Dear LibreOffice,

Nice to talk to you! This is the IT security team from Jabil China, Chengdu. Perhaps we'd like to use LibreOffice, but there are some queries, especially about information security, that need to be confirmed with you. Thank you so much!

For this product:
- Has a penetration test been performed?
- Has a Dynamic Application Assessment been performed?
- Are there reoccurring vulnerability scans?
- Has Static Code Analysis been performed on the code?
- Is there a Software Update Cycle?
- Is there a regular OS Patching Cycle?
- Has the code base gone through a static code review for OWASP top 10 and/or SANS25?
- Has the app gone through a DAST or other dynamic testing?
- Will the vendor, now or in the future, collect, store, process, transmit, dispose, or maintain Jabil data as part of its business activities?
- Does the vendor have anyone who is responsible for information security policies, processes, and/or an overall security strategy?
- Has the vendor been certified against or compliant with an industry best practice standard for information security (e.g., ISO 27001:2013), or undergone a Service Organization Control engagement?
- Is a valid (not expired) certificate and/or report demonstrating certification or compliance available?
- Will the software store or transmit Controlled Unclassified Information (CUI), according to the definition found in NIST Special Publication 800-171? (JDAS Only) (CUI is government created or owned information that requires safeguarding or dissemination controls consistent with applicable laws, regulations and government-wide policies. CUI is not classified information. It is not corporate intellectual property unless created for or included in requirements related to a government contract.)

Have a nice day!

Best wishes,