1.7 KiB
1.7 KiB
name, description
| name | description |
|---|---|
| evolv-ot-it-security | Perform OT/IT security analysis for EVOLV Node-RED automation systems. Use when reviewing admin endpoints, node input handling, configuration exposure, dependency risk, network/data flow boundaries, and secure-by-default behavior for operational technology integrations. |
EVOLV OT/IT Security
Mission
Identify and reduce security risk while preserving operational reliability for process automation workloads.
Scope
- Node-RED admin endpoints in node entry files
- Input validation across
msg.topicand payload paths - Exposure of sensitive config/secrets in code, logs, or UI
- Dependency and supply-chain concerns in node packages
Security Workflow
- Enumerate attack surface:
- HTTP admin routes
- message ingress topics/payloads
- external service interfaces
- Validate input sanitization and type checks.
- Check least-privilege assumptions and secret handling.
- Evaluate failure modes for denial-of-service or unsafe operation.
- Recommend pragmatic controls with minimal operational friction.
Control Priorities
- Reject malformed or unauthorized control messages.
- Avoid leaking credentials, asset identifiers, or internal topology.
- Keep defaults safe; require explicit opt-in for risky behavior.
- Preserve auditability of critical control actions.
Validation Expectations
- Add negative tests for malformed inputs and unauthorized paths.
- Confirm error paths are explicit and non-sensitive.
- Document residual risk when controls are deferred.
Deliverables
Return:
- findings sorted by severity
- concrete remediation plan by file
- tests added for security regressions
- residual risks and compensating controls