Learn more about how Perforce approaches data security for its customers.

A core guiding factor in everything that we do is to ensure that our security is robust and included at the beginning of design. This shapes not only how we protect the security and privacy of our systems, networks, services, and data, but that of our customers as well.

To ensure that security is enforced, we operate under several guiding principles to ensure that we effectively address security and privacy.

LATEST PERFORCE SECURITY UPDATE
Log4j Status

Least Privilege

People accessing systems, networks, data, and services have the access they need to do their job and no more. If you don’t need access, you don’t get it. This concept is a core architectural design principle in everything that we do.

Standardize and Consolidate

Standardizing the use of specific technologies and tools means we have fewer integrations and lower complexity, but also allows us to develop significant intellectual property with them – allowing us to use them most effectively.

Know What You Have

Information security starts with knowing what devices, systems, software, and services you have, along with their current configurations. This asset management is foundational to our day-to-day work.

Risk-Based Decision Making

A good understanding of the threat landscape within which an organization operates — as well as understanding regulations and requirements — allows that organization to appropriately prioritize spending, time, and remediation efforts. All technology decisions at Perforce are made with risks in mind – often pre-emptively troubleshooting issues before they materialize.

icon-helix-core-benefits

Security Testing and Auditing

A key aspect of our regulatory and compliance obligations is continuously conducting audits and tests. In addition, on an annual basis, we run penetration tests of our SaaS solutions and our installed “On-Prem” applications. The goal of this is primarily to ensure that our controls and program are operating as designed.

Our Security Program Overview

Application Security

Perforce develops software that can be accessed via the internet (Software-as-a-Service – SaaS) or that can be directly installed on systems owned by our customers (commonly called on-prem installed software).

A central part of what we do is ensure that our applications are free from defects and are securely designed. All our developed code undergoes robust static analysis and is scanned regularly for vulnerabilities. We keep our development environments separate from our production environments, and tightly control who can access our systems and codebases.

In addition, our applications are regularly tested by third parties to ensure that they do not have vulnerabilities and that they are operating as designed and expected.

Cloud Providers and Data Centers

In general, Perforce Software SaaS tools are hosted at Amazon, Google, and Microsoft datacenters, running on Amazon Web Service, Google Cloud Platform, and Microsoft Azure Cloud services.

These data centers, which are located in the United States and the European Union, provide robust physical security in addition to state-of-the-art fire suppression, redundant power and HVAC, and biometric access controls with stringent least privilege restrictions. Where data centers are employed to host physical equipment, potent tier 3 (or higher) colocation facilities are employed that provide similarly secure protections.

System Security

Perforce regularly replaces their virtual systems with new, patched ones, and works to maintain system consistency using a combination of configuration management, up-to-date images, and continuous deployment. We are constantly working to update our systems to protect your data.

Authentication and Authorization

A centrally managed and administered single sign-on solution (SSO) and a multi-factor authentication (MFA) are used wherever possible to authenticate Perforce employees. In addition, Role-Based Access Controls (RBAC) have been implemented to grant users authorization to access resources only when appropriate for their business needs (and no more than what is necessary) based upon their role.

Data Security

By design, Perforce collects the necessary data for us to effectively do business. Our tools enable customers to store their important data. Therefore, we take the necessary steps to ensure that data is protected when travelling across networks (encrypted with TLS 1.2 or better), when stored (encrypted databases), and ensure that our customers’ data is stored in the fewest number of locations necessary. When not needed anymore, the data is securely deleted.

Network Security

Our network infrastructure is used to monitor and control traffic to ensure that only authorized connections are allowed. When traversing outside and accessing public networks, data is encrypted with industry-accepted encryption mechanisms to prevent eavesdroppers from accessing the data.

Remote Work

When accessing Perforce networks, systems, and services from outside our offices, robust authentication and encryption mechanisms that leverage industry-leading VPN and authentication technologies are used to ensure that security is maintained.

Logging and Alerting

A critical component to Perforce infrastructure is logging, and we’re monitoring our environments to identify any misuse or problems. Logging is used extensively for application troubleshooting and investigating issues, as well as ensuring that everything is functioning as expected. Logs are streamed in real­time and over secure channels to a centralized logging and monitoring service.

