Security at Ping Identity

A message from our CISO

Ping Identity is a security company. As a security company, we know that the expectations are great and the stakes are high. Job one for security at Ping Identity is creating products and services that are secure, resilient and assured. Second is ensuring that Ping Identity’s business operations are secure and communicated. This starts by investing in the right people, processes and technologies, but it also requires a culture of security that permeates the entire organization. Every employee of Ping Identity understands the importance of our mission, and their role in fulfilling it.

 

To provide customers with assurance of our program, we’ve modeled our Information Security Management System (ISMS) on industry best practices and frameworks such as ISO 27001 and NIST 800-53. We provide assurance of the effectiveness of our security practices through independent third-party testing of both our products and our control framework while continuously improving our ISMS as we pursue ISO 27001 and FedRAMP certification.

 

Thank you for taking the time to investigate our security program. Please reach out if you have any questions about the security of Ping Identity’s solutions or corporate practices. If you’d like to dig into the details, see our Security and Operational Practices.

 

Robb Reck

CISO, Ping Identity

Responsible disclosure

Ping Identity has created a responsible disclosure program as one avenue for identifying and remediating vulnerabilities within our products. If you’re a security researcher and have discovered a security vulnerability in any of our solutions, we appreciate your help in disclosing it to us privately and giving us an opportunity to address it before publishing technical details. We will validate, respond to and address vulnerabilities in support of our commitment to security and privacy.

Reporting

Share the details of any suspected vulnerabilities with Ping Identity’s Information Security Team by filing a support case. Please don’t publicly disclose these details outside of this process without explicit permission. In reporting any suspected vulnerabilities, please include the following:

  • Product name and version

  • Vulnerable URL: the endpoint where the vulnerability occurs

  • Vulnerable Parameter: if applicable, the parameter where the vulnerability occurs

  • Vulnerability Type: the type of the vulnerability

  • Steps to Reproduce: step-by-step information on how to reproduce the issue

  • Screenshots or video: a demonstration of the attack

  • Attack scenario: an example attack scenario may help demonstrate the risk and get your issue resolved faster

  • Log files

Our Commitment

If you identify a verified security vulnerability in compliance with this responsible disclosure program, Ping Identity commits to:

  • Establish a remediation timeline with a definite end date.

  • Disclose the vulnerability through our support page to best protect our customers (if in our customers’ best interest).

Certifications & Affiliations

Information Systems Security Association, Denver Chapter

The Information Systems Security Association (ISSA) is an international not-for-profit organization of information security professionals and practitioners. It provides education forums, publications and peer interaction opportunities that enhance the knowledge, skill and professional growth of its members.

 

ISSA is the community of choice for international cybersecurity professionals dedicated to advancing individual growth, managing technology risk and protecting critical information and infrastructure. The Denver chapter has been recognized as the largest chapter in the world with over 500 members to date. The Denver chapter president is Ping Identity’s own Chief Information Security Officer, Robb Reck, and numerous Ping employees are active members. Visit www.denver.issa.org to learn more.


Cloud Security Alliance STAR Registry

The CSA Security, Trust and Assurance Registry (STAR) is a free, publicly accessible registry that documents the security controls provided by various cloud computing offerings, thereby helping users assess the security of cloud providers they currently use or are considering contracting with.

 

CSA STAR is open to all cloud providers, and allows them to submit self-assessment reports that document compliance with CSA-published best practices. The searchable registry will allow potential cloud customers to review the security practices of providers, accelerating their due diligence and leading to higher quality procurement experiences. CSA STAR represents a major leap forward in industry transparency, encouraging providers to make security capabilities a market differentiator.

Please visit Ping Identity’s member site for access to our CAI questionnaire.


FBI InfraGard

InfraGard members have access to an FBI secure communications network featuring an encrypted website, web mail, listservs and message boards. The website plays an integral part in the FBI’s information-sharing efforts to disseminate threat alerts and advisories, as well as to send out intelligence products from the bureau and other agencies.

 

There are 85 InfraGard chapters with a total of more than 35,000 members who work with the FBI through field offices to ward off attacks against critical infrastructure that can come in the form of computer intrusions, physical security breaches or other methods. These members represent state, local and tribal law enforcement, academia, other government agencies, communities and private industry. Ping Identity employees are affiliated with the InfraGard Denver Members Alliance (IDMA).


OWASP Member

The Open Web Application Security Project (OWASP) is a non-profit organization focused on improving the security of software. Their mission is to make software security visible, so that individuals and organizations worldwide can make informed decisions about true software security risks.

 

OWASP is an open community dedicated to enabling organizations to conceive, develop, acquire, operate and maintain applications that can be trusted. All of the OWASP tools, documents, forums and chapters are free and open to anyone interested in improving application security. They advocate approaching application security as a people, process and technology problem because the most effective approaches to application security include improvements in all of these areas. Visit www.owasp.org to learn more.

 
