Process Monitor successfully passes penetration testing
Stami Digital Process Monitor software successfully passed penetration testing (pen testing) conducted by an external party. During the test, a cyberattack was simulated to evaluate the security of the Process Monitor software. The test will help Stamicarbon’s software team keep their security policies up to date, so they can continue designing software solutions with security best practices in mind.
The test was performed in two stages:
- In the first stage, the test was conducted in black box mode, meaning the testing party had no knowledge of application details and no authentication credentials
- The second stage took place in grey box mode, with partial knowledge of the application details and possession of authentication credentials
The report by the external party summarizes that: “in its current state, the targets are exposed to a LOW risk of compromise. The evaluation was conducted considering two fundamental aspects of a cyber attack: the probability of occurrence of a dangerous event and the potential impact that could insist on the organization, be it an impact on perceived image, compliance, service delivery, or any other financial loss.”
The external party’s offensive security team identified and tested four risk scenarios and – among other findings – confirmed that the Process Monitor authentication system was solid and well-designed. The Stami Digital software team will continue to have recurring scheduled external penetration tests as well as unannounced internal ones. “We can show this result to (potential) customers, and we are keeping on top of it to make sure we don’t have new items and are already planning a new pen test,” said Pascal Ruiter, IT Developer at Stamicarbon.
Continuously updating security knowledge
The Stami Digital software team holds several certifications, including Azure Administrator, Azure Developer and Identity and Access Administrator Associate, as well as the DevOps Engineer Expert certification. To stay up to date with industry best practices, they also completed a cyber security course focusing on the OWASP Top 10, the awareness standard that lists the 10 most critical security risks to web applications and helps developers adopt best practices for producing more secure code.
During the training, the team received information and tips on developing secure software solutions and on the various vulnerabilities that software can be exposed to. “It’s important to keep up to date with all possible vulnerabilities when you develop software and how those vulnerabilities can be exploited so that these can be mitigated,” said Jayd Naidoo, Software Developer at Stamicarbon.