Software Supply Chain Risk Management at Synology

As organizations increasingly rely on complex webs of upstream suppliers, the need for proactive risk management rises in step. Learn how Synology works to manage and mitigate risk across the extended software supply chain through transparency, vendor management, and comprehensive security controls.

Comprehensive SBOMs: Enhanced transparency and improved response

Synology maintains a Software Bill of Materials (SBOM) for each product as part of a broader Software Supply Chain Risk Management (SSCRM) strategy. Product SBOMs account for all open source and proprietary components, enabling comprehensive license review and improved compliance for sensitive industries. Synology uses an automated process to maintain SBOMs, ensuring information is accurate and up to date, and SBOMs are made available to relevant stakeholders and customers as needed. Synology’s product SBOMs enable fast vulnerability risk assessment and response when vulnerabilities are identified. This is made possible through integration with the MITRE CVE database and the United States’ CISA KEV catalog.

Software Composition Analysis: Improved quality, reduced risks

Synology's SSCRM strategy employs Software Composition Analysis (SCA) as a critical step in every product's development. SCA helps prevent the inclusion of malicious or insecure code in product releases, and it enables license compliance assurance for Synology and downstream partners. With SCA, Synology identifies risks early in the development stage and is able to mitigate them before release. SCA further offers valuable insight into the relative quality of any given component's codebase, enabling improved vendor management and smarter component inclusion.
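The two sections above describe what an SBOM combined with SCA makes possible: matching inventoried components against known vulnerabilities, prioritising the ones listed in the CISA KEV catalog, and checking licences against policy. The following is an added example written for this page, not Synology's code or tooling. It assumes the CycloneDX JSON layout for the SBOM and the published JSON shape of the KEV catalog (both real formats); the advisory feed that maps a CVE to an affected package and fixed version is a constructed stand-in for whatever an SCA tool or the CVE database would supply, and every component name, version and CVE identifier in it is a placeholder, not a real finding.

```python
"""Cross-reference a CycloneDX SBOM against an advisory feed and a CISA KEV
snapshot, so that KEV-listed vulnerabilities are triaged first, and flag
components whose licence is outside an allowlist.

All sample data below is constructed for this example: component names,
versions and CVE identifiers are placeholders.
"""
import json
import re
from typing import Dict, List

# Constructed CycloneDX 1.4 SBOM fragment (placeholder components).
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "example-tls", "version": "1.2.3",
         "purl": "pkg:generic/example-tls@1.2.3",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "example-parser", "version": "0.9.0",
         "purl": "pkg:generic/example-parser@0.9.0",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
        {"type": "library", "name": "example-json", "version": "2.0.0",
         "purl": "pkg:generic/example-json@2.0.0",
         "licenses": [{"license": {"id": "MIT"}}]},
    ],
})

# Constructed advisory feed: CVE -> affected package and first fixed version.
# An SBOM lists components only; this mapping is what an SCA tool or a CVE
# database lookup contributes.
ADVISORIES = [
    {"cve": "CVE-0000-00001", "package": "example-tls", "fixed_in": "1.2.4"},
    {"cve": "CVE-0000-00002", "package": "example-parser", "fixed_in": "0.8.5"},
    {"cve": "CVE-0000-00003", "package": "example-json", "fixed_in": "2.1.0"},
]

# Constructed subset of the CISA KEV catalog in its published JSON shape.
KEV_JSON = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-0000-00001", "dueDate": "2099-01-01",
         "knownRansomwareCampaignUse": "Known"},
    ]
})

LICENSE_ALLOWLIST = {"MIT", "Apache-2.0", "BSD-3-Clause"}


def parse_version(v: str) -> tuple:
    """Turn a dotted version into a comparable tuple. A non-numeric suffix
    (e.g. '1.2.3rc1') is ignored rather than raising, so one odd version
    string cannot abort the whole triage run."""
    parts = []
    for p in v.split("."):
        m = re.match(r"\d+", p)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def load_kev(kev_json: str) -> Dict[str, dict]:
    """Index the KEV catalog by CVE id for O(1) lookups."""
    return {e["cveID"]: e for e in json.loads(kev_json)["vulnerabilities"]}


def triage(sbom_json: str, advisories: List[dict], kev_json: str,
           allowlist: set) -> Dict[str, List[dict]]:
    """Return vulnerable components (KEV entries first) and licence policy hits."""
    sbom = json.loads(sbom_json)
    kev = load_kev(kev_json)
    by_package: Dict[str, List[dict]] = {}
    for adv in advisories:
        by_package.setdefault(adv["package"], []).append(adv)

    vulns, licenses = [], []
    for comp in sbom.get("components", []):
        name, version = comp["name"], comp["version"]
        for adv in by_package.get(name, []):
            if parse_version(version) >= parse_version(adv["fixed_in"]):
                continue  # already at or past the fixed release
            entry = kev.get(adv["cve"])
            vulns.append({
                "component": name, "version": version, "cve": adv["cve"],
                "fixed_in": adv["fixed_in"], "kev": entry is not None,
                "due_date": entry["dueDate"] if entry else None,
                "priority": "P1" if entry else "P2",
            })
        for lic in comp.get("licenses", []):
            lic_id = lic.get("license", {}).get("id")
            if lic_id and lic_id not in allowlist:
                licenses.append({"component": name, "license": lic_id})

    # KEV-listed findings sort first; they carry a remediation due date.
    vulns.sort(key=lambda f: (not f["kev"], f["component"]))
    return {"vulnerabilities": vulns, "licenses": licenses}


if __name__ == "__main__":
    print(json.dumps(triage(SBOM_JSON, ADVISORIES, KEV_JSON, LICENSE_ALLOWLIST), indent=2))
```

With the constructed data, example-tls is reported as P1 because its CVE appears in the KEV snapshot, example-json as P2, and example-parser is not reported at all because its installed version is already past the fixed release; its GPL-3.0-only licence is the one licence policy hit. Swapping the embedded JSON for a real SBOM and a downloaded KEV catalog is the only change needed to run this against an actual product inventory.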

Partnering with upstream suppliers

Synology’s upstream supply chain partners help deliver excellent products and services to customers, which is why Synology believes in working with suppliers to implement security-first design standards, to develop and maintain transparency, and to proactively improve response capability and speed. Synology identifies high-quality supply chain partners and seeks lasting, extended business partnerships as a long-term supply chain strategy.

Internal security as priority-one

Infrastructure security

Synology’s internal infrastructure and response teams work collaboratively to improve organizational resilience, and to mitigate and respond to cyber threats. Through endpoint protection, zero-trust access, and centralized management of security updates, Synology's teams work proactively to protect infrastructure and assets. Synology’s infrastructure team further monitors network traffic, reducing the risk of cyber threats, and all of Synology’s security teams are involved in establishing ongoing security guidelines for the entire company.

Product development security

Developers follow Synology’s internally published secure coding standards when developing products. All code undergoes review, and every submitted component is confirmed by project architects. Code signing is applied at relevant points in development, reducing potential threat vectors. Importantly, Synology also follows standard Secure Development Lifecycle (SDLC) practices for each product, assuring quality, security, and maintainability in every release.

Learn more about security for Synology products


Report security bugs or submit security-related questions.
