Deloitte: HelloID Security scan
Experts from Deloitte test and review the security of our HelloID service every six months. The most recent test again confirmed that HelloID’s security level is high. For Tools4ever, this is consistently an important exercise that keeps us vigilant and drives ongoing improvement of our technology and services. It is also reassuring for our customers to know that every six months, independent specialists scrutinize the HelloID solution with a critical eye, helping to identify vulnerabilities before an attacker can exploit them.
Why engage external ‘ethical hackers’ for an assessment?
At Tools4ever, we are proud to have an abundance of security specialists within our own ranks, given our expertise in developing Identity & Access Management solutions. Our in-house experts regularly conduct penetration tests on our offerings. However, we also value the importance of having our systems periodically scrutinised by an impartial third party. Such external reviews keep us alert, help avoid blind spots and, as the saying goes, ‘fresh eyes can spot new opportunities’ — and this holds true for us as well.
With Deloitte’s ethical hackers, we have chosen security experts who are guaranteed to be independent and highly qualified, with their integrity vouched for by Deloitte. We require certainty not only about the quality of the security tests but also the trustworthiness of the testers, so that you, as our client, can be confident that the test results will not be misused in any way.
Scope of the HelloID security assessment
Our biannual assessment is not a certificate to hang on the wall, nor merely a theoretical review of HelloID’s design and specifications. The assessment involves actual attempts by professional ethical hackers to breach the system. These testers are trained to scrutinise IT systems through the lens of an experienced cybercriminal, identifying vulnerabilities that others may overlook. In their evaluations, they use guidelines such as the NCSC ICT-B v2 and the OWASP Top 10 Application Security Risks from 2013 and 2017.
Naturally, the assessment includes traditional black box testing, in which the testers attempt to penetrate the system and reach its functionality and data without any prior knowledge of it. Our application security testing goes further, however, with what is known as grey box testing. In grey box tests, the testers are given information about the internal workings of the software and use it to look for weaknesses in specific parts of HelloID. Finally, the assessment considers what authorised users can do once inside the system. Can they do more than their role should permit? This is crucial, because we know that a significant share of fraud and cybercrime originates within organisations themselves. At HelloID, we therefore assess not just the quality of the ‘front door’ but also the security of the application once someone has legitimately entered.
The tests cover a comprehensive range of potential vulnerabilities, from error messages that disclose too much system detail to cross-site scripting (XSS) vulnerabilities.
Risk analysis
Each potential vulnerability uncovered is assigned a risk rating that helps us in prioritising the issue for resolution. This risk assessment is based on the likelihood of a potential vulnerability being discovered and exploited, and the impact if such exploitation were to occur:
- The likelihood depends, for example, on how difficult the vulnerability is to exploit. Can it be exploited by following a simple set of instructions, or is physical access to the servers required to take advantage of it?
- The impact refers to the extent of potential damage a vulnerability could cause. Naturally, there is a significant difference between a brief interruption of services and a serious data breach.
Low and Medium Risks are reported to us as part of the test findings, after which our experts address them. Any unexpected High Risks are immediately escalated by the testers so that Tools4ever experts can swiftly develop and deploy a solution. Fortunately, such vulnerabilities are rare.
Every test naturally reveals some Low and Medium risks. Technology is constantly evolving, as are the knowledge and tools available to those with malicious intent. This means we are never fully done, and each time we find areas that can be improved. That is the real value of such a biannual security scan: we remain vigilant and keep the HelloID service fully up-to-date in terms of security.
Want to learn more about this security scan?
We are not allowed to publish the detailed contents of our security scans. However, our customers consistently see their effects in the form of adjustments, enhancements and bug fixes in our regular release notes. Additionally, our account managers are happy to provide more information about our routine security tests.
Tools4ever releases new features and updates for the HelloID software monthly. Would you like to stay informed?