Project Example: ECOSPEED AG

Certified Software Development for Managing Environmental Indicators

Because the generation of environmental indicators requires a high degree of accuracy and protection against manipulation, ECOSPEED AG has had the development of its software products for climate protection certified by TÜV TRUST IT. The test seal “Trusted Development” confirms the security of the software development process.

Initial situation

ECOSPEED AG, a former spin-off of the Swiss Federal Institute of Technology Zurich (ETH) with locations in Zurich and Bonn, is a highly specialised software provider for energy, environmental and climate applications. Its various web-based software solutions for balancing, managing and simulating environmental indicators and measures are used by public authorities, companies as well as private users. Since this also comprises sensitive data such as energy costs and as high demands are placed on precision and security, the market is increasingly demanding objective proof of the quality of the software and its development process. TÜV TRUST IT was therefore commissioned by ECOSPEED AG to certify the software development process. The aim of the certification audit was to identify security-relevant risks that would allow an external attacker to endanger the security goals of ECOSPEED AG and undermine the integrity, confidentiality and availability of the processes and customer data.

Approach

The project included audits in the categories of software design, planning and implementation, IT security, information protection and data protection. In addition to various norms, standards and laws, the “Trusted Development” catalogue of requirements is based on TÜV TRUST IT’s own criteria and experiences as well as common IT security best practices.

A central component of the certification project was an audit of the software development process, in which the security measures considered were analysed. According to the catalogue of requirements, the audit covered all phases from the definition of requirements, design and implementation to test procedures, deployment and operation. A further part of the investigation was the technical examination of the infrastructure used for the development. The actual security was determined on the basis of the “Trusted Development” requirements.

In addition, TÜV TRUST IT’s experts also addressed the relevant organisational processes on the basis of international and national standards and examined whether control measures for access to program source code and associated elements have been established. “During the analysis, the developed applications proved to be robust against attack patterns typical for web applications”, explains André Zingsheim, project manager at TÜV TRUST IT.

Certificate handover at ECOSPEED AG in Zürich

“Weak points identified in the audit were quickly remedied by adequate measures, which gradually led to a high level of security being achieved. In addition, a process-routine ensures that new vulnerabilities are addressed in order to initiate appropriate measures to ensure a consistently high level of security.”

Benefits

With the “Trusted Development” certification, ECOSPEED AG can now prove to its customers and business partners that the software development process is suitable for creating secure software. In addition, ECOSPEED AG has also benefited from the know-how transfer with the experts of TÜV TRUST IT. “The seal of approval is the ideal instrument for us to transparently demonstrate to our customers and partners that our software solutions are secure and that their data is in good hands with us. The result of the certification process is not only the seal of approval, but also a lot of new experiences and insights that ultimately benefit our customers with our solutions”, explains Thomas Herzberger, Director Software Development at ECOSPEED AG.