

By Steven Birks
August 17, 2022
The security of our applications is of utmost importance to us. One of the ways we keep our systems secure is by regularly scheduling penetration tests, where a third-party company attempts to find and exploit vulnerabilities in our software.
In November 2021, an initial penetration test of our applications was conducted by Claranet, and a re-test took place in February 2022 to scrutinize the changes we made following the initial findings.
Enable performed well in the test, with only one high impact vulnerability highlighted. It was discovered that malicious user input could be entered into our website and later exported in a downloadable spreadsheet. When that spreadsheet was opened in Microsoft Excel, clicking the cell containing the malicious data and ignoring the subsequent security warnings from Excel could cause an unsafe website to be opened or malicious code to be executed.
Five other vulnerabilities were highlighted and rated as medium or low impact.
Enable acted swiftly to remediate the high impact vulnerability. Unsafe user input in spreadsheets is now sanitized by prepending a single quote whenever the leading character is unsafe (that is, one Excel would interpret as the start of a formula), so the cell is treated as plain text and no malicious code can be run in Excel.
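To illustrate the mitigation described above, here is an added example (not Enable's own code) of a cell sanitizer that prefixes a single quote when a value would otherwise be parsed as a formula, applied to a small constructed export. The list of unsafe leading characters, the numeric exemption and the `export_csv` helper are assumptions of this example; the post does not specify them.

```python
# Added example, not Enable's code: sanitise cell values before spreadsheet
# export by prefixing a single quote when the leading character is unsafe.
import csv
import io
import re

# Characters that spreadsheet applications may treat as the start of a
# formula or command (assumed list; the post does not enumerate them).
UNSAFE_LEADING = ("=", "+", "-", "@", "\t", "\r")

# Plain signed numbers such as "-5" are harmless and should stay numeric.
NUMERIC = re.compile(r"[+-]?\d+(\.\d+)?")


def sanitize_cell(value):
    """Return value unchanged unless Excel could interpret it as a formula."""
    if not isinstance(value, str):
        return value
    # Some importers trim leading spaces before parsing, so check the value
    # both as-is and with leading spaces removed (conservative choice).
    stripped = value.lstrip(" ")
    if NUMERIC.fullmatch(stripped):
        return value
    if value[:1] in UNSAFE_LEADING or stripped[:1] in UNSAFE_LEADING:
        # A leading apostrophe forces text interpretation; Excel hides it.
        return "'" + value
    return value


def export_csv(rows):
    """Serialise rows to CSV text, sanitising every cell (constructed helper)."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([sanitize_cell(cell) for cell in row])
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample input: one formula-shaped value, one negative number,
    # one value with a leading space, and ordinary text.
    sample = [
        ["name", "note"],
        ["=SUM(1,2)", "formula-shaped input"],
        ["-5", "negative number, left alone"],
        [" =SUM(1,2)", "leading space is not a safe-guard"],
        ["Alice", "plain text"],
    ]
    print(export_csv(sample))
```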
Another medium impact issue with MFA was quickly addressed by implementing a brute-force protection mechanism, which locks out a user after a certain number of incorrect MFA codes are entered consecutively.
The other 4 medium/low impact vulnerabilities were thoroughly investigated, and any necessary remedial work undertaken by February 2022. The re-test confirmed that 3 vulnerabilities, including the 2 detailed above, had been successfully mitigated in the detected areas, and it was determined that the other 3 potential vulnerabilities did not pose a significant risk.
Enable is committed to continuous investment in the security of our software, and this example demonstrates the value we are gaining from that investment. We were able to identify potential weaknesses in our system security and quickly allocate considerable engineering resources to resolve them, increasing our confidence that our systems are protected against the range of threats that today's web applications face.
Enable will continue to conduct penetration tests periodically and to devote time to security improvements. Our IT team and our Engineering team both regularly take training on the latest security risks to web applications, and our software is frequently updated to keep it secure from the latest publicly disclosed vulnerabilities.