Incident Response and Disaster Recovery

At the core of our resilience to the unexpected is having a plan, practicing it, and keeping it up to date. Our first step to prepare for the unexpected is to build our systems and applications with a reasonable level of resiliency. If something does happen, we have a comprehensive communication process to ensure that we are able to recover quickly, securely, and accurately. At the core of this process is ensuring that our people and our customers are safe, before moving on to effectively restore services.

How We Handle Security Regulations and Compliance

 

SOC2 Type2

SOC2 Type2

Perforce undergoes a SOC 2 Type 2 examination of our security controls against the AICPA defined standards on an annual basis with a third-party audit firm to ensure the security of our platform and its supporting infrastructure. As of the most recent examination, a number of Perforce products are SOC 2 Type 2 compliant.

 

Privacy-Related Data Mapping and Protections:
Perforce is committed to ensuring ongoing compliance with privacy-related date mapping guidelines, including:

 

General Data Protection Regulation (GDPR)

General Data Protection Regulation (GDPR)

The GDPR extends the reach of the European Union’s data protection laws and establishes many new requirements for organizations that fall under its scope.

 

California Consumer Privacy Act (CCPA)

California Consumer Privacy Act (CCPA)

The CCPA is a state law that provides consumer privacy rights and protections for residents of the state of California.

 

 

How We Handle Security and Compliance Requests

GDPR Data Subject Request

A key aspect of the General Data Protection Regulation (GDPR) is the ability for people to make requests about how their data is stored, ask to be forgotten, or retrieve a copy of identifiable data related to them.

Perforce does not collect this information about our customers or our customers’ customers; however, on occasion, this data is necessary for business. If someone wanted to make a GDPR-related personal data request, contact us via email.

Perforce Vulnerability Reporting and Coordinated Disclosure Policy

Perforce supports coordinated disclosure of security vulnerabilities and welcomes reports from security researchers on issues found in Perforce products, and Perforce distributed packages or infrastructure.

Out-of-Scope:

  • Software version or banner disclosures
  • Directory traversal on yum, apt, or downloads where traversal is explicitly desired
  • Self-XSS or CSRF on unauthenticated web forms (including logout CSRF)
  • Disclosure or discovery of known public files or directories (for example, robots.txt, simple DNS enumeration)
  • Brute force attempts (for example, log-in and forgot password pages don't have lockouts)
  • Account enumeration (for example, enumerating login or reset fields for valid accounts without lockouts)
  • Email spoofing possibilities. Suggesting turning on SPF, DMARC, or DKIM isn't welcome, though specific issues with those configurations are.

To report a vulnerability contact the Perforce security team at [email protected].

We credit security researchers based on the value of the contributions they provide. The Perforce Security team reviews each disclosure and assigns a scored value based on the relevance of the disclosure. These scores are calculated quarterly, and the top-scoring individuals are publicly credited on our website. Additional credit will be awarded to individuals who provide code fixes or additional information about how to fix the vulnerability.

Thank you for supporting Perforce's coordinated disclosure process!

Led by CISO Christopher Gerg

As the guide for the ongoing maturation of the information security program, Christopher Gerg is the Chief Information Security Officer (CISO) at Perforce Software. With a technical foundation, Christopher approaches managing an information security program through a foundation of practical, actionable approaches to protecting the confidentiality, integrity, and availability of systems, networks, services, and data.

Christopher’s experience ranges from network engineering to executive leadership roles — including CTO and CISO — with highly regulated industries, which includes healthcare, government, defense, and payment/finance.

With a “Secure by Design and Compliant by Default” approach, Christopher and his team guides the diverse Perforce product lines through their compliance and regulatory obligations. This work is performed with the help of designated liaisons each time, acting as subject matter experts and points of contact to provide tactical support.

Chris Gerg, CISO

Security & Compliance Current Events

Here at Perforce, we are dedicated to keeping up-to-date on security and compliance events that can impact our products and — especially — our customers. 

In response to the Log4Shell vulnerabilities, Perforce has examined the source code of all our product lines to ensure that none have the vulnerable Log4j open-source library.

We also have ensured that the infrastructure and backend environments that support our teams and services have been patched — where necessary — to address the remote code execution issue introduced by the faulty library.

Furthermore, Perforce took an aggressive approach to identifying potentially affected systems and remediating them immediately.

More on Log4J >>

Contact Us

Contact us to get your Perforce security and compliance questions answered.

Contact Us