EPRI: Electric Power Research Institute

Software Development

SWS Security Requirements

All Subscriber Websites (SWS) must pass the security requirements of the Open Web Application Security Project (OWASP) Application Security Verification Standard (ASVS) Project.

EPRI IT evaluates all SWS by utilizing the Rapid7 AppSpider automated scanning tool. This tool will be run against all SWS submissions (for new sites and updates to existing ones), and a scan report will be generated detailing the vulnerabilities found. Each vulnerability is categorized as High, Medium, Low, or Informational.

In order for an SWS to receive approval from the EPRI Information Security team (InfoSec), the scan report must have no High or Medium vulnerabilities present.

If High and/or Medium vulnerabilities are present on the scan report, the developer must:

  • Submit a Security Remediation Plan to InfoSec for review and take appropriate actions to remediate the vulnerabilities; OR
  • Submit evidence that the scanner finding(s) are false positive(s).

If only Low and/or Informational vulnerabilities are present, then the scan report will be submitted to InfoSec for their review and approval.

If you have any questions about the findings in these scan reports, please contact the Information Security Team for guidance.