Q. Do you document and perform quality and cybersecurity reviews and testing, including vulnerability scanning covering static, dynamic, and secure code testing using best practices prior to release?
Q. Do you warrant that products have been developed in accordance with secure software development best practices such as OWASP, CSA and IEC 62443, including security design review, secure coding practices, and risk-based testing?
Q. Do you perform audits or other reviews of your software to warrant that security controls are being implemented and operating effectively? If not, please explain.
Q. Do you have a publicly documented process for managing security vulnerabilities in your application(s)? What is your process for managing and communicating security vulnerabilities in your application?
Q. If yes to the previous question, do you warrant that all vulnerabilities rated critical and high have been remediated before making your product available on the Niagara Marketplace?
Q. Do you warrant that you have removed unnecessary features, components, back doors, files, protocols, and ports from the software or product you are offering through the Niagara Marketplace? That is, does anything left in your product weaken the Niagara Framework?
Q. Do you have formal change control and release management processes to manage code changes?
Q. Do you perform Input Data Validation checks on your product to verify that the inputs (e.g., character set, length, numerical range, and acceptable values) match specified definitions for format and content to prevent injection attacks?
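The following is an added illustration of the kind of check the question above refers to; it is not code from Tridium, the Niagara Framework, or any Marketplace vendor. It validates a constructed point-configuration record against an allow-list definition of each field (permitted character set, length, numeric range, and a closed set of acceptable values), rejects unknown fields, and shows that an injection-shaped string fails the character-set check before it could ever reach a query or command. The field names, schema, and sample records are assumptions made up for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Union


class ValidationError(ValueError):
    """Raised when an input does not match its specified definition."""


@dataclass(frozen=True)
class FieldSpec:
    """Specified definition for one input field. Every check is allow-list based."""
    pattern: str                               # permitted character set / format, matched against the whole value
    min_len: int = 1
    max_len: int = 64
    numeric: bool = False                      # parse as a number and range-check it
    min_val: Optional[float] = None
    max_val: Optional[float] = None
    allowed: Optional[FrozenSet[str]] = None   # closed set of acceptable values, if any


def validate_field(name: str, spec: FieldSpec, raw: object) -> Union[str, float]:
    """Return the validated (and, for numeric fields, converted) value or raise ValidationError."""
    if not isinstance(raw, str):
        raise ValidationError(f"{name}: expected a string, got {type(raw).__name__}")
    # Length is checked before the regex so an oversized hostile string never reaches the regex engine.
    if not spec.min_len <= len(raw) <= spec.max_len:
        raise ValidationError(f"{name}: length {len(raw)} outside [{spec.min_len}, {spec.max_len}]")
    # fullmatch anchors the pattern at both ends; a plain search() would let prefixes/suffixes through.
    if re.fullmatch(spec.pattern, raw) is None:
        raise ValidationError(f"{name}: contains characters outside the permitted set")
    if spec.allowed is not None and raw not in spec.allowed:
        raise ValidationError(f"{name}: {raw!r} is not an acceptable value")
    if spec.numeric:
        value = float(raw)  # the pattern already guarantees a plain numeric literal
        if spec.min_val is not None and value < spec.min_val:
            raise ValidationError(f"{name}: {value} below minimum {spec.min_val}")
        if spec.max_val is not None and value > spec.max_val:
            raise ValidationError(f"{name}: {value} above maximum {spec.max_val}")
        return value
    return raw


def validate_record(schema: Dict[str, FieldSpec], record: Dict[str, object]) -> Dict[str, Union[str, float]]:
    """Validate every field of `record` against `schema`; unknown and missing fields are rejected."""
    unknown = set(record) - set(schema)
    if unknown:
        raise ValidationError(f"unexpected field(s): {sorted(unknown)}")
    validated: Dict[str, Union[str, float]] = {}
    for name, spec in schema.items():
        if name not in record:
            raise ValidationError(f"{name}: missing required field")
        validated[name] = validate_field(name, spec, record[name])
    return validated


# Assumed schema for a hypothetical point-configuration request (names invented for this example).
POINT_SCHEMA: Dict[str, FieldSpec] = {
    "pointName": FieldSpec(pattern=r"[A-Za-z][A-Za-z0-9_]*", max_len=32),
    "setpoint": FieldSpec(pattern=r"-?[0-9]{1,3}(\.[0-9]{1,2})?", max_len=8,
                          numeric=True, min_val=-40.0, max_val=120.0),
    "pollSeconds": FieldSpec(pattern=r"[0-9]{1,5}", max_len=5,
                             numeric=True, min_val=1, max_val=86400),
    "protocol": FieldSpec(pattern=r"[a-z]+", max_len=8,
                          allowed=frozenset({"bacnet", "modbus", "obix"})),
}

# Constructed sample input that should pass.
GOOD_RECORD = {"pointName": "AHU1_SupplyTemp", "setpoint": "72.5",
               "pollSeconds": "30", "protocol": "bacnet"}


def is_rejected(record: Dict[str, object]) -> bool:
    """True if the record fails validation; used to exercise the rejection paths."""
    try:
        validate_record(POINT_SCHEMA, record)
    except ValidationError:
        return True
    return False


if __name__ == "__main__":
    print(validate_record(POINT_SCHEMA, GOOD_RECORD))
    # Constructed hostile/malformed inputs: each must be rejected.
    for bad in (
        {**GOOD_RECORD, "pointName": "temp'; DROP TABLE points;--"},  # injection shape: bad charset
        {**GOOD_RECORD, "setpoint": "999"},                            # well-formed but out of range
        {**GOOD_RECORD, "protocol": "telnet"},                         # not in the acceptable set
        {**GOOD_RECORD, "extra": "x"},                                 # field the definition never listed
    ):
        print("rejected" if is_rejected(bad) else "ACCEPTED", bad)
```

The point of the ordering is that cheap structural checks (type, length) run before the regex, and the closed allow-list and numeric range run after the character-set check, so every rejected value is caught by the narrowest rule that applies; no value is passed to a downstream query, command, or file path until it has matched its specified definition exactly.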
Q. Do you monitor for known vulnerabilities from common sources such as OWASP, CVE, NVD, etc. and apply recommended patching to your product? Also, do you maintain an up-to-date security vulnerability management plan for all your software products?
Q. Are your products digitally signed?
Q. Is the Open Source Software (OSS) appropriately licensed for use in the product you are offering on the Marketplace? If so, please provide a list of the open source software (OSS) and versions utilized in your product.
Q. Are all personnel required to sign Non-Disclosure Agreements (NDA) or Confidentiality Agreements (CA) as a condition of employment to protect customer information?
Q. Are all of your developers trained on secure SDLC practices?