Application security begins with building secure applications. Medallia follows a secure software development process, beginning with design reviews, threat modeling, and risk assessment. Our agile Kanban-based software development methodology includes security control touchpoints built into the software development lifecycle (SDLC). Each phase of our SDLC has clear quality and security exit criteria, ensuring that potential problems are identified and resolved as early as possible.
Our Engineering and Product Security teams conduct extensive development and post-development testing to be certain our applications are secure. This includes static code analysis and manual penetration testing. All deployed software undergoes a post-deployment vulnerability scan.
Finally, we have an extensive Security Champions program. Development teams have one or more representatives that take part in an intensive 6-month certified security training program. This ensures that secure development scales as we scale and is part of the DNA and culture of how we build our applications.
Medallia’s release frequency includes 4 major releases and 8 minor releases a year. We have designed our solution in a way that allows us to seamlessly roll out upgrades, new releases, and security patches/fixes without disrupting the client's’ unique configurations:
Changes to the system are either “auto-on” or “configurable.”
Auto-on changes do not require servicing configuration.
Major auto-on enhancements (noticeable changes, such as new functionality or UI upgrades) are communicated at least one month in advance of the upgrade and include guided product tours.
“Configurable” changes are new features that can be controlled by a user or user group. For configurable changes your services team actively engages with your administrator and key users to review the feature, determine the path for access, and eventually roll out.
Should a zero-day patch be released, Medallia will update the base image and push it out immediately.
Medallia’s Systems Operations Standard ensures that we follow documented procedures for acquiring, configuring, deploying, monitoring, hardening, maintaining, and decommissioning our infrastructure hardware. Our dedicated Security Operations team performs 24x7 security monitoring using industry-leading tools to make sure customer data and your assets are always being protected from cyber threats.
Medallia and customer assets are monitored by Site Reliability Engineering and the Trust and Assurance Group (TAG); all relevant user activities, system exceptions and security events are logged and stored locally and in a centralized log management system to prevent tampering. Privileged access is also monitored using a centralized log management solution. Access to logging facilities and log information is restricted to authorized personnel only. System administrator actions are logged and reviewed by Medallia’s Trust and Assurance Group as part of risk assessments or as otherwise necessary.
Medallia has different types of audit trails available to customers: a change log, user activity, and user login information.
The Change Log lists the changes made in Medallia Experience Cloud, such as created, modified, and deleted entities.
User activity tracks various data points about a single user’s session. These records include information such as the activity type, the role in which the activity was performed, page and action details, the number of times the activity was performed, and which modules the activity was performed on.
User login information is simply different security events deriving from Medallia’s User Management capability such as attempted and failed login/SSO attempts, admin use, and password rotation information (if username/password is used).
Outside of the logs available to customers listed above, Medallia also maintains various internal only logs that all route to an internal SIEM tool that detects anomalous activity. These logs include but are not limited to:
Medallia regularly tests its network and application for vulnerabilities to ensure the reliability and security of our infrastructure. Our vulnerability management process includes regular and ad hoc vulnerability scanning. We monitor for vulnerabilities listed in the Common Vulnerabilities and Exposures (CVE) database of known vulnerabilities. We pay particular attention to the current threat landscape and frequently test for threats on the OWASP Top 10 list, such as input validation, XSS and various injection attacks. Any vulnerabilities identified as part of this process are analyzed and remediated in accordance with our Vulnerability Management Standard.
We also perform both internal and external penetration tests, both internally and through partnerships with independent expert 3rd-party security firms, including full external penetration tests. These tests include a combination of manual and automated assessments to ensure comprehensive coverage. Any vulnerability discovered is prioritized and remediated based on risk. We validate the remediation approach and, after remediation, we repeat the vulnerability testing in order to ensure that the remediation was successful.
Additionally, we perform weekly vulnerability assessments using tool-based scanners. All identified vulnerabilities, including client-side vulnerabilities are remediated in accordance with our Vulnerability Management Standard.
We have a robust vulnerability management program, based on SLAs and designed for effective and efficient remediation of issues.
Medallia uses a structured release and change management process to provision systems and update application software. Impact assessments must be performed and documented before change requests are approved. Changes are documented, scheduled, reviewed, tested and released regularly in accordance with our Change Management Plan. The process applies to off-the-shelf products, internally-developed systems, and externally developed applications and/or systems. Whenever possible, changes are scheduled far enough in advance to allow time to notify any clients’ whose service may be affected by the change.
Medallia may use up to 36 hours per year of scheduled downtime for system maintenance and upgrades. Medallia will provide no less than 14 days notice prior to scheduled downtime, except for emergency updates.
The Change Management Plan also applies to emergency or unscheduled changes. These changes require high-level approval. Testing may be reduced or foregone, and documentation may be deferred, typically, until the next business day. All emergency changes are monitored and audited for potential risks after deployment. Clients are notified of emergency changes as necessary.
Medallia reviews the proper execution of our IT change management process on at least a quarterly basis.