of our InfoSec Management System (ISMS) Governance Council. This council plays a crucial role in overseeing and guiding our information security management practices. Its formation has been a pivotal step in aligning dotCMS security initiatives with the rigorous standards required for ISO 27001 certification. The council's annual meeting and strategic oversight have brought a structured approach to managing and enhancing our security posture from a bird’s eye view. This ensured that we adhere to international best practices in information security. The success of the ISMS Governance Council has been instrumental in maintaining ISO 27001 certification.
CNA Authorship: dotCMS is now authorized by the CVE Program as a CVE Numbering Authority (CNA), starting in 2023. The mission of the Common Vulnerabilities and Exposures (CVE) Program is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities. CVE is an international, shared effort that relies on over 260 community partners to discover vulnerabilities. The vulnerabilities are discovered, validated, prioritized then assigned and published to the CVE List. The CVE Records published in the catalog enable program stakeholders to rapidly discover and correlate vulnerability information used to protect systems against cybersecurity attacks. Information technology and cybersecurity professionals use CVE Records to ensure they are discussing the same issue and coordinating their efforts to prioritize and address the vulnerabilities. Being a CNA member will greatly assist us in protecting dotCMS products with proactive protective measures against disclosed vulnerabilities. This is a big achievement in our security disclosure program, enabling us to mitigate the risks of discovered vulnerabilities systematically.
dotCMS is a content management system that helps global enterprises with sophisticated content requirements create, manage and deliver content anywhere. The dotCMS platform is best suited for organizations across industries who manage multiple brands, websites, workflows and content types across multiple languages, and need a platform that is secure and scalable for a development team to work with, but also has intuitive editing tools for content and marketing teams to manage their mission-critical content.
Brands such as Dairy Queen, Newell, Greensky, Chewy and Comcast have chosen dotCMS as their primary platform to scale their content operations and empower their marketing teams so they can reduce developer dependency, enabling teams to go-to-market faster, without sacrificing the flexibility and security of their CMS.