Security framework pillars
-
Risk & Compliance
-
Application & Product Security
-
Cloud & Data Protection
-
Threat Management
-
Our Security Culture
-
Security Research Not Permitted at Cvent
-
Zero-Day Updates
Cvent employs expert professionals within its Information Security team to deploy a robust Information Security and Privacy Program geared towards the protection of our customer's data and availability of services. Cvent’s Risk & Compliance team is regularly engaged with third-party assessors to examine our security policies, procedures, technologies, and controls to validate that our Program is designed and operating effectively:
Cvent is compliant with several internationally recognized industry security standards and data privacy regulations, including the following
Cvent employs certified Application Security personnel and application security processes to ensure our products are created and designed with security as an integral part of the process. In addition, Cvent works with industry certified third-party penetration testing parties to obtain an independent insight into our product's security posture. Cvent also aligns its vulnerability management process to industry-standard benchmarks to provide a standardized view of our product security.
Our multi-layered software security strategy is consistent with that of many of the world’s most successful cloud providers. Key activities of our software security program include:
- Secure Code Training: Our software engineers are trained on how to identify the latest threats and use secure coding techniques to build resilient and secure solutions.
- Secure Design Reviews & Threat Modeling: Our software designs undergo rigorous security reviews to identify and assess the impact of potential threats, and we establish countermeasures to address them. In addition, Cvent strictly adheres to the security guidelines outlined within OWASP Top Ten for application security reviews.
- Automated Security Testing: Our software undergoes several types of security testing, including SAST and DAST, at various stages of software development before it’s released to customers.
- Penetration Testing: We perform Red Team exercises to simulate attacks against our solutions and identify potential points of weakness or vulnerability.
- Vulnerability Disclosure Program: We maintain a bug bounty program to incentivize responsible reporting of bugs in Cvent platforms and applications by the security research community.
Cvent deploys layers of network security controls with the help of advanced network security tools such as firewalls, IPS, IDS, SIEMs, WAF.. Cvent implements a spectrum of security checks to properly safeguard our infrastructure from internal and external threats, including, but not limited to, the following:
- Strong Perimeter & System Defense:. Cvent has strong perimeter protection that detects network threats, performs surveillance, and analyzes attack patterns through firewalls, web application firewall, IDS/IPS and network traffic inspection by our 24/7 SOC team.
- Identity & Access Management: Cvent maintains strict control over who can access our computing resources through the concept of least privileges and role-based access controls. All access into our environment enforces strong passwords and multi-factor authentication over VPN.
- Military-Grade Data Protection: All customer data is protected while in transit and at rest by methods compliant with FIPS 140-2, the U.S. government standard for data encryption.
- Resilient Systems & Disaster Recovery Sites: Cvent maintains highly available fault-tolerant systems along with industry-standard tools and processes to recover systems and data to geographically distinct disaster recovery centers. Cvent has also implemented a comprehensive Business Continuity and IT Disaster Recovery Management Program designed to identify and assess threats and hazards, understand their impacts to Cvent’s operations, and develop a framework for planning and responding to unavoidable disruptions. Our framework focuses on three core elements:
- People: We have developed a unified command and control mechanism for event identification, evaluation, escalation, declaration, response, and deactivation.
- Processes: We have developed recovery strategies and plans for critical business functions required to sustain an acceptable level of operation during a significant business disruption.
- Technology: We have identified resiliency strategies for required essential information technology infrastructure, hardware and software.
- Data Deletion: Cvent follows industry-standard compliance requirements for the deletion of data in compliance with GDPR. Cvent ensures that data is used only for customer-defined specific purposes and is deleted once the agreement between Cvent and customer has been fulfilled.
Cvent’s information security teams understand that managing threat is one of the vital factors when it comes to securing customer’s data. Cvent have a 24X7 security operations and robust external partnerships to identify potential threats and effectively respond in the event of security emergencies. To ensure we at Cvent are handling threat effectively we have:
- Threat Intelligence Program: Cvent maintains an in-house Security Threat Analysis team, which works closely with our industry recognized third-party Security Operations Center (SOC) to provide around-the-clock threat intelligence and security event monitoring, incident response and recovery capabilities. Collect and synthesize intelligence data on threat agents, their tactics & techniques that may harm Cvent
- 24X7 Security Monitoring: Cvent monitors for potential security gaps or events correlated from intelligence, security control, and telemetry data
- Security Incident Response Program: Cvent maintains and execute response readiness plans and runbooks in the event of security incidents to minimize impact and smartly recover
Cvent is dedicated to build and maintain a culture of security to reduce levels of human risk across our organization. We strive to achieve this goal through ensuring all our employees receive awareness and role-based training. Examples of our security education activities include:
- Instructor-led security awareness training during onboarding
- Annual mandatory computer-based security awareness training
- Monthly email phishing assessments and reinforcement education
- Secure Coding training initiatives
- Role-based targeted security trainings for specific teams and departments
- Annual crisis management and emergency response exercises
- Annual IT disaster recovery and continuity plan testing, training, and exercises
While Cvent incentivizes responsible reporting of vulnerabilities of our applications and platform, we unequivocally prohibit the following acts:
- Infringing any laws or agreements in order to identify vulnerabilities.
