Version 2020

MicroStrategy Security Assurance Program


MicroStrategy has a comprehensive security program focused on protecting your data, regardless of whether our product is deployed via our Cloud Managed Service offering or on premises. From engineering through vulnerability remediation, we are committed to ensuring that our products continually meet your business and security needs.

Certifications

  • ISO 27001 Certified for MicroStrategy Cloud Environment
  • SOC2 Type II Audit for MicroStrategy Cloud Environment
  • Privacy Shield Compliant
  • PCI DSS Compliant Cloud Platform
  • MicroStrategy fully-managed HIPAA Compliant Cloud solution
  • Corporate Financial System SOX Compliant
  • Product Country of Origin: United States

Personal Security

  • Background checks performed on all employees
  • Educational credentials validated
  • Financial/credit history checked
  • Criminal background checked

Security Training and Certifications for Employees

  • Security principles
  • Threat modeling
  • Web security and penetration testing
  • Mobile security

Security Design Process

  • Threat Modeling based on STRIDE and other internally developed models
  • Application of security principles (e.g., “Defense in Depth”)
  • Consideration of the OWASP Top 10 vulnerabilities
  • Design review by dedicated Security Engineering Team

Embedded Security Features

  • User Authentication
    • LDAP/AD
    • Standard (User Name/Password)
    • Kerberos
    • SAML
    • SSO
  • HTTPS/TLS protection for data in transit
  • AES 256-bit encryption for data at rest
  • Role-based access control
  • Row-level security
  • CSRF and clickjacking protection, and HTML output encoding (for XSS prevention)

Secure Development

  • Secure Coding Standards for all languages used
  • Multiple-level code review
  • Source-code static analysis using the CheckMarx scanning tool
  • Binary scanning of the compiled code utilizing the Veracode binary scanner
  • Manual penetration testing

Third-Party Component Control

The use of third-party components is closely controlled. A formal process is enforced for the introduction of new components into the products. Independent confirmation of third-party components incorporated into the products is conducted via the Synopsys Black Duck tool. Components possessing security vulnerabilities are aggressively scheduled for upgrade or replacement.

Internal Security Testing

Throughout the development cycle, MicroStrategy conducts internal penetration tests to validate the security of new or modified features and to re-validate the security of the existing product suite against new threats. Such testing covers the risks identified in the OWASP Top 10 and other known weaknesses. Threat models developed during product design provide additional guidance for this testing.

Independent Penetration Testing

We engage multiple security firms to conduct annual penetration tests. Tests are comprehensive in scope and use both black-box testing techniques and white-box testing, which includes full access to the product source code. Issues identified during this testing are immediately scheduled for resolution in the product on a risk-prioritized basis. Subsequent re-testing is then conducted by the security firm(s) to verify that the issues have been successfully resolved.

Secure Release

A centralized code repository (GitHub Enterprise) is maintained for development. Repository check-ins undergo area-specific code review procedures. The build process is controlled by the DevOps team. All machines used to develop the product employ an enterprise-grade virus scanner updated with the latest signatures.

Security Patches and Upgrades

Security is of the utmost importance at MicroStrategy. Vulnerabilities are treated as top-priority issues and fixed in the next release. Therefore, keeping your software up to date is one of the simplest but most important precautions you can take to maintain your MicroStrategy product’s security. In the event of a critical security issue outside of the regular update cycle, MicroStrategy may issue an interim patch or workaround, but upgrading will still be required to keep your deployments as secure as possible.

Reporting a Security Issue

Current MicroStrategy customers may report potential security issues and queries via MicroStrategy Technical Support. Researchers may submit issues via our reporting page.

For more information, please contact your account representative.