All docs
V21.1
21.2 (EAP/Beta)
21.1
20.2
The page you are viewing does not exist in version 20.2. This link will take you to the root page.
20.1
The page you are viewing does not exist in version 20.1. This link will take you to the root page.
19.2
The page you are viewing does not exist in version 19.2. This link will take you to the root page.
19.1
The page you are viewing does not exist in version 19.1. This link will take you to the root page.
18.2
The page you are viewing does not exist in version 18.2. This link will take you to the root page.
18.1
The page you are viewing does not exist in version 18.1. This link will take you to the root page.
17.2
The page you are viewing does not exist in version 17.2. This link will take you to the root page.

Security - What You Need to Know

  • 4 minutes to read

This article addresses a series of frequently asked security-related questions and documents the processes we have established to mitigate security-related risk. It also includes links to Best Practice articles for various development platforms and products.

What We Do to Mitigate Risk

A team of developers – the DevExpress Security Guild – reviews all DevExpress technologies, new DevExpress solutions, and existing DevExpress products for security-related vulnerabilities The Security Guild updates each product team regarding potential vulnerabilities and manages the on-going implementation of the following security-related testing strategies:

Prevention

Our primary goal is to isolate and address security-related issues before product delivery. We use the following prevention techniques to meet this objective:

Internal Registry of “Vulnerable” APIs

We maintain our own “vulnerable” API registry. This registry helps us locate and review questionable API calls and to mitigate potential security issues prior to official release. Our internal Security Guild tracks “vulnerable” C# API calls with assistance from the DevExpress IDE Productivity Team (developers of CodeRush and experts in code parsing techniques).

This prevention technique is used in the following products (v19.2 and later):

  • DevExpress WinForms Subscription
  • DevExpress ASP.NET Subscription
  • DevExpress WPF Subscription
  • UWP (Windows 10 Apps) Subscription
  • Office File API Subscription
  • Reporting Subscription
  • DXperience Subscription
  • Universal Subscription
    • Business Intelligence Dashboard
    • Cross-Platform .NET App UI (XAF)
    • .NET Role-based Access Control API powered by EF Core and XPO ORM

External Testing Tool: Veracode

We use Veracode’s static security scanner to analyze DevExpress source code. We review all Veracode-reported issues, fix vulnerabilities, and discard false positives.

You can review our Veracode Verified certificates on the following website:

https://www.veracode.com/verified/directory/devexpress

This prevention technique is used for the following .NET Framework, .NET Core, .NET Standard, and UWP products/product suites by DevExpress.

  • DevExpress WinForms Subscription
  • DevExpress ASP.NET Subscription
  • DevExpress WPF Subscription
  • UWP (Windows 10 Apps) Subscription
  • Office File API Subscription
  • Reporting Subscription
  • DXperience Subscription
  • Universal Subscription
    • Business Intelligence Dashboard
    • Cross-Platform .NET App UI (XAF)
    • .NET Role-based Access Control API powered by EF Core and XPO ORM

External Tool: LGTM

The DevExtreme team (authors of our JavaScript UI widgets for jQuery, Angular, React, and Vue) utilizes LGTM.com’s continuous security analysis service. This service has been integrated into DevExtreme’s CI workflow and is used to analyze all merge requests submitted to associated repositories.

Security Advisories and Product Update Process

We are not perfect and security-related issues may be introduced into an official DevExpress release. If we locate a potential security vulnerability in an official DevExpress release, we will publish a fix in the shortest possible time frame (usually our next minor product update). Once patched versions are ready for download/deployment, we update the DevExpress Security Advisory Bulletin and announce the security update via email and our website. Our security advisory describes the issue, lists affected products, and steps that must be taken to mediate future risk.

DevExpress Security Advisory Bulletin

NOTE

We respect your privacy rights. To receive security-related advisories via email, you must update your DevExpress.com profile and authorize us to send you (or your authorized representative) security-related advisory email messages:

security page emails

Best Practices

The DevExpress Security Guild - in collaboration with individual DevExpress development teams - has produced a series of security-related best practice help topics for your consideration. Whether you currently use DevExpress controls or are evaluating DevExpress products for a future project, the following resources should help you design and test your software application(s).

Full Source Code is Available

No matter what we do, how we do it, or how much time we invest, ultimate responsibility for quality and application-wide security lies with you and your organization. For this reason, we allow every organization to purchase full source code for all DevExpress components (full source code is available in the DevExpress Universal Subscription). Through source code review, you can fully evaluate/analyze our products and ensure that DevExpress components meet your organization’s security-related or quality-related requirements.

Should you have security-related questions or require additional guidance, please email management@devexpress.com. To explore our end-user license agreement and review the terms that govern use of all DevExpress products, please visit the following webpage: Licensing: EULAs and FAQ | DevExpress