Synology Secure Development Lifecycle

The modern cyber threat landscape demands that security and privacy be actively considered at every stage of a product’s life. Discover how Synology is incorporating security and end-user privacy into every product, from planning and development through release and support.

Watch Video

Securing the development pipeline

Planning and design

Products are designed following well-defined security and privacy requirements, using detailed threat modeling to prioritize risks and assets, and with data paths carefully mapped for review and analysis. Component architectures then are carefully reviewed to help create robust, performant designs that will require minimal levels of maintenance and offer long-term value.

Implementation and verification

Developers follow Synology’s standards for secure coding to create software components in accordance with the security models they’ve designed. Imported open-source modules are pre-verified, and the toolchains Synology’s developers use are kept patched with the latest security updates. Static Application Security Testing (SAST) is performed on internal software builds during implementation to assure that developers’ completed code avoids common security flaws. When release candidates are ready, Dynamic Application Security Testing (DAST) is used to help confirm that code is ready for production environments. Automated vulnerability scanning is also employed, and Synology conducts penetration testing as a standard method for final verification.

Release

Completed products are distributed following a staged release, thereby mitigating risk in case a zero-day exploit is discovered shortly after launch. As an added security measure, Synology signs all DiskStation Manager packages and updates using encryption keys secured with hardware security modules.

Response

The Synology Product Security Incident Response Team (PSIRT) proactively manages the receipt, investigation, coordination, and reporting of vulnerability information related to products. PSIRT maintains a less than 24-hour turnaround response time for responding to zero-day exploits, and publishes vulnerability alerts via the Synology Product Security Advisory.

Synology Secure Development Lifecycle porcess

Synology’s ongoing commitment to security

Dedicated security teams

At Synology, PSIRT takes full ownership of coordinating and enacting product security responses. With a comprehensive four-step process, PSIRT assures responsive communication, remediation, speed, and transparency with all relevant stakeholders.

Fast security incident response

Synology is committed to comprehensive remediation delivered at an industry-leading pace. For zero-day exploits, we make our initial severity assessment within the first 8 hours, with our target time to release a fix within the next 15 hours.

Stakeholder transparency

As a MITRE CVE Numbering Authority, Synology is able to safely work with third-party security researchers to discover and fix previously unknown security exploits while maintaining transparency and trust with stakeholders.

Engaging the infosec community

Synology works closely with the information security community to enhance the safety of our products. Whether through our Security Bug Bounty Program, our role as a multi-year sponsor of Pwn2Own, or through our other engagement efforts, we proudly reward the efforts of diligent security experts who partner with us.

More about Synology’s approach to security

Get started

Report security bugs or submit security-related questions.

Contact us