Todor security (#1525)

* Create security-best-practices.md

* Update and rename getting-started/security-best-practices.md to getting-started/installation/security-best-practices.md

* Update security-best-practices.md

* Update security-best-practices.md

* Update security-best-practices.md

* Update security-best-practices.md

* Update security-best-practices.md

* Update security-best-practices.md

* Update security-best-practices.md

* Update security-best-practices.md

* Update security-best-practices.md

* Update security-best-practices.md

* Update security-best-practices.md

* Update security-best-practices.md

* Update security-best-practices.md

* Update security-best-practices.md

* Update security-best-practices.md

* Update security-best-practices.md

* Update security-best-practices.md

* Update security-best-practices.md

* Update security-best-practices.md

* Update security-best-practices.md

* Update security-best-practices.md

* Add files via upload

* Update and rename security-best-practices.md to security/security-best-practices.md

* Update and rename security-faq.md to security/security-faq.md

* Update and rename security-overview.md to security/security-overview.md

* Delete getting-started/installation/security-best-practices.md

* Update _config.yml

* Update security-best-practices.md

* Update security-best-practices.md

---------

Co-authored-by: Dimitar Nikolov <dnikolov@progress.com>

_config.yml

@@ -7,14 +7,17 @@ has_kb_portal: true
 # Trial download info
 has_cta_panels: true
 
-# Exclude files which should not be in the output
+# Exclude files that should not be in the output
 exclude: [README.md,Gemfile,Gemfile.lock,api_sort.rb,build_kb.rb,switch-ruby.cmd,TodorReadme.txt,report-designer-translations,_assetsApi]
 exclude_navigation: ["knowledge-base/*","embedding-reports/host-the-report-engine-remotely/telerik-reporting-wcf-service/*","embedding-reports/display-reports-in-applications/silverlight-application/*","embedding-reports/host-the-report-engine-remotely/asp.net-core-web-api-implementation/how-to-host-reports-service-in-asp.net-core-3.1","embedding-reports/display-reports-in-applications/web-application/html5-report-viewer/how-to-use-html5-report-viewer-in-an-asp.net-core-3.1-application","designing-reports/report-designer-tools/web-report-designer/how-to-set-up-in-.net-core-2.1-application","embedding-reports/display-reports-in-applications/web-application/angular-report-viewer/how-to-use-angular-report-viewer-with-systemjs"]
 navigation:
 ## List your directory names and order here, like this:
     getting-started:
-        position: 2
+        position: 1
         title: "Getting Started"
+    security:
+        position: 2
+        title: "Security"
     getting-started/web-designer:
         position: 5
         title: "Web Report Designer"

