Cybersecurity certification

Has anyone found clients/users are starting to request cybersecurity certification? I’m especially interested in how cybersecurity standards and regulations affect providing hosted services, and how anyone is dealing with them, such as multi-factor authentication.

Does the solution to meeting cybersecurity standards lie with Tryton itself, or does access to Tryton need to be protected by another system?

I found a 2019 discussion topic that touched on this, but from the perspective of user convenience with single-sign-on (Connect Tryton to Gluu using oxd-server)

Thanks all.

In my experience, a third party company is hired to run a penetration test on the application.

I’ve experienced this at a company offering access to a web based application that purchased a cyber security insurance policy.

The third party ran automated and manual tests covering OWASP and we received a report.


Thanks @vincent. Did the company run any tools or do any pre-testing before hiring a third-party audit (e.g. OWASP ZAP)? Do you know if the insurance provider wanted to see compliance with any specific cybersecurity standards?

I’m somewhat familiar with IEC 62443, which, although it is for operational technology in automation and control systems, I think compliance might be requested for, for example if a company was using Tryton to direct manufacturing operations (issue work orders, source for purchased parts, source of CAD drawings for custom parts, etc.), which would require multi-factor authentication (MFA).

No, we had not run any tools.

I do not recall whether the insurance provider wanted to see compliance with any specific standards.

I do remember that it looked like they had run open source tools you can find on the OWASP site, and I think I recall seeing reports that indicated Kali Linux was used too.


Requirements are defined by the customer based on their risk analysis and security policy. In my experience there is not much use in implementing controls like 2FA without clear demand from the customer. If you implement controls based on your experience or an educated guess, you basically make a risk analysis yourself, which might be anything between okay and totally wrong.

If you have more questions: my main business is being a certified IT security consultant and I’m for hire. (Website is in German, though.)
