Product Security

We understand that our products are used by Customers who build products that keep us safe and healthy and keep the world running. From assets in a power plant to medical equipment in hospitals, Customers rely on our products and services to help them manage and service both their own assets and those of their Customers. It is, therefore, imperative for us to address Security, Compliance and Privacy throughout our product development lifecycle. At the same time, we make sure that once a product is made available, it is sufficiently resilient to unforeseen disruptions, whether operational in nature or due to a Security incident.

Secure [System and Software] Development Lifecycle (SDL)

ServiceMax has adopted an SDL framework that supports agile methodologies without adding significant friction. The SDL establishes a framework and sets guidelines for product and non-product Engineering teams within ServiceMax. As a cloud-based Software as a Service (SaaS) organization, delivering product releases in a timely fashion is critical to the success of our business. However, given the societal impact of how our Customers utilize our products, we must balance speed with Security and, more importantly, Safety. From an organizational perspective, the SDL establishes direction for product safety, quality and reliability, with the goal of reducing security risk exposure for ServiceMax and its customers.

Overview

With decades of experience in application security, ServiceMax does not believe in adding complexity or significant friction to existing development practices and build pipelines. We leverage industry-accepted secure development practices and have built an SDL framework that is easy to follow and that Developers and Engineers in the SaaS industry are already familiar with.

Continuous Risk Assessment

These phases are not meant to act as a gating mechanism, an approach we do not believe in; rather, they are a logical segmentation of the critical aspects that compose the SDL. The following are some of the more critical aspects or functions of the SDL, each supported by one or more of the phases above.

Developer Security Training – Ongoing courses provided to developers to improve their understanding of techniques for identifying and mitigating security vulnerabilities. Training focuses on topics including threat modeling, DAST, and coding techniques that prevent common defects such as SQL injection.

Design/Architecture Review – A collaborative effort between the Development/Engineering teams and Cyber Security to assess and develop application or service design patterns that mitigate risk to the platform and its associated applications and services. Both Security and Privacy factor into the overall design of our products.

Threat Modeling – A structured approach for analyzing the security of an application, with special consideration for boundaries between logical system components, which often communicate across one or more networks.

Security User Stories / Security Requirements – A description of the functional and non-functional attributes of a software product and its environment that must be in place to prevent security vulnerabilities and mitigate factors that threaten Privacy. Security user stories are written in the style of a functional user story, as it would be entered into an Agile-oriented tool such as Jira.

Automated Dynamic Application Security Testing (DAST) – A process of testing an application or software product in an operating state, implemented by a web application security scanner.

Automated Static Application Security Testing (SAST) – A process of testing an application or software product in a non-operating state, analyzing the source code for common security vulnerabilities.

Open Source Software Security Testing (OSS) – A process of testing an application or software product for known vulnerabilities in its open source components.

Penetration Testing – Hands-on security testing of a runtime system. This sort of testing uncovers more complex security flaws that may not be caught by DAST or SAST tools.

Continuous Risk Assessment – A means to identify and manage risk throughout the system build or product development lifecycle.