Higson is Secure

MARCIN NOWAK
Blog

The security of Higson is our priority, which is why we periodically ask for security tests from various external penetration testing companies. 

The latest penetration test was performed by Cyber Threat Defense. CT Defense is a CREST Certified Member in Penetration Testing. 

They identified a few potentially vulnerable spots, which we promptly fixed and received confirmation from CT Defense. CT Defense made every effort to perform a thorough and comprehensive analysis and to provide appropriate remedial advice. 

We’ve summarized the test results in this article.

We believe this is a part of our customer deployment services and environment setup for some findings — that’s why we created a security guide with best practices for our users. 

You can find it here: Higson Studio Security Information | Higson.

Penetration Testing

Penetration testing simulates an attack from a malicious hacker to check for potential vulnerabilities to external hacking.

The goal of penetration testing is to assess your software’s security, safeguards, and controls by attempting to breach through your configured defenses. 

By identifying threats and measuring the potential damage they could have to your software, developers are able to find ways to counter the vulnerabilities and prevent them from being exploited. 

Methodology

CT Defence performed the Web Application Security Assessment, which is designed to evaluate the scope, security, and resiliency of Higson’s environments. Understanding the existing vulnerabilities is the first step in remediating and ultimately enhancing Higson’s overall security maturity. 

CT Defence assessed the risk that a real-life, targeted attacker poses to the security of Higson. They tested from both unauthenticated (anonymous) and authenticated angles. 

Unauthenticated testing spots weaknesses that anyone with network connectivity to the Higson environment can exploit. On the other hand, authenticated testing identifies vulnerabilities in the functionality that is only available to authenticated users. 

Since most software solutions offer the majority of their functionality to authenticated users, authenticated testing provides the best insight into the security of the application. 

CT Defence follows a highly-structured methodology that uses a phased approach, consisting of information gathering, testing, verification, and notification. 

List of Identified Vulnerabilities

CT Defense identified a few vulnerabilities that we immediately fixed during their penetration testing. 

  • Administrative account takeover through weak password policy. 
  • Webserver exhaustion with Slow HTTP connections.
  • Client-side Remote Code Execution through Formula Injection.
  • Weak password requirements.
  • Malicious File Upload: Unrestricted Upload of File with dangerous type.
  • Missing Session invalidation after Password Change by Administrator.

Another potential security risk that was flagged during the testing was the use of Vaadin, which is an old Java web framework for building web applications. However, Higson is doing a new studio design in Angular to make the app even more user-friendly and secure.

Remediation Verification

Once we made the necessary updates based on previously-identified findings, CT Defense confirmed that successful remediation had been performed. 

Index
Get a personalized evaluation of Higson's potential for your use case
More stories

Streamlining Payroll Management: Innovative Approaches and Technology Integration

Revolutionize payroll with innovative tech! Explore cloud solutions, automation, AI, and rule engines like Higson for accuracy and efficiency.

READ MORE

Optimizing Supply Chain Decisions: Rule Engines for Enhanced Inventory Management

Integrate rule engines, data analytics & IoT for optimized inventory management. Leverage real-time insights for automated decision-making to enhance efficiency.

READ MORE

Enhancing Fraud Detection in Banking with Rule-Based Decision Engines

Enhance your fraud detection with the combination of machine learning, AI, and rules engines. Save your money and protect your clients efficiently.

READ MORE