Twice a year, Deloitte experts test the security of our HelloID service. But why is this such an important test for HelloID? And what does it mean for you as the customer? Let’s take a closer look and reveal what the latest test by Deloitte’s team of ethical hackers showed.
The most recent test by Deloitte proved yet again that HelloID security is at a very high level. These results are more than satisfactory, but it is still important that HelloID is tested regularly throughout the year. The test keeps our experts sharp and drives the ongoing improvement of our technology and services. For the customer, it gives the confidence that comes with knowing that independent specialists examine the HelloID solution every 6 months with a critical eye, to discover any vulnerabilities before they can lead to harm.
Why a security test by external ‘Ethical Hackers’?
As a company developing Identity & Access Management products, we have many security experts within our own ranks, and we frequently ask them to try to attack our own solutions. However, we believe it is important that our systems are also evaluated regularly by external experts. These external tests help prevent blind spots and give us an extra pair of eyes. By choosing Deloitte’s ethical hackers to carry out these external tests, we are guaranteed a team of independent and highly qualified security experts. It is crucial to us that Deloitte verifies the integrity of all its experts, so that you as a customer can be sure that the test results are not misused in any way.
Scope of the HelloID security test
This biannual assessment of our HelloID service is not insignificant, nor is it just a desk review of the HelloID design and specifications. So what exactly is it? The test consists of many attempts by professional ethical hackers to attack the HelloID solution. This team has been trained to look at IT systems the way an experienced cybercriminal would, in order to recognise vulnerabilities that others might overlook. Among the frameworks they use are the NCSC ICT-B v2 guidelines and the OWASP Top 10 Application Security Risks of 2013 and 2017.

The test procedure includes the traditional black box tests, in which the ethical hackers try to gain unauthorised access to functionality and data without any prior knowledge of the system. In our application security tests, however, the ethical hackers go one step further and also execute so-called grey box tests. These look for security weaknesses in specific parts of HelloID using inside information about the design and operation of the software.

In the final part of the test, the team examines what authorised users can do within the system. For example, do these authorised users have ‘unintended’ opportunities that go beyond what is necessary for their role? It is well known that fraud and cybercrime often originate within organisations. So at HelloID we test not only the quality of our ‘front door’ but also our ‘back door’: the security of the application against someone who is authorised to use it.
With these tests, the full range of potential vulnerabilities is covered: from system reports that reveal too much detail, to the presence of cross-site scripting (XSS) vulnerabilities.