Autodesk is working to build security into our products. We work directly with our customers to detect, monitor and prevent attacks. We have standard practices in place to respond effectively to incidents and reduce customer risk. Autodesk is also taking steps to help our customers comply with industry regulations and standards.
Autodesk provides a comprehensive security framework to our product teams across the following areas:
Autodesk believes that proactively building security into our products is a critical part of keeping our customers' investment in Autodesk products secure. Autodesk's Secure Software Development Lifecycle (SSDLC) is how that security is embedded in our products.
Autodesk understands that security in the cloud is of prime importance to our customers and that customers rely on our practices to protect the confidentiality, integrity and availability of their information. Defense-in-depth is a key tenet of our cloud security strategy.
We strive to make our response and mitigation processes efficient and swift. Continuous monitoring of the threat landscape, collaboration with security researchers, and quick resolution of incidents that occur are the foundation of Autodesk’s product security incident response practices. Click here to report an incident.
Periodic internal audits, external assessments, compliance with industry standards and practices, and ongoing improvement are part of Autodesk's overall product security strategy.
Product security methodology
Built to be secure
Autodesk's Secure Software Development Lifecycle (SSDLC) is a critical part of embedding security in our products. By instituting security as a company-wide initiative, Autodesk embraces industry best practices and lessons learned across the industry.
Our SSDLC is a framework that defines the process used to build an application, from its inception to its decommissioning.
In general, we build security into the following industry-standard phases:
Planning and requirements
Architecture and design
Testing and results
Release and maintenance
The primary focus of the SSDLC process is to make security assurance activities such as penetration testing, code review, and architecture analysis an integral part of the development effort, rather than an after-the-fact step that discovers a high number of issues too late to fix cheaply.
Our SSDLC program is built on these "7 Practical Steps to Delivering More Secure Software", with each step supported through training, processes and tools:
Quickly evaluate the current state of software security and create a plan for addressing it throughout the life cycle.
Specify the risks and threats to the software so they can be addressed before the software is deployed.
Review the code for security vulnerabilities introduced during development.
Test and verify the code for vulnerabilities.
Build a gate that prevents applications with known vulnerabilities from going into production.
Measure the success of the security plan so that the process can be continually improved.
Educate stakeholders and employees about security so they can implement the security plan.
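As an added illustration of the release gate in step 5 (this is example code written for this page, not Autodesk's own tooling), the script below reads normalised scanner findings and a risk-exception register, then fails the pipeline if any blocking-severity finding lacks an unexpired exception. The JSON layouts, the severity policy and the sample findings are all assumptions constructed for the example; a real gate would read its scanner's native output and the organisation's own threshold.

```python
"""Release gate: fail a build when scanner findings exceed policy.

Added example, not Autodesk's tooling. The finding and exception
formats below are assumptions made for this illustration.
"""
import json
import sys
from datetime import date

# Assumed policy: these severities block a release ...
BLOCKING_SEVERITIES = {"critical", "high"}
# ... and only these are explicitly allowed through. Anything else
# (unknown or missing severity) is treated as blocking, i.e. fail closed.
NON_BLOCKING_SEVERITIES = {"medium", "low", "info", "informational"}

# Constructed sample scanner output (not real findings).
SAMPLE_FINDINGS_JSON = json.dumps({
    "findings": [
        {"id": "F-1", "rule": "sql-injection", "severity": "High",
         "location": "api/orders.py:88"},
        {"id": "F-2", "rule": "weak-hash-md5", "severity": "Medium",
         "location": "auth/legacy.py:12"},
        {"id": "F-3", "rule": "xxe", "severity": "Critical",
         "location": "import/parser.py:41"},
        {"id": "F-4", "rule": "debug-enabled", "severity": "Low",
         "location": "settings.py:3"},
        {"id": "F-5", "rule": "custom-check",
         "location": "build/tool.py:7"},          # no severity field
    ]
})

# Constructed exception register: risk acceptances with an owner and expiry.
SAMPLE_EXCEPTIONS_JSON = json.dumps({
    "exceptions": [
        {"id": "F-1", "owner": "app-team", "expires": "2099-01-01",
         "reason": "query parameters are server-generated"},
        {"id": "F-3", "owner": "app-team", "expires": "2020-01-01",
         "reason": "parser not reachable from untrusted input"},
        {"id": "F-5", "owner": "build-team", "expires": "2099-01-01",
         "reason": "false positive in build helper"},
    ]
})


def load_active_exceptions(raw, today):
    """Return the IDs of findings with an exception that has not expired.

    Expired exceptions are dropped so that a stale risk acceptance
    cannot silently keep a vulnerability in production.
    """
    active = set()
    for exc in json.loads(raw)["exceptions"]:
        if date.fromisoformat(exc["expires"]) >= today:
            active.add(exc["id"])
    return active


def evaluate(findings_raw, exceptions_raw, today):
    """Classify findings and decide whether the release may proceed."""
    active = load_active_exceptions(exceptions_raw, today)
    blocking, waived = [], []
    for finding in json.loads(findings_raw)["findings"]:
        severity = str(finding.get("severity", "")).lower()
        if severity in NON_BLOCKING_SEVERITIES:
            continue  # below threshold, does not affect the gate
        if finding["id"] in active:
            waived.append(finding["id"])
        else:
            blocking.append(finding["id"])
    return {"pass": not blocking, "blocking": blocking, "waived": waived}


def main():
    result = evaluate(SAMPLE_FINDINGS_JSON, SAMPLE_EXCEPTIONS_JSON,
                      date(2024, 6, 1))
    for fid in result["waived"]:
        print(f"waived (active exception): {fid}")
    for fid in result["blocking"]:
        print(f"BLOCKING: {fid}")
    print("gate:", "PASS" if result["pass"] else "FAIL")
    return 0 if result["pass"] else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run as a pipeline step, the non-zero exit status is what stops the deployment. Two design points matter more than the format: a finding with no recognised severity blocks rather than slips through, and an exception has an owner and an expiry, so a risk acceptance is a dated decision rather than a permanent suppression.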
Cloud Security at Autodesk
Autodesk employs a team of security and compliance professionals to build security into its products and deployment infrastructure.
Some of our responsibilities include:
Reviewing the security of products from design to implementation
Defining and driving implementation of security policies for products
Identifying and implementing technologies to secure and protect customer information
Engaging third-party security experts to conduct security assessments
Monitoring cloud products for possible security incidents and responding to incidents as needed
Vulnerability Scans and Penetration Testing
Autodesk conducts ongoing vulnerability scans and penetration tests of its products and infrastructure. These scans and tests cover a wide range of vulnerability classes, such as those catalogued in the OWASP Top 10 and the CWE/SANS Top 25.
Network and Perimeter Security
Network security is enforced using a combination of physical and logical controls, including encryption, firewalls, and system hardening procedures. Stand-alone hardware firewalls are deployed at the perimeter of the cloud, and all ports except those required to serve customer requests are blocked (a default-deny policy).
Network traffic containing sensitive information, such as credentials, is encrypted in transit over the Internet between the customer and the perimeter of our environment.
Training & Education
All Autodesk employees must affirm the importance of information security as part of new-hire orientation. Employees are required to read, understand, and take a training course on the company’s Code of Conduct. The code requires every employee to conduct business lawfully, ethically, with integrity, and with respect for each other and the company’s users, partners, and competitors.
Autodesk employees are required to follow the company’s guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards. New employees must sign a confidentiality agreement. New employee orientation emphasizes the confidentiality and privacy of customer data.
To put security best practices into practice, Autodesk has introduced a yearly Software Security Certification Program (SSCP) for everyone in the Engineering and Cloud Operations functions.
Product Security Incident Response
Autodesk's product security incident response practices are run by the Product Security Incident Response Team (PSIRT), which manages the receipt, investigation and internal coordination of security vulnerability information related to Autodesk's products and services.
The Autodesk Security Incident Response Process is based on international standards and gives the PSIRT a defined set of guidelines for receiving and responding to product security incidents.
Maintaining communication between all involved parties, both internal and external, is a key component of our incident response process.
We employ an incident management process to respond quickly to events that adversely affect Autodesk cloud services. If you believe such an event has occurred, Autodesk is available 24/7 to respond, and events that directly impact customers are treated with the highest priority. Click here to report an incident.
Audits & Compliance
Autodesk creates and implements security policies based on industry best practices and international standards, and regularly conducts internal and external audits, attestations and third-party security assessments of its products.
External Audits, Attestations and Certifications
Autodesk engages AICPA-accredited auditing firms to perform independent audits and assess the effectiveness of the security controls in place for the products listed below. Autodesk has selected industry-standard attestations and certifications for its products: a SOC 2 attestation (issued under AT Section 101) and ISO 27001, ISO 27017 and ISO 27018 certifications. Below is the current list of products covered by these attestations and certifications.
BIM 360 Field Management (aka “Next Gen BIM 360 Field”)
BIM 360 Model Coordination (aka “Next Gen BIM 360 Glue”)
BIM 360 Document Management
BIM 360 Document Management (EMEA)
Collaboration for Revit (C4R)
BIM 360 Team
To read the full Autodesk SOC 2 audit report, or to inquire about the compliance status of a product not listed above, contact us.
Security & Risk Assessment
Autodesk performs regular internal audits and risk assessments to monitor changes in the environment and adherence to policies and procedures, and to identify new and emerging risks.