Project Example: ECOSPEED AG


Certified Software Development for Managing Environmental Indicators

Re-certification successful – software solutions from ECOSPEED AG once again demonstrate high safety standards

Because the generation of environmental indicators requires a high degree of accuracy and protection against manipulation, ECOSPEED AG has had the development of its software products for climate protection certified by TÜV TRUST IT. The test seal “TÜV TRUST IT Trusted Development” confirms the security of the software development process.

Initial situation

With more than 20 years of experience in the areas of CO2 and carbon footprinting for local authorities and companies, ECOSPEED AG is playing its part in climate protection with its software solutions. It is no coincidence that the company is one of the leading service providers in the areas of Corporate Carbon Footprint (CCF) and Product Carbon Footprint (PCF). More than 3,000 customers across Europe rely on its web-based software. A high level of security during the entire development process right through to the finished application is therefore a necessity.

Back in 2018, ECOSPEED AG commissioned the security experts at TÜV TRUST IT to put the application through its paces using the “Trusted Development” requirements catalogue and subsequently certify it. The application, which has been continuously developed over the years, was recently re-tested with the aim of re-certification according to “TÜV TRUST IT Trusted Development”.

Approach

As part of the certification project, the application’s security was extensively tested in the categories of IT security, information protection and data protection. As in 2018, the basis for this was the “Trusted Development” requirements catalogue, which draws on various norms, standards and laws, on TÜV TRUST IT’s own criteria and experience, and on established IT security best practices.

A central component of the project was the detailed security review of the finished application. The implemented security measures were analysed for effectiveness and robustness across a number of different steps, from the definition of requirements to the test procedures, deployment and operation, to ensure that the application meets the highest security standards. Particular emphasis lay on the security review of the web application, which is intended to uncover potential security vulnerabilities. The TÜV TRUST IT experts used various test methods to check the application’s susceptibility to attacks. These included scans for vulnerabilities, the simulation of attacks and a review of the “secure coding” implementation.

Another part of the investigation focussed on the technical review of the infrastructure that is used for development. The actual security of the infrastructure was determined on the basis of the “Trusted Development” requirements. The experts also looked at the relevant organisational processes and checked compliance with national and international standards. In particular, control measures for access to the program source code and associated elements were established and thoroughly reviewed to ensure that the high security standards are continuously maintained.

Benefits

Looking back, project manager Maximilian Schäfer from TÜV TRUST IT was happy with the process and the test results and explained the benefits of a “TÜV TRUST IT Trusted Development” test: “The developed applications have already proven to be extremely robust against typical attack patterns on web applications in numerous tests. The performed audits have shown that identified vulnerabilities were always quickly eliminated through adequate measures. As a result, the security standard has grown continuously and, as has already been established in the past, is at a high level. An established procedure also ensures that the company is able to react promptly to new vulnerabilities in order to initiate appropriate measures and thus guarantees a consistently high level of security.”

The re-certification also proves that the application continues to offer a high level of security even after many years of further development. Thomas Herzberger, Director Software Development at ECOSPEED AG, is not only pleased with the result, but also with the once again very positive course of the project: “We already knew the experts at TÜV TRUST IT from our previous collaboration, which is why it was absolutely clear to us that we would go down this path of re-certification together again. The entire project was again handled very professionally and was characterised by good and transparent communication. I am delighted that our application has once again proven that it guarantees our customers the highest possible level of security.”