Q. Do you document and perform quality and cybersecurity reviews and testing, including vulnerability scanning covering static, dynamic, and secure code testing using best practices prior to release?
A. Yes, we document the security review process, document the testing process and perform a code analysis process.
Q. Do you warrant that products have been developed in accordance with principles of secure software development best practices such as OWASP, CSA & IEC62443 including security design review, secure coding practices, risk-based testing?
A. Not applicable. Our software is developed on the Niagara Framework-provided APIs. We perform an internal security review of the software and perform static code analysis.
Q. Do you perform audits or other reviews of your software to warrant that security controls are being implemented and operating effectively? If not, please explain.
A. Not applicable. Our software is developed on the Niagara Framework-provided APIs. We perform an internal security review of the software and perform static code analysis.
Q. Do you have a publicly documented process for managing security vulnerabilities in your application(s)? What is your process for managing and communicating security vulnerabilities in your application?
A. We follow an internal process for security review & identifying vulnerabilities and a mitigation strategy.
Q. If compliant on previous question, do you warrant that all vulnerabilities rated critical and high have been remediated before making your product available on the Niagara Marketplace?
A. Yes.
Q. Do you warrant you have removed unnecessary features, components, back doors, files, protocols, and ports from the software or product you are offering through the Niagara Marketplace? That is, does it weaken the Niagara Framework?
A. Tridium Professional Services product does not weaken the Niagara Framework.
Q. Do you have a formal change control and release management processes to manage code changes?
A. Yes.
Q. Do you perform Input Data Validation checks on your product to verify that the inputs (e.g., character set, length, numerical range, and acceptable values) match specified definitions for format and content to prevent injection attacks?
A. Yes.
Q. Do you monitor for known vulnerabilities from common sources such as OWASP, CVE, NVD, etc. and apply recommended patching to your product? Also, do you maintain an up-to-date security vulnerability management plan for all your software products?
A. Our product uses the standard Niagara Framework APIs and we conduct an internal security review process.
Q. Are your products digitally signed?
A. Yes.
Q. Is the Open Source Software (OSS) appropriately licensed for use in your product to be offered on the Marketplace? If so, please provide a list of open source software (OSS) and versions utilized in your project.
A. Not Applicable. We do not use Open Source Software in our Tridium Professional Services product.
Q. Are all personnel required to sign Non-Disclosure Agreements (NDA) or Confidentiality Agreements (CA) as a condition of employment to protect customer information?
A. Not applicable. We’re part of Honeywell.
Q. Are all of your developers trained on secure SDLC practices?
A. Yes.
© 2024 Tridium Inc. All rights reserved.
Tridium, Inc., is a wholly owned subsidiary of Honeywell International Inc.