At SAS, we engineer our software to protect your data and your business. The SAS® Software Security Framework incorporates industry best practices and defines the guiding principles for our secure product development life cycle. From engineering all the way through vulnerability remediation, we are committed to ensuring that our products continually meet the business and security needs of our customers.
How We Protect You
Security issue identification and resolution – a foundation of education
Education rests at the heart of the SAS Software Security Framework to ensure that everyone responsible for creating, testing and implementing SAS technology shares a common perspective on security. And education about security is available in many forms – from training classes and mentoring programs, to guidelines for development standards, to collaboration between development teams and IT, and beyond.
Architecture and design – a blueprint for security assurance
Secure software begins with product design. SAS developers work with a specialized security architecture team to plan new features built on strong security architecture options. Design reviews and checkpoints help SAS engineers ensure that they are incorporating secure design concepts into SAS products. And the architectural design helps developers maintain critical security properties, as well as proactively address known security weaknesses.
Development standards, testing and validation – secure from the get-go
We adhere to strict development standards and perform a variety of testing and validation processes that include both internally developed and third-party scanning and vulnerability tools. Follow-up assessments help ensure that any vulnerabilities found are addressed before a product's release.
Product security response and remediation – continued vigilance
Our commitment to security doesn't end when a product is released. Our Product Security Incident Response Team (PSIRT) investigates possible post-release security vulnerabilities, prioritizes any identified incidents based on potential severity, and mobilizes resources to address them.