We at Telerik realize how important security is for you and the users of your app. This is why our team approaches security as a fundamental component of the Telerik Platform. Telerik takes extensive measures to protect our customers from threats by applying security controls across all layers of our solutions.
In addition, the Telerik mobile application development platform now comes with the additional protection of an SLA, guaranteeing a strong percentage of up-time during any given month of the year. For more information about the SLA, please contact us at firstname.lastname@example.org.
Architecture and Infrastructure Security
The Telerik Platform architecture consists of multiple servers providing a variety of services, consumed either by client users or internally between services themselves. In such a configuration, there are two main security aspects: infrastructure (network) security and application (service) level security.
Infrastructure security defines the isolation of logical groups (zones) of servers and services at the communication transport layer. Roughly speaking, security at this layer is applied through TCP/IP routing and firewalls. The actual implementation depends on the underlying virtualization framework. All communications outside the cloud are proxied through a hardware or software load balancer/router and an SSL termination appliance.
Application Level Security
Application-level security typically consists of two phases: authentication and authorization.
Authentication is the phase of determining the identity of a user. The Telerik Platform solution integrates with third-party identity providers, such as Active Directory or social networks (Facebook, Google, Yahoo and LiveID). For social network integration, the Telerik Platform solution uses the OAuth 2.0 protocol, while for Active Directory, ADFS (Active Directory Federation Services) is required.
Authorization is the phase in which an identified user is permitted or denied to perform a certain action or access a resource, based on the permissions set for that user. Typically there are predefined roles such as Administrators, Contributors, Visitors and so on, and user actions are allowed or denied based on the user's role membership. Authorization rules are specific to every service and are enforced by each service individually.
Application data storage
The Telerik Platform local data storage framework implements a provider model, allowing custom providers to be created for any local data store. Out of the box, the Telerik Platform ships with a provider for SQLite, using the platform's native implementation when available (such as on iOS). Telerik also supports SQLCipher for the default local data storage implementations, giving developers a familiar option for local encrypted storage.
Data transport security
The entire Telerik Platform encrypts all communications using the 128-bit SSL protocol, including service calls made between customer apps and Telerik Platform services. Additionally, to ensure privacy protection and data security, Telerik Platform supports single sign-on (SSO) using Windows Authentication integration (ADFS) and OAuth (with out-of-the-box support for many identity providers, like Google, Facebook, Yahoo and LiveID). These capabilities can also be embedded in customer applications to help ensure that only authenticated users are able to access and interact with highly confidential enterprise
Dedicated Customer Database
Telerik Platform Enterprise customers also have the option of separating their database instance from the rest within the same database server cluster. This practice provides an additional layer of protection against breaches resulting from shared database usage in the public cloud. Additionally, it provides improved reliability and performance.
The Physical Security of Your Data
Physical security includes on-site 24/7 staff, an alarm system, card key access, archived CCTV video and other state-of-the-art security measures. With fully redundant power supplies, multiple backup generators, a host of Tier 1 Internet providers, and laser-based early smoke detection, the facility has been fitted out to maximize safety and contingency planning.
Telerik complies with the following standards:
OWASP Top 10
The OWASP Top 10 represents a broad consensus on the most critical web application security flaws. The errors on this list occur frequently in web applications, and are both easy to find and easy to exploit. To prevent such flaws in our solutions, the OWASP Top 10 is considered during the design, development and deployment of Telerik Platform.
2011 CWE/SANS Top 25 Most Dangerous Programming Errors
The 2011 CWE/SANS Top 25 Most Dangerous Programming Errors is a list of the most significant errors that can lead to serious software vulnerabilities. The errors on this list occur frequently, and are often easy to find and easy to exploit. This list is considered during the development and peer review process to maximize the security of our offerings.
Veracode Level 4 Rating
The Veracode Level (VL) achieved by an application is determined by the type of testing performed on the application, and the severity and types of flaws detected. A minimum security score is also required for each level. Veracode conducts periodic audits of the Telerik Platform solution using automated static, automated dynamic and/or manual security analysis techniques to identify security flaws in the application.
Safe Harbor Certification
In light of the international nature of our business, Telerik's privacy practices are self-certified to the Safe Harbor Program codified by the U.S. Department of Commerce and the European Commission. Telerik complies with the U.S.-EU Safe Harbor Framework and the U.S.-Swiss Safe Harbor Framework as set forth by the U.S. Department of Commerce regarding the collection, use and retention of personal information from European Union member countries and Switzerland. Telerik has certified that it adheres to the Safe Harbor Privacy Principles of notice, choice, onward transfer, security, data integrity, access