security/security-best-practices.md

@@ -0,0 +1,84 @@
+---
+title: Best Practices
+page_title: Best Security Practices when Embedding Telerik Reporting
+description: "Check the recommended security practices when embedding Telerik Reporting and working with its reports, services, and viewers."
+slug: security-best-practices
+tags: telerik, reporting, security, best, practices
+published: True
+position: 4
+---
+
+# Security Best Practices
+
+The article discusses general and reporting-specific security practices. While the recommendations may be necessary to keep your applications embedding Telerik Reporting secure, they may not be sufficient. The article should not be regarded as a complete and comprehensive security guidance.
+
+## General Security Considerations
+
+### Configuration Settings
+
+The suggestions in this section are the responsibility of the developer embedding Telerik Reporting in a custom application.
+
+* Run your applications hosting the [Telerik Reporting REST Services]({%slug telerikreporting/using-reports-in-applications/host-the-report-engine-remotely/telerik-reporting-rest-services/overview%}) and [Web Report Viewers]({%slug telerikreporting/using-reports-in-applications/display-reports-in-applications/overview%}) under [HTTPS protocol](https://developer.mozilla.org/en-US/docs/Glossary/HTTPS) and with the [CORS](https://developer.mozilla.org/en-US/docs/Glossary/CORS) enabled at the minimum required level.
+* Avoid the [Unsafe Code](https://learn.microsoft.com/en-us/dotnet/csharp/language-reference/language-specification/unsafe-code) in your projects and their references.
+* Consider implementing [Rate Limiting](https://learn.microsoft.com/en-us/aspnet/core/performance/rate-limit?view=aspnetcore-8.0) in your Reporting Services to limit network traffic and prevent bad agents from exhausting system resources.
+
+## Reporting Specific Considerations
+
+### Report Definitions
+
+* The [Report Definitions]({%slug on-telerik-reporting%}#report-definition) gets instantiated by the Reporting Engine in runtime. The developer should ensure they come from trusted sources and don't contain malicious code.
+* The _Type_ report definitions are instantiated with reflection from the provided assembly. The advice from the section [Extending Telerik Reporting](#extending-telerik-reporting) is valid for these reports. Note that the assemblies with _Type_ reports don't require registration in the _assemblyReference_ of the configuration. It is the responsibility of the developer to ensure they don't threaten the environment.
+* The declarative report definitions (_TRDP_, _TRDX_, and _TRBP_ files) describe the report layout with XML code. The Reporting Engine [unpackages]({%slug telerikreporting/using-reports-in-applications/program-the-report-definition/package-report-definition%}) or [deserializes]({%slug telerikreporting/using-reports-in-applications/program-the-report-definition/serialize-report-definition-in-xml%}) them to make the required [Telerik.Reporting.Report](/api/telerik.reporting.report) instance. The developer should ensure no content may result in malicious executable code that may result in a security breach.
+* The Reporting Engine fetches the data from the [DataSource components]({%slug telerikreporting/designing-reports/connecting-to-data/data-source-components/overview%}) based on its properties. For example, the [SqlDataSource]({%slug telerikreporting/designing-reports/connecting-to-data/data-source-components/sqldatasource-component/overview%}) provides a connection string, data provider, and a command, which may be an inline query or stored procedure name. The connection is delegated entirely to the specified provider and relies on the connection string. Our recommendation:
+
+	- use data connections with the least necessary permissions
+
+	Data is fetched by the data provider by executing the command. Ensure the user doesn't have permissions, for example, to delete information from the data tables.
+
+	- do not include connection strings and credentials in report files
+
+	Use [named/shared](https://learn.microsoft.com/en-us/dotnet/framework/data/adonet/connection-strings-and-configuration-files) rather than embedded connection strings. The Reporting Engine will resolve them from the application configuration.
+
+### Reporting Services
+
+* The [Telerik Reporting REST Service]({%slug telerikreporting/using-reports-in-applications/host-the-report-engine-remotely/telerik-reporting-rest-services/overview%}) is a Web API application. Use the Microsoft recommendations [ASP.NET Core security topics](https://learn.microsoft.com/en-us/aspnet/core/security/?view=aspnetcore-8.0) to ensure it is secure.
+* The service is represented by the [abstract ReportsControllerBase class](/api/telerik.reporting.services.webapi.reportscontrollerbase). Its methods are not authorized. They are virtual and it is your responsibility to authorize the Reporting REST API defined in the custom ReportsController inheriting the ReportsControllerBase.
