With managed hosting from True you know that the infrastructure of the hosting platform is optimally secured, but does that also apply to the security of your web applications that run on it? With the security audit, True periodically scans your web applications for common security issues.


The challenge of our customers


Technologies are constantly changing and evolving, and it is extremely difficult to stay up to date in the volatile world of customer web development. Vulnerabilities come out every day, and with that, a customer would potentially have to apply patches every day. Is this feasible? Often not. However, it is of particular importance for clients to have insight into the security of their projects and to map out the risks involved. This allows them to incorporate updates/patches and changes into their own sprints to ensure their product is as secure and stable as possible, both for themselves and for their own customers.


Our solution


The security audit consists of a broad mix of automated scans, online investigation of vulnerabilities within the organization and manual attempts to break into systems and environments.

The audits are performed by security engineers with a great deal of technical knowledge and practical experience, including ethical hacking. They are also the ones who have set up our Advanced Security platform based on the learnings they have gained from these security audits, among other things.

We offer customers 3 different options. The difference lies on the one hand in the number of hours we put in and on the other in the amount of information we can uncover for them in those hours. These are all “Greybox tests”, which means that we already have insight into the environment, code and further (internal) functioning of the project in advance. So, beforehand, we look at how the different systems work together, and this information is used when performing the security scan.


Some nice sales facts:

  • In 48% of the cases, our engineers managed to completely take over the management of the environment.
  • In 76% (!) of the cases, our security engineers had access to personal data. Early notification was made in critical cases.


The result


After performing the security audit, you will receive a research report (Standard & Enterprise variant) or a technical report (Lite variant) from True. The results of the audit are carefully interpreted by the researcher; in the case of the Standard & Enterprise variants, they are provided with a risk profile and recorded in a report in which we also discuss the vulnerabilities, risk analyses and recommendations. The Lite variant contains a technical report of the findings, with reproduction steps where possible so that a vulnerability can be reproduced and remedied, and is suitable for organizations that already have the necessary knowledge to understand the risks themselves.


Within 1 to 2 months at the latest, we perform a rescan to check whether the vulnerabilities found have been closed. If they have not yet been closed at the time of the rescan, we will contact you to report this. Fixing specific vulnerabilities can be complicated in many cases because they may lie within the application itself. Does the customer have difficulty resolving a vulnerability? Then True or one of its partners can help them on their way.


Ideal customer profile


When is it interesting? Always. With all the dangers that are the order of the day, with new exploits, vulnerabilities and massive hacks taking place every day, every company would do well to go through this process at least once. The learnings that usually come from these types of reports are very interesting and offer enormous growth opportunities and awareness to all parties involved. So not only the customer but also Broad Horizon and all sister parties can learn a lot from it.


Is the customer looking for a skilled party that can audit their code & environment?
Then we can help.


Is the customer required from a compliance point of view to perform a security audit every [t] for, for example, certifications?
Then we can help.


Does the customer have an environment that stores personal data, and does the customer want to be sure that it is all properly locked down?
Then we can help.


Does the customer want to be sure in advance that the highest security standards are being observed in connection with the Data Breach Notification Obligation?
Then we can verify that with such a test. By regularly performing a Security Audit on your environment, we can intervene immediately when we identify a data breach. This is an effective way to apply the legislation in the form of the AVG (GDPR).


What type of test should I recommend?

This depends on the type of customer you are helping. If you have any further questions about it yourself, you are always free to contact the responsible persons indicated. They can also advise you on this. You can also assume the following:


— The Greybox “Lite” (16h, no report)
For organizations that do not want to have the entire web environment “hacked” and are mainly looking for the technical bottlenecks. The Greybox Lite audit is a 16-hour investigation in which extensive insights are provided to the techies on the customer side. The customer receives a simple report of the findings (finding (technical), risk calculation).


— The Greybox “Standard” (32h, with report)
An extensive investigation in which the security engineer has prior knowledge of the environment and will hack for more than 32 hours. In addition to research into common digital attacks, it also examines whether there are vulnerabilities when logged in as a user. The results are extensively documented in an advisory report. This is very comprehensive and fully describes the findings (explanation, opportunity, risk, impact, recommendation).


— The Greybox “Enterprise” (48h, with report)
For environments with a very extensive application, for which we take plenty of time. Includes all extras, such as the possibility of advanced phishing campaigns and on-site training by white hat hackers. The latter can be very interesting for raising awareness among the customer's own customers. The results of the tests are extensively documented in an advisory report. This is very comprehensive and fully describes the findings (explanation, opportunity, risk, impact, recommendation).


Many free online security scans for websites can be found on the internet. So why should I choose such an expensive security audit from True?
Free online security scans often cover only a small part of the actual vulnerabilities. The True security audit goes into great depth on security. In addition, no “human interpretation” is performed on the results of the free scans, which increases the chance of false positives. Furthermore, free solutions may abuse the results themselves, causing a data breach, or sell the vulnerabilities to third parties (they have to derive their income from somewhere).


What is the lead time between requesting a security scan and delivering the report?
The turnaround time for a security audit depends on the wishes and requirements of the client. After conducting the audit, we aim to deliver the report within 1 to 2 weeks.


Joop den Hollander
Guido Bruijn