Higson is Secure

MARCIN NOWAK
Blog

The security of Higson is our priority, which is why we periodically ask for security tests from various external penetration testing companies. 

The latest penetration test was performed by Cyber Threat Defense (CT Defense), a CREST Certified Member in Penetration Testing.

They identified a few potentially vulnerable spots, which we promptly fixed; CT Defense then confirmed the fixes. CT Defense made every effort to perform a thorough and comprehensive analysis and to provide appropriate remedial advice.

We’ve summarized the test results in this article.

We believe some of the findings depend on how Higson is deployed and how the customer's environment is set up, which is why we created a security guide with best practices for our users.

You can find it here: Higson Studio Security Information | Higson.

Penetration Testing

Penetration testing simulates an attack by a malicious actor to find vulnerabilities that an external attacker could exploit.

The goal of penetration testing is to assess your software’s security, safeguards, and controls by attempting to breach through your configured defenses. 

By identifying threats and measuring the potential damage they could cause to your software, developers are able to find ways to counter the vulnerabilities and prