Penetration Testing the Panintelligence Dashboard
By Neil Musgrove, Developer (Security) at Panintelligence
We recently received our certificate of security compliance from ECSC, which we are delighted with. Having secure BI software is a priority for us and for our customers. We design and code every part of the Panintelligence dashboard with security in mind. That said, a 'belt and braces' approach is always best in application security, so we partnered with cyber security experts ECSC. They are the UK's longest running, 'full service' information and cyber security service provider.
One of their first tasks was to conduct a penetration test (or pen test) on our software. A pen test looks for vulnerabilities that an attacker could exploit. Having an external organisation perform a proactive pen test on our software adds an additional layer of assurance and gives us another set of eyes on the software in case there are any issues we've missed. The testing took five intense days and went very well, with ECSC highlighting only a few improvements we can make to further secure our software.
The test was conducted in a very collaborative manner, which is just the way we like to work. Our software developers learned a lot about tools and methodologies from ECSC's testers, and these will be really useful going forward. One of my roles is to analyse the software from a white-box perspective, which involves looking into the code. This gives a different perspective from that of a pen tester or attacker working black-box, with little knowledge of the internals of the application.
The experience of working alongside the pen tester added a lot to my ability to discover issues internally before we even get to the point of having a pen test conducted. Our ideal would be to ensure that no issues are ever raised in a pen test; it would mean we are doing our jobs well! There's always room for improvement though, and that's why we'll be having an ongoing relationship with ECSC, using their expertise throughout the product life-cycle.