+* The requests for resources are marked with the [AllowAnonymous attribute](https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.authorization.allowanonymousattribute?view=aspnetcore-8.0) by design. For that reason, the [Report Viewers]({%slug telerikreporting/using-reports-in-applications/display-reports-in-applications/overview%}) won't add [authenticationToken]({%slug telerikreporting/using-reports-in-applications/display-reports-in-applications/web-application/html5-report-viewer/api-reference/reportviewer/methods/authenticationtoken(token)%}) to these requests. If you need to authenticate the whole Web API of the Reporting REST Service, you need to add the header with a custom approach, for example, as explained in the following resources:
+
+	- [Request to '/api/reports/.../{documentId}' Is Not Authorized]({%slug why-get-document-request-is-unauthorized%})
+	- [Authorization in REST Service Controller]({%slug reporting-rest-service-authorization%})
+
+### Extending the Reporting Engine
+
+Telerik Reporting lets you extend its built-in functionality with custom code, for example by introducing [Custom User Functions]({%slug telerikreporting/designing-reports/connecting-to-data/expressions/extending-expressions/user-functions%}), [Custom Aggregate Functions]({%slug telerikreporting/designing-reports/connecting-to-data/expressions/extending-expressions/user-aggregate-functions%}), [Event Handlers]({%slug telerikreporting/designing-reports/report-designer-tools/desktop-designers/standalone-report-designer/using-event-handlers-in-srd%}) and [ObjectDataSources]({%slug telerikreporting/designing-reports/connecting-to-data/data-source-components/objectdatasource-component/overview%}). The Reporting Engine invokes the custom functionality with reflection. The allowed assemblies should be whitelisted in the configuration of the application hosting the Reporting Engine as explained in the articles [assemblyReferences Element]({%slug telerikreporting/using-reports-in-applications/export-and-configure/configure-the-report-engine/assemblyreferences-element%}), [TypeReferences]({%slug telerikreporting/using-reports-in-applications/export-and-configure/configure-the-report-engine/typeReferences-element%}), and [typeValidation]({%slug telerikreporting/using-reports-in-applications/export-and-configure/configure-the-report-engine/typeValidation-element%}). The entire responsibility for registering the custom assemblies and the security of their code is delegated to the developer.
+
+>tip Use only trusted assemblies that are signed with a public key token (see [Assembly (CLI)](https://en.wikipedia.org/wiki/Assembly_(CLI))) and cannot be replaced when extending the Reporting functionality in your projects, avoiding remote code execution and other malicious actions.
+
+### Report Viewers
+
+Don't expose sensitive information when working with the Report Viewers. Consider the following:
+
+* URL taking the user to the Report Viewer
+
+	Don't pass the report identifier, parameter values, or other sensitive information as inline or query parameters as they become part of the URL.
+
+* Client-side ReportSource, for example, the [HTML Report Viewer's reportSource]({%slug telerikreporting/using-reports-in-applications/display-reports-in-applications/web-application/html5-report-viewer/api-reference/reportviewer/methods/reportsource(rs)%}).
+
+	The viewer's/client-side _reportSource_ is sent to the service with the request. Avoid sending sensitive information with it. For example, you may pass the connection string to the report as a Report Parameter Value as explained in the KB article [Change Connection String dynamically through a report parameter]({%slug how-to-pass-connectionstring-to-report-dynamically-through-report-parameter%}). The value will be sent in the body of the request, which may be insecure, especially when the application runs under HTTP.
+	
+	When using HTTPS, the requests are encrypted and generally considered as secure. If you want an additional level of security, consider the [ReportSource Resolver]({%slug telerikreporting/using-reports-in-applications/host-the-report-engine-remotely/telerik-reporting-rest-services/rest-service-report-source-resolver/overview%}) that resolves the client-side reportSource to a server-side one. For example, use as _reportSource.report_ insensitive identifiers that may be resolved to the actual ones in the resolver.
+
+### Web Report Designer
+
+Use [Fine Tune the Customization in the Web Report Designer]({%slug telerikreporting/report-designer-tools/web-report-designer/web-report-designer-customization%}#fine-tune-the-customization-in-the-web-report-designer) to limit the permissions per user.
+
+### Report Converters
+
+When using the [Report Converters]({%slug telerikreporting/designing-reports/converting-reports-from-other-reporting-solutions/overview%}) provided by Telerik Reporting tool, you need to ensure the imported report definitions are safe and don't contain malicious code.
+
+## See Also
+
+* [Security Overview]({%slug security-overview%})
+* [Security FAQ]({%slug security-faq%})
+* [Introduction to Telerik Reporting]({%slug telerikreporting/welcome-to-telerik-reporting!%})
+* [System Requirements](https://www.telerik.com/products/reporting/system-requirements)

