Compliance with the OWASP standard (DCE & DCO)

Hi Ivan,

My engineering contact stated:

---------------------------------------------

OWASP is more like a community than a specific standard, but they do produce the OWASP Top Ten. These are some of the most commonly exploitable attack vectors / security practices that are generally considered a good basis to follow with respect to product testing and security requirements.

https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf

I would say that we use this as a guideline and that it directs a lot of our security testing and requirements. We have not done an official OWASP Top Ten certification or anything like that. I don’t think that exists, though there may be companies that help with similar certs that embrace the guidelines.

---------------------------------------------

That being said, I have nothing that I can provide as "evidence".

Thanks,

Steve

(CID:147197174)

Adding to Steve's comments. On the DCO side we do not publish the specifics regarding the processes and mechanisms we use to test our products for vulnerabilities and other security issues. This is partly because if we publicly document our methods we would be providing intel to those who would like to break our product.

That being said, I would recommend viewing this page https://ecostruxureit.com/security/ as it details measures taken in the ecostruxure IT platform. Most of the development portions of that page are built into the development process for the DCO server, desktop and web clients. A number of the sections on the above page check the boxes in the OWASP requirements.

Regards

Greg Sterling

(CID:147197238)