Product Security Program
Overview
The times when security could be an afterthought in product development are long behind us. Technology experts and leaders understand that security needs to be considered from the very beginning of the product creation process and addressed throughout the entire product lifecycle.
MiR operates a Product Security Program that ensures security is addressed at every step, from the idea for a product, through development and testing, to shipping it to our customers. The program extends beyond that as well: through securely operating the product for many years at our customers’ sites, up to secure decommissioning.
These are some, but by no means all, of the elements of the MiR Product Security Program:
Secure Development
Development encompasses multiple phases of the product’s lifecycle: everything from the concept phase to the release of a new product or product version. This is the most complex part of the product lifecycle: it is where the engineering activities are performed to make an idea become reality.
At MiR, we take several steps to ensure that we consistently deliver highly secure products which meet our customers’ needs for operating secure enterprise networks and industrial automation systems. Some of the most prominent include:
Following the IEC 62443 standard for Industrial Automation and Control System security
Conducting threat modeling as part of every product and feature design
Following secure design principles
Following secure coding guidelines
Conducting a wide range of automated security scanning and testing
Conducting external penetration tests
Risk Management
All security findings, regardless of their source, are subject to a rigorous risk management process. We thoroughly assess the customer risk associated with a finding and take the appropriate risk response actions.
Security improvements are part of most MiR software releases, and where prompt actions are necessary, Security Advisories are published and patches are released as soon as possible.
Patching Strategy
Security improvements and updates are part of most MiR software releases. Where prompt action is necessary, a patch release can be issued.
A patch release can be triggered by several things. One of these triggers is a newly discovered vulnerability in a third-party dependency. As part of our supply chain security controls, we monitor our dependencies for vulnerabilities and assess issues immediately upon discovery.