Twice a year, experts from Deloitte test the security of our HelloID services. The most recent test showed that the HelloID security level is high. This is important research for Tools4ever: it keeps us on our toes and stimulates us to keep improving our technology and services. It is also good for our customers to know that every six months independent specialists take a critical look at the HelloID solution, so that we discover any vulnerabilities before they can do real harm.
Why research by external ethical hackers?
Tools4ever has a large number of security experts within its own ranks; it is not without reason that we develop Identity & Access Management products. It goes without saying that we regularly let our own experts attempt to attack our solutions in-house. However, we think it is important that our systems are also examined critically and on a structural basis by another party. Such an external test keeps us on our toes, prevents blind spots from developing and, of course, the saying that ‘strange eyes compel’ (outside scrutiny makes you perform better) also applies to us.
With Deloitte’s ethical hackers, we have opted for guaranteed independent and highly qualified security experts, whose integrity is also vouched for by Deloitte. Of course we want certainty not only about the quality of the security tests, but also about the reliability of the testers, so that you as a customer can be sure that the test results are not misused in any way.
Scope of the HelloID security study
The six-monthly assessment is not a ‘paper tiger’. It is not just a desk review of the HelloID design and specifications: the investigation consists of actual attempts by professional ethical hackers to attack the system. The ethical hackers are trained to look at IT systems through the eyes of a seasoned cybercriminal and to recognize vulnerabilities that others may overlook. The NCSC ICT-B v2 guidelines and the OWASP Top 10 Application Security Risks of 2013 and 2017 are used as the basis for this.
Of course, the test includes the traditional black-box tests. These tests aim to penetrate the system without prior knowledge of it and to gain access to functionality and data. In our application security test, however, the testers explicitly go further and carry out so-called gray-box tests. In a gray-box test, the hackers receive information about the internal workings of the software and look for security weaknesses in specific parts of HelloID. Finally, the possibilities that authorized users have within the system are examined: can they do more than is actually intended? This is very important, of course, because we know that a great deal of fraud and cybercrime originates within organizations themselves. So at HelloID we not only have the quality of the front door tested,
The tests themselves cover the full range of possible vulnerabilities, from overly detailed system error reports to the presence of cross-site scripting (XSS) vulnerabilities.
Any potential vulnerability that comes to light receives a risk qualification that helps us address the issue with the appropriate priority. This risk assessment follows from the probability that a potential vulnerability can be discovered and exploited, and from its impact if that actually happens:
The probability depends, for example, on the complexity of the vulnerability in question. Can the vulnerability be exploited by following a simple step-by-step plan, or is physical access to the servers required to abuse it?
The impact is the extent of the potential damage that a vulnerability can cause. Obviously, it matters a great deal whether this is a short-term interruption of the service or a serious data breach.
We receive the Low and Medium risks as part of the test report, after which our experts get to work. Unexpected High risks are escalated immediately by the testers, so that Tools4ever experts can develop and roll out a solution right away. Fortunately, such vulnerabilities are rare.
Every test, of course, turns up Low and Medium risks. Technology is constantly evolving, as are the knowledge and tools available to malicious parties. This means that we are never completely finished and always find things that can be improved. That is the great added value of such a six-monthly security scan: we stay sharp and keep the HelloID service completely up to date in terms of security.
Want to know more about this security scan?
We are not permitted to publish the detailed content of our security scans. Our customers do see their effect in the form of adjustments, improvements and bug fixes in our regular release notes. In addition, our account managers are happy to tell you more about our regular security tests.