Q. Do you document and perform quality and cybersecurity reviews and testing, including vulnerability scanning covering static, dynamic, and secure code testing using best practices prior to release?
A. Yes, we are ISO27001 certified and perform testing and reviews to that standard.
Q. Do you warrant that products have been developed in accordance with principles of secure software development best practices such as OWASP, CSA & IEC62443 including security design review, secure coding practices, risk-based testing?
A. Yes
Q. Do you perform audits or other reviews of your software to warrant that security controls are being implemented and operating effectively? If not, please explain.
A. Yes, all source code is open for read access to all internal development teams to review and comment prior to any release.
Q. Do you have a publicly documented process for managing security vulnerabilities in your application(s)? What is your process for managing and communicating security vulnerabilities in your application?
A. Any security vulnerabilities would be tracked in Gitlab against the codebase of the application, and all builds containing the issue marked as not for release until it is fixed. All existing installs of the software would also be tracked via licensing and informed of the issue, and a free security update offered.
Q. If compliant on previous question, do you warrant that all vulnerabilities rated critical and high have been remediated before making your product available on the Niagara Marketplace?
A. Yes
Q. Do you warrant you have removed unnecessary features, components, back doors, files, protocols, and ports from your software or product you are offering through the Niagara Marketplace? That is, does it weaken the Niagara Framework?
A. Yes, we take steps to thoroughly test for any workarounds or backdoors in our software. All software is strictly version controlled so any unnecessary components are not included.
Q. Do you have a formal change control and release management processes to manage code changes?
A. Yes, we use Gitlab for version control and code push sign-off. All builds are explicitly marked as internal or development builds until approved for release.
Q. Do you perform Input Data Validation checks on your product to verify that the inputs (e.g., character set, length, numerical range, and acceptable values) match specified definitions for format and content to prevent injection attacks?
A. Yes, all software is thoroughly reviewed and tested before being marked as release.
Q. Do you monitor for known vulnerabilities from common sources such as OWASP, CVE, NVD, etc. and apply recommended patching to your product? Also, do you maintain an up-to-date security vulnerability management plan for all your software products?
A. Yes, as part of our ISO27001 accreditation we track known vulnerabilities via various providers such as cve.org.
Q. Are your products digitally signed?
A. Yes, we use code signing certificates for all of our software.
Q. Is the Open Source Software (OSS) appropriately licensed for use in your product to be offered on the Marketplace? If so, please provide a list of open source software (OSS) and versions utilized in your project.
A. We do not use any Open source software that requires licensing.
Q. Are all personnel required to sign Non-Disclosure Agreements (NDA) or Confidentiality Agreements (CA) as a condition of employment to protect customer information?
A. This is dependent on their role within the company and what data they have access to. All employees are covered by our ISO27001 data handling policies, which are signed at the start of employment.
Q. Are all of your developers trained on secure SDLC practices?
A. Yes, and ongoing security training is provided to all employees annually.
© 2024 Tridium Inc. All rights reserved.
Tridium, Inc., is a wholly owned subsidiary of Honeywell International Inc.