Cybersecurity penetration testing: unqualified endorsement
The expectations of our customers regarding cybersecurity are increasing all the time. And HosPortal is changing rapidly, with new features added every few weeks. So periodically we get a third party to come in and see if our system is secure and safe by undertaking a ‘penetration test’: basically we get trained professionals to go to town on a standalone copy of our software to see if they can break something.
The review we completed this month received an unqualified endorsement. In part the endorsement certificate says:
“[we] conducted web application penetration testing…with regards to best practice security standards including Penetration Testing Execution Standard (PTES), Open Source Security Testing Methodology (OSSTM) and Open Web Application Security Protocol (OWASP) Top 10.
We confirm that…there are no issues outstanding.”
To get this unqualified endorsement we had to make only a small number of changes:
All files uploaded to our Documents repository are now scanned for viruses. This means we have had to build a workflow to alert users if any file is infected. We also get an alert here at HosPortal so we can ensure our system is safe.
We now sanitise all Excel files to remove the risk of malicious actors embedding small pieces of executable code in Excel formulae.
The penetration testing experts had some minor technical suggestions regarding the way our password reset process works. We have implemented those suggestions in full.
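The Excel sanitisation mentioned above works by making sure that cell content which a spreadsheet would interpret as a formula is stored as plain text instead. The following is an added illustration of that idea and is not HosPortal's own code; it assumes the cell values have already been read out of the uploaded workbook into plain Python lists (the sample sheet below is constructed for the example).

```python
import re
from typing import Any, List, Tuple

# Leading characters that Excel treats as the start of a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")
# Plain numbers such as "-12.5" or "+3e2" also start with +/- but are not formulas.
NUMBER_RE = re.compile(r"^[+-]?(?:\d+(?:\.\d*)?|\.\d+)(?:[eE][+-]?\d+)?%?$")


def is_formula_like(value: Any) -> bool:
    """True if a cell value would be evaluated as a formula by a spreadsheet."""
    if not isinstance(value, str) or not value:
        return False  # numeric, boolean, date and empty cells are stored as values
    if NUMBER_RE.match(value):
        return False  # "-45.5" is a negative number, not a formula
    return value[0] in FORMULA_TRIGGERS


def sanitise_sheet(rows: List[List[Any]]) -> Tuple[List[List[Any]], int]:
    """Return (cleaned rows, number of cells neutralised) for one sheet.

    Formula-like text is prefixed with an apostrophe, which spreadsheets
    treat as "store the rest of this cell as literal text".
    """
    cleaned, count = [], 0
    for row in rows:
        new_row = []
        for cell in row:
            if is_formula_like(cell):
                new_row.append("'" + cell)
                count += 1
            else:
                new_row.append(cell)
        cleaned.append(new_row)
    return cleaned, count


# Constructed sample sheet: one genuine formula, one negative number as text,
# one "@" value and one value hidden behind a leading tab.
SAMPLE_SHEET = [
    ["Name", "Amount", "Note"],
    ["Alice", 120, "=SUM(B2:B3)"],
    ["Bob", -45.5, "-45.5 refunded"],
    ["Carol", 0, "@Finance team"],
    ["Dave", 7, "\t=1+1"],
]

if __name__ == "__main__":
    rows, neutralised = sanitise_sheet(SAMPLE_SHEET)
    print(f"neutralised {neutralised} cell(s)")  # neutralised 4 cell(s)
```

The count of neutralised cells is what a workflow would use to decide whether to alert the uploader, in the same way the virus-scanning step does.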
We are happy to share the endorsement certificate with customers and potential customers on request.