Here at Enable, the security of our applications is a top priority for us. As an ISO 27001 (Information Security) accredited company, our applications are designed with the security of our clients in mind. In addition to reviewing potential security vulnerabilities as new features are developed, we also carry out regular penetration testing. Penetration tests are carried out by a third party company every 18 months. Plus, to complement these tests we also perform penetration tests ourselves internally, which is done on a more frequent basis.
What is a penetration test?
Also known as 'ethical hacking', penetration testing is the process of examining an application, and its infrastructure, for potential security vulnerabilities which could be exploited during a cyberattack. The techniques used to identify security vulnerabilities in a system are designed to mock the malicious techniques which an attacker may use. The test will then highlight the risk level of vulnerabilities identified, varying from low risk to critical risk. The tests which are performed are those which are most relevant to the type of software being tested, in this case web-based applications (accessed via a web browser using a specific web address).
What does penetration testing involve?
In short, penetration testing is making attempts to breach the security of a system, in order to test the system's security. When we carry out penetration tests, we use the same techniques and tools that are commonly used in malicious attempts to breach security defences in web applications.
Why do we have a third party penetration test our applications?
There are several types of penetration test in which the tester has varying levels of knowledge about the system. In a third party penetration test, the qualified individuals have no knowledge of the internal structure of the system, and do not have access to the source code. This allows the tester to replicate the level of knowledge which a genuine cyber-attacker may have as closely as possible.
What were the findings?
In May 2020, cybersecurity experts from NCC Group carried out a penetration test of our Trading Programs application, including the Forecasting and Watchlist apps. The report from this third party penetration test identified a total of 7 potential security vulnerabilities, all of which were assessed to pose a low risk, which means they should be addressed as routine maintenance tasks. No critical, high or medium risk vulnerabilities were identified, which demonstrates the effectiveness of continually investing in the security of our applications.
How will we resolve any vulnerabilities?
Upon receiving the report of the test from NCC Group, we reviewed the findings and swiftly acted to schedule time to review and resolve the potential vulnerabilities. Two of the identified risks have already been resolved, and one identified risk is now redundant due to changes in our applications since the test took place. The remaining potential vulnerabilities are either due to be resolved or further reviewed in an upcoming development cycle.
Why external penetration testing is important
The purpose of a third party penetration test is not only to identify the risk level of any potential security vulnerabilities within our applications, but also to provide an extra level of confidence that our software is resilient against a range of modern cyber-threats. We currently schedule third party penetration tests every 18 months, with our previous penetration test being in November 2018. This complements our ongoing commitment to security in development cycles, as well as the internal penetration testing we carry out.
Internal penetration testing
Unlike our external penetration tests, which are performed on an 18 monthly basis, our internal penetration tests are carried out throughout the year as a form of ongoing testing. This way, we can ensure that new features are subjected to penetration testing soon after they are developed. All vulnerabilities found in our internal penetration tests are logged immediately, and given a priority of Critical, High, Medium or Low. We make sure any critical vulnerabilities are addressed urgently, whereas low risk vulnerabilities are typically addressed as part of routine maintenance.
Conclusion
Internal penetration tests are a key part of maintaining the security of our web applications. Performing these tests regularly allows us to identify and resolve potential security vulnerabilities quickly. Together with external penetration testing, this routine testing will continue to help us deliver software products which are as secure as possible. However, our investment in the security of our applications doesn't stop there. Both our IT team and Software Engineering team continue to maintain a high level of knowledge on the topic of information security through regular training time. This allows our teams to keep up to date on the newest threats facing software applications, and ensure that our applications remain as secure as possible. If you would like to find out more about penetration testing or security at Enable, please get in touch.