Our external penetration testing results 2021

The security of our applications is of utmost importance to us. One of the ways we keep our systems secure is by regularly scheduling penetration tests, where a third-party company attempts to find and exploit vulnerabilities in our software.

In November 2021, an initial penetration test of our applications was conducted by Claranet, and a re-test took place in February 2022 to scrutinize the changes we made following the initial findings.

The findings

Enable performed well in the test, with only one high impact vulnerability highlighted. It was discovered that malicious user input could be entered into our website and then exported in a downloadable spreadsheet. When the spreadsheet was opened in Microsoft Excel, if the cell containing the malicious data was clicked and the subsequent security warnings from Excel were ignored, this could cause an unsafe website to be opened or malicious code to be executed.

Five other vulnerabilities were highlighted and rated as medium or low impact.

Our response

Enable acted swiftly to remediate the high impact vulnerability. Unsafe user input in spreadsheets is now sanitized by prepending a single quote whenever the leading character is unsafe, so Excel treats the cell as literal text and no malicious code can be run.
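The following is an added illustration of the single-quote sanitization described above, applied to a CSV export; it is example code written for this post, not Enable's implementation. The set of leading characters treated as unsafe and the sample rows are assumptions, not taken from the report.

```python
import csv
import io

# Leading characters a spreadsheet may treat as the start of a formula.
# Tab and carriage return are included because some tools honour a formula
# trigger that follows them. This list is an assumption drawn from common
# formula-injection guidance, not from the Claranet report.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def sanitize_cell(value):
    """Return the cell value as text a spreadsheet will not evaluate.

    A leading single quote tells Excel to treat the cell as literal text,
    which is the mitigation described in the post. Non-string and empty
    values pass through unchanged.
    """
    if not isinstance(value, str) or not value:
        return value
    if value[0] in FORMULA_TRIGGERS:
        return "'" + value
    return value


def export_rows(rows, sanitize=True):
    """Render rows as CSV text, sanitising every cell unless disabled."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for row in rows:
        writer.writerow([sanitize_cell(c) if sanitize else c for c in row])
    return buf.getvalue()


# Constructed sample rows: the third row's first cell is user-supplied text
# shaped like a formula, the kind of input a pentest probes for. Genuinely
# numeric fields (e.g. -10) should be written as numbers upstream so the
# text sanitiser does not alter them.
SAMPLE_ROWS = [
    ["customer", "note"],
    ["Acme Ltd", "paid"],
    ['=HYPERLINK("http://example.invalid","open")', "pending"],
]

if __name__ == "__main__":
    print("Unsafe export:\n" + export_rows(SAMPLE_ROWS, sanitize=False))
    print("Sanitised export:\n" + export_rows(SAMPLE_ROWS))
```

Sanitizing at export time in this way protects whichever spreadsheet tool the download is opened in, because the quote travels with the data.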

Another medium impact issue, affecting MFA, was quickly addressed by implementing a brute-force protection mechanism that locks out a user after a certain number of consecutive incorrect MFA codes.

The other 4 medium/low impact vulnerabilities were thoroughly investigated, and any necessary remedial work was undertaken by February 2022. The re-test confirmed that 3 vulnerabilities, including the 2 detailed above, had been successfully mitigated in the detected areas, and it was determined that the other 3 potential vulnerabilities did not pose a significant risk.

Conclusion

Enable is committed to continuous investment in the security of our software, and this example demonstrates the value we are gaining from that investment. We were able to identify potential weaknesses in our system security and quickly allocate considerable engineering resources to resolve them, increasing our confidence that our systems are protected against the range of threats that today's web applications face.

Enable will continue to conduct penetration tests periodically and to devote time to security improvements. Our IT team and our Engineering team both regularly take training on the latest security risks to web applications, and our software is frequently updated to keep it secure against the latest publicly disclosed vulnerabilities.

Steven Birks