Why we had a third party carry out penetration testing on our software
Today it seems we hear about a new major data breach every week, and the regular attacks on high-profile companies prove that when guards slip, malicious and opportunistic attackers make their advance. While traditional firewalls and other network security controls are an important layer of any information security program, they can't defend or alert against many of the attack vectors specific to web applications.
As an ISO 27001 certified company, Enable knows that security is a significant concern for our clients, and so it is a top priority for us. Every new feature or software solution that we deliver has been designed and developed to be as secure as possible, incorporating the latest security defences.
How do we ensure that our defences are as strong as possible?
One way we can test our defences is through penetration testing, a process also known as ‘ethical hacking’. The National Cyber Security Centre describes penetration testing as:
“A method for gaining assurance in the security of an IT system by attempting to breach some or all of that system's security, using the same tools and techniques as an adversary might.”
“So, you had somebody attempt to hack your system?”
In a nutshell, yes; in late 2018 and early 2019 Enable engaged the services of a highly respected third-party security provider, NCC Group, to carry out penetration testing of our DealTrack software solution and provide us with a report of their findings. Their goal: to use the techniques and tools commonly used in malicious attacks to attempt to breach DealTrack's security defences.
The initial penetration testing took place in November 2018, with a re-assessment in April 2019 following some improvements we made as a result of the initial report.
As DealTrack is a cloud-hosted, web-based application (accessed via a web browser using a specific web address), the tester targeted the vulnerabilities and threats most relevant to web applications. Other types of software application, for example one installed directly onto a desktop computer, would require a different range of tests and technologies.
The tester worked through a suite of tests designed to exploit various common web application security flaws using the same tools and techniques that a genuine attacker might use.
The nature and severity of each issue found was detailed in the report along with recommended courses of action. Each identified issue was given a risk rating of either Critical, High, Medium or Low. As a scale of severity, Critical denotes an issue which should be addressed urgently whereas Low denotes an issue which should be addressed as part of routine maintenance.
Two distinct parts of DealTrack were scrutinised: the main application, which is used by our clients to manage rebates, and the Trading Partner Portal, which is a separate area that our clients' trading partners can access.
Overall, DealTrack performed extremely well in the penetration test, as noted in the report:
“It was apparent that security had been a consideration in the development of the DealTrack application as the risk from various common security flaws had been effectively mitigated.”
The penetration test identified 7 potential security vulnerabilities within DealTrack. The most significant of these was rated as Medium risk whilst the remaining 6 were rated as Low risk. No High or Critical risk items were identified, reflecting the investment Enable has made in security technologies and best practices as well as the technical expertise of our team.
Arising from the Medium risk vulnerability identified, the following recommendation was made:
“An account lockout mechanism should be implemented within the application. A user account should be locked out (prevented from making further login attempts) after a certain number of consecutive unsuccessful logon attempts.”
On receiving the initial report, we quickly acted upon this recommendation, significantly enhancing the security of the DealTrack login functionality. We also promptly addressed a few of the Low risk items.
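To make the recommendation concrete, the following is an added illustration of an account lockout mechanism of the kind the report describes. It is example code written for this article, not DealTrack's own implementation, and the threshold (5 attempts), lockout duration (15 minutes), the SHA-256 demo password store and the FakeClock helper are all assumptions chosen for the demonstration; a production system would use a slow password hash and persist the counters outside the web process.

```python
"""Account lockout after consecutive failed logins.

Illustrative example only (not DealTrack code). The pen-test recommendation
says only "a certain number" of attempts, so the policy values below are assumed.
"""
import hashlib
import hmac
import time
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 5        # assumed policy value
LOCKOUT_SECONDS = 15 * 60      # assumed policy value
_DUMMY_DIGEST = "0" * 64       # compared against when the account does not exist


def hash_password(password: str) -> str:
    """Demo-only hashing; a real system would use bcrypt/scrypt/Argon2."""
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class AccountState:
    failed_attempts: int = 0    # consecutive failures since the last success
    locked_until: float = 0.0   # clock value at which the lock expires; 0 = not locked


class LoginGuard:
    """Wraps a password check with a per-account lockout counter."""

    def __init__(self, password_hashes, max_attempts=MAX_FAILED_ATTEMPTS,
                 lockout_seconds=LOCKOUT_SECONDS, clock=time.monotonic):
        self._hashes = password_hashes      # username -> hex digest (constructed store)
        self._max_attempts = max_attempts
        self._lockout_seconds = lockout_seconds
        self._clock = clock                 # injectable so the behaviour can be tested
        self._state = {}                    # username -> AccountState
        self.audit_log = []                 # events a SIEM rule would alert on

    def _check_password(self, username, password):
        stored = self._hashes.get(username)
        candidate = hash_password(password)
        # Always run the comparison so unknown accounts take the same path as known ones.
        matched = hmac.compare_digest(stored or _DUMMY_DIGEST, candidate)
        return stored is not None and matched

    def attempt(self, username, password):
        """Return 'ok', 'failed' or 'locked'. A correct password is rejected while locked."""
        now = self._clock()
        state = self._state.setdefault(username, AccountState())
        if state.locked_until > now:
            self.audit_log.append(("rejected_locked", username))
            return "locked"
        if self._check_password(username, password):
            state.failed_attempts = 0       # a success ends the consecutive-failure run
            state.locked_until = 0.0
            self.audit_log.append(("login_ok", username))
            return "ok"
        state.failed_attempts += 1
        if state.failed_attempts >= self._max_attempts:
            # Lock the account and restart the count for the window after the lock expires.
            state.locked_until = now + self._lockout_seconds
            state.failed_attempts = 0
            self.audit_log.append(("account_locked", username))
            return "locked"
        self.audit_log.append(("login_failed", username))
        return "failed"


class FakeClock:
    """Controllable clock so the lockout expiry can be exercised without sleeping."""

    def __init__(self, start=1000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    """Scripted run: three bad passwords, the right password while locked, then success
    after the lock expires. Returns the sequence of outcomes."""
    clock = FakeClock()
    guard = LoginGuard({"alice": hash_password("correct horse")},
                       max_attempts=3, lockout_seconds=60, clock=clock)
    results = [guard.attempt("alice", "wrong") for _ in range(3)]
    results.append(guard.attempt("alice", "correct horse"))   # still within the lockout
    clock.advance(61)
    results.append(guard.attempt("alice", "correct horse"))   # lock expired, counter reset
    return results


if __name__ == "__main__":
    print(demo())
```

The audit_log entries are the part a security operations team cares about: a burst of account_locked events across many usernames is the detection signal for a credential-stuffing or brute-force campaign, independent of whether any attempt succeeded.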
By April 2019, we had worked to resolve more than half of the identified risks, with the retest confirming these issues fully closed. The retest report concluded that “the remaining issues were all assessed to pose a low risk”. We nevertheless scheduled the remaining issues to be addressed in an upcoming development cycle, due to complete at the end of June 2019.
What happens next?
Enable found this to be an extremely valuable exercise and we intend to repeat the process annually to ensure that DealTrack remains as secure as possible.
We will continue to invest in the security of DealTrack, and all of our software solutions, using the latest tools, approaches and expertise available. For example, attending software development conferences, as we did in January 2019, is a great way to gain knowledge from the most respected specialists in our industry.
As well as highlighting some potential security weaknesses, the findings of this exercise also substantiated our confidence that DealTrack performs exceptionally well against the range of threats facing modern software applications, and we know that our clients can justifiably share our trust in DealTrack.
Our goal is for every project to set a new benchmark for quality. We learn from every engagement and feed lessons learned into the next piece of work in a controlled environment while working to structured, quality-assured processes. By acknowledging the importance of penetration testing and making it one of the vital steps in the implementation process, our software is more likely to be efficient and error-free.
If you would like to find out more about penetration testing at Enable, or DealTrack security, please get in touch with us.