security/security-faq.md

@@ -0,0 +1,69 @@
+---
+title: FAQ
+page_title: FAQ
+description: "Find answers to common questions about Telerik's Reporting best security practices and guidelines"
+slug: security-faq
+tags: telerik, security, reporting, faq
+published: True
+position: 2
+---
+
+# Frequently Asked Questions (FAQ)
+
+In this article, you will find essential security information and resources related to [Telerik Reporting]({%slug telerikreporting/welcome-to-telerik-reporting!%}). Whether you need to report vulnerabilities, manage third-party dependencies, or understand how security fixes are delivered, this FAQ provides clear guidance on our security processes. Explore best practices and learn how Progress ensures the highest level of security for its products, from vulnerability reporting to compliance with industry standards.
+
+## How can I submit a security vulnerability report?
+
+If you have identified a potential security vulnerability in a Telerik or Kendo UI product, you can report it through the following channels:
+
+- **For Progress Customers**: Submit a security report by opening a support ticket through the [Technical Support Center](https://www.telerik.com/account/support-center). Provide detailed information, including the steps to reproduce the issue and any relevant reports or screenshots.
+
+- **For Security Researchers**: Ethical hackers and security researchers can report vulnerabilities through our [Bugcrowd Vulnerability Disclosure Program](https://bugcrowd.com/engagements/whatsupgold-vdp). This platform ensures that security issues are addressed efficiently and transparently.
+
+We will review the report and follow up in line with our security processes, making every effort to resolve confirmed vulnerabilities in a timely manner.
+
+---
+
+## What if clients are using a third-party scanning tool and want our assessment?
+
+Clients can open a support ticket through the [Technical Support Center](https://www.telerik.com/account/support-center) for the respective product and submit detailed information, including scan reports (PDF/Word/Excel/Screenshot) triggered against a no-minified version of the scripts and steps to reproduce or evidence of the issue. Our team will review and respond accordingly. We treat Security Vulnerability reports with **highest priority** and we engage with our internal Security Champions for revisions.
+
+> Tip: We recommend running the scan against the latest product version, as the problem may have already been resolved. 
+
+---
+
+## What is Progress's policy on handling third-party dependencies?
+
+Progress uses leading commercial tools to automatically monitor and update third-party dependencies in our Telerik and Kendo GitHub projects. Alerts are set up for all GitHub-hosted products, and any identified vulnerable dependencies are addressed by the repository owners and our dedicated security team.
+
+Note: Our definition of "done" includes successful builds that are scanned using top security scanning tools, and the resolution of any security alerts.
+
+---
+
+## Is security integrated into the CI pipeline?
+
+Yes, for example, our CI builds are integrated with some of the leading security scanning tools to ensure that new code commits do not introduce vulnerabilities or insecure code.
+
+---
+
+## How does Progress prioritize security reports?
+
+We prioritize security vulnerability reports with the highest urgency. When we receive an inquiry or vulnerability report, we begin by analyzing the issue to determine whether it's a false positive or a valid concern. If the report is confirmed as valid, we assess its severity using the CVSS (Common Vulnerability Scoring System) and promptly release a patch based on the severity level.
+
+---
+
+## How are security fixes shipped?
+
+Security fixes are typically included in the next product release. Similar to the bugfixes policy, we maintain and commit to support the latest version of the product. That said, if you want to benefit from a security fix, you would need to upgrade to the version where the fix exists.
+
+---
+
+## How are customers notified about security fixes?
+
+Once a vulnerability is fixed, we aim to release a patched version of the product. Depending on the severity of the issue, we may notify customers through CVE publications, email, blog posts, KB articles, or Release Notes for the specific product.
+
+---
+
+## Does Progress/Telerik have any security certifications or accreditations, such as SOC 2 or other industry-recognized standards?
+
+Yes, Progress and DevTools products perform annual SOC 2 compliance, which validates our commitment to security, confidentiality, and privacy. You can find more information about our compliance on the [Progress Trust Center](https://www.progress.com/trust-center). Additionally, we align our security practices with industry-leading frameworks to maintain and continually improve our high security standards.