- Attempting to access, gather, corrupt, or destroy any data that does not belong to you
- Carrying out any actions that may negatively impact Cvent or its ability to provide services. This includes DOS, DDOS, Spam etc.
- Instigating any social engineering attacks on Cvent employees or users.
- Scanning Cvent’s environment except under its bug bounty program.
Okta Data Breach
Updated: November 1st, 2023
Last week, the Cvent IAM Team received an email stating that we were not impacted by the security breach. However, Okta provided us with a list of IPs that were used by the attacker. We reviewed and audited our instance to confirm that we are indeed not affected.
Additionally, our representative has confirmed internally that our instance is not impacted.
WebP Vulnerability
Updated: November 1st, 2023
Cvent Product and Security teams have conducted an investigation into CVE-2023-4863 and CVE-2023-5129. During the investigation, it was discovered that the impacted library, libwebp, is not directly utilized by any of our products.
However, it is referenced internally (as a transitive dependency) by another library that is utilized by the Attendee Hub Mobile app (Cvent Event Mobile). It should be noted that this vulnerability is exploitable only for "webp" type images, which are not allowed within the Cvent Event mobile application.
Based on this analysis, we have determined that there is no immediate threat to the Cvent application or its users. As a precautionary measure, we are currently working on upgrading this instance in the upcoming mobile app release, which is tentatively scheduled for November 30, 2023.
Intel Downfall
Updated: Sep 5, 2023
Cvent's customer data is hosted and processed on AWS. Based on the messaging by AWS here AWS customer's data and instances are not affected by this issue and no customer (in this case Cvent) action is required. To our knowledge, Cvent's AWS systems containing customer data remain unaffected. Cvent also investigated the issue for our end user machines as well and did not find any unauthorized access.
For details on the vulnerability released, please click here.
MOVEit Transfer Web Application Vulnerabilities
Updated: May 23, 2022
Cvent does not use the MOVEit Transfer web application and is therefore not impacted by the security vulnerability referenced in CVE-2023-34362.
For details on the vulnerability released, please click here.
F5 Vulnerabilities
Updated: July 1, 2023
Cvent utilizes F5 systems within their environment and is aware of the CVE-2022-1388 BIG-IP iControl REST vulnerability that has recently been announced. As stated within the CVE, the vulnerability contains no data plane exposure and only affects the control plane. Cvent's configurations of the F5s in place do not expose the control plane to the internet. In addition, Cvent has patched all systems to version 13.1.5 as recommended by F5 as of 05/20/22, which in turn remediates this vulnerability.
For details on the vulnerability released, please click here.
Spring4Shell Vulnerabilities
Updated: April 1, 2022
Cvent has been investigating recent reports of CVE-2022-22965, the 0-day Remote Code Execution (RCE) vulnerability in the Spring software framework, and can confirm that we have successfully mitigated the risk associated with this issue. A limited number of Cvent applications run the Spring framework and product engineering teams have been mobilized to remediate the issue. We expect that all relevant product components will be updated to Spring Framework versions 5.3.18 or 5.2.20 by April 16, 2022.
Most important, however, Cvent has successfully implemented safeguards across our platforms that detect and block potential exploitation attempts that may target this weakness. These safeguards, along with other defense-in-depth security capabilities, effectively mitigate risk associated with this issue in order to protect Cvent systems and customer data.
For details on the vulnerability released, please click here.
log4j Vulnerabilities
Updated: February 7, 2022
This update constitutes Cvent's final customer notification regarding our security posture related to the Apache log4j vulnerabilities discovered in December of 2021:
As of early January 2022, Cvent has updated all critical customer systems to either log4j versions 2.17 or 2.17.1. In circumstances where systems have been updated to log4j version 2.17, Cvent has maintained multi-layered compensating controls to substantially mitigate the risk of exploitation of CVE-2021-44832 (the inherently lower-risk vulnerability in log4j version 2.17).
Even though the risk of exploitation is mitigated across the board, Cvent still aims to update the remaining 2.17 versions of log4j to 2.17.1 via our normal security patching cadence. Per our internal service level objectives, this means that the remaining systems will be updated by the end of March 2022.