What security procedures, scanning, best practices does OSIsoft use in application development? Any certified security?
Thanks, Vince. The code development process itself is in accordance with SDL (ISO 27034-1). Practices include static analysis, code reviews, dynamic stress testing methods, and defensive programming courses, as you mentioned. Data-centric security metrics are used internally to evaluate teams' SDL maturity. OSIsoft also uses third-party engagements to advance security practice capability. A few examples of recent engagements include:
• 2015/2016/2017 Springfield Fuzzer (15x Microsoft)
• 2016 PI Coresight (IOActive)
• 2016 PI Coresight Claims (Public/Private Consortium)
• 2017 PI Data Archive Schannel Review (IOActive)
• 2018 US DoD DIACAP ‘Authority to Operate’
The following links will help you in configuring the security,
Thanks, but that's not what I'm asking. How does OSIsoft ensure the security of its applications? Not installations of its applications. Do they run security scanning software against development code before release? Looking for something like this or that addresses STIG or FAR.
Continuous Monitoring and Security Assessments
We have in place various proactive monitoring and active security policies and procedures to identify abnormal behavior, catch anomalous activity, detect and isolate suspicious activity against or within our online solution. Examples include limitations on authentication requests, location based risk evaluations, size and growth of user activity, failed authentications, API rate requests and more.
Our development teams go through a number of defensive programming courses. The specifics of which I am unaware. Maybe Bryan Owen or Harry Paul can help weigh-in here.
Thank you, exactly what I needed. I'm not sure how to mark the question answered.