Cyber Security Testing Approach Statement

Testing Approaches
To effectively identify vulnerabilities in software applications, ProcessVue employs two well-established testing methodologies:
1. Dynamic Application Security Testing (DAST)
2. Static Application Security Testing (SAST)

Dynamic Application Security Testing (DAST)
A “black box” testing method with no access to source code, designed to test software in its deployed or running state. Testing is approached with the mindset of a hacker trying to gain access to software and monitoring the results of the attempted security breaches.

ProcessVue’s Cyber Security Measures:
ProcessVue Analyser and Sequence products operate as passive alarm and event reporting and analysis applications. The drivers where applicable are used for data collection and designed to prevent unauthorised write-back to host systems.

ProcessVue Guardian, our Master Alarm Database application is deliberately air gapped from host systems and is incapable of unauthorised write-back. Alarm configurations are imported into ProcessVue Guardian using CSV files.

The ProcessVue software is delivered as a turnkey solution, preinstalled on Windows Server-grade computers. Installation is performed exclusively by approved engineers following ISO-approved procedures. To further enhance security, the solution can be hardened using the Microsoft Server Hardening Guide.

Security assessments, including penetration testing, are conducted periodically to identify and mitigate potential vulnerabilities. We actively engage third-party cybersecurity firms to perform rigorous penetration tests as part of our ongoing commitment to cybersecurity improvement.

Static Application Security Testing (SAST)
SAST is employed to identify vulnerabilities early in the software development lifecycle. This testing approach focuses on enforcing secure coding practices to minimise risks associated with software vulnerabilities.

ProcessVue’s Cyber Security Measures:

• Employee Vetting: Given the critical industries we serve, including nuclear energy, all ProcessVue employees, from engineers to software developers, undergo thorough security vetting.
• Adoption of OWASP Top 10 Best Practices: ProcessVue development aligns with the OWASP Top 10 guidelines where applicable to reduce common vulnerabilities within the software.
• Agile Development Security Measures:
  o User Requirement Specification (URS) development
  o Requirements discussions and user story planning
  o Security and vulnerability considerations during user story refinement
  o Secure coding practices incorporated into development sprints
  o Peer-reviewed pull requests to ensure security compliance
  o “Show & Tells” for risk discussions and feedback integration
  o Grey testing and test case development
  o Bug fix testing and test case updates
  o Beta releases and security testing before final deployment
• Code Peer Reviews: Each code release undergoes peer review to ensure security best practices are followed.
• DevOps Environment: ProcessVue’s DevOps environment facilitates secure development by enabling peer reviews and tracking changes across development sprints.

Future Considerations
ProcessVue has chosen not to implement a separate SAST application at this time to protect intellectual property. However, we remain open to expanding our SAST capabilities in the future as cybersecurity threats continue to evolve.

By integrating both SAST and DAST methodologies, ProcessVue ensures its software solutions remain resilient against cyber threats, safeguarding our customers and their critical operations.