security/security-overview.md

@@ -0,0 +1,71 @@
+---
+title: Overview
+page_title: Overview
+description: "Learn Telerik's best security practices, vulnerability reporting, and control-specific security guidelines."
+slug: security-overview
+tags: telerik, security, dpl, document, processing, redistributing, report
+published: True
+position: 1
+---
+
+# Security
+
+In today's world, security is more critical than ever. At Progress, we prioritize our customers' security, ensuring that our products are built with a strong foundation to safeguard their data and operations. We are committed to identifying and addressing potential vulnerabilities to provide our clients with the highest level of protection and confidence in our products.
+
+## Purpose of this Article
+
+This article covers common security-related questions, best practices, and the tools and processes we use to ensure the security of our products. It also outlines how customers and security researchers can report security issues, including our processes to mitigate risks. We provide guidance for submitting security reports through technical support or Bugcrowd, ensuring a clear pathway for identifying and addressing security concerns.
+
+## Reporting Security Vulnerabilities
+
+Whether you're a customer encountering an issue or a security researcher, we have processes to ensure a swift response and evaluation. Below are the steps for Progress customers and security researchers to report potential security vulnerabilities:
+
+### For Progress Customers
+
+At Progress, we work diligently to identify and fix security vulnerabilities in our products. Customers who believe they have identified a security issue should contact Technical Support for an evaluation. This allows us to document the issue and have our engineering teams confirm and address it as needed. Customers can submit reports through our support center:
+- [Technical Support](https://www.telerik.com/account/support-center)
+- [Contact Us](https://www.telerik.com/account/support-center/contact-us/technical-support)
+
+### For Security Researchers
+
+We value the contributions of security researchers and ethical hackers. If a researcher identifies a potential vulnerability, they can submit it via our [Bugcrowd](https://bugcrowd.com/engagements/devtools-vdp) platform. We aim to meet the following response times:
+
+| Type of Response | SLO (in business days) |
+|------------------|------------------------|
+| First Response    | 7 days                 |
+| Time to Triage    | 10 days                |
+| Time to Resolution| Depends on severity    |
+
+For more information, visit:
+- [Bugcrowd Vulnerability Disclosure Program](https://bugcrowd.com/engagements/devtools-vdp)
+- [Progress Trust Center](https://www.progress.com/trust-center)
+- [Vulnerability Reporting Policy](https://www.progress.com/trust-center/vulnerability-reporting-policy)
+
+## What We Do to Mitigate Risk
+
+Our dedicated security team, comprised of experienced developers and security experts—our "Security Champions"—reviews all web, desktop, and mobile products technologies for potential vulnerabilities. These vulnerabilities may be internally identified, reported by third-party tools, or flagged externally.
+
+We actively manage the following strategies to mitigate risks:
+
+### Prevention
+
+Our primary goal is to prevent security issues before product delivery. We use the following prevention techniques:
+
+- **Internal Logging**: Every potential security issue is logged, researched, tested, and verified. Issues deemed valid are assessed using a CVSS score, with critical issues prioritized.
+- **Third-Party Static Analysis Testing**: We utilize some of the leading security scanning tools in the market to scan for vulnerabilities in our software code. Regular scans are conducted, and results are reviewed to address vulnerabilities and mitigate false positives.
+
+## Third-Party Dependencies Handling
+
+We leverage leading commercial tools to automatically monitor and update third-party dependencies in our Telerik and Kendo GitHub projects, ensuring they remain secure and up-to-date. Alerts are enabled for all GitHub-hosted products, and the identified vulnerable dependencies are addressed by the repository code owners and security champions.
+
+>Note: Our definition of "Done" includes successful builds that are scanned using top security scanning tools, and the resolution of any security alerts.
+
+## OWASP Top 10 Alignment
+
+We closely monitor the [OWASP Top 10](https://owasp.org/www-project-top-ten/) list of security risks and align our security practices with these industry-leading standards. Regular updates ensure that our products address evolving security threats and vulnerabilities.
+
+## Redistributing Telerik Reporting
+
+[Telerik Reporting]({%slug telerikreporting/welcome-to-telerik-reporting!%}) is part of several Telerik bundles and is licensed under the conditions with which you've obtained the product. In the article you can find technical guidelines for protecting the Telerik Reporting binaries when redistributing them with your integrated product.
+
+For more detailed answers to common security-related questions, please refer to our [Security FAQ page]({%slug security-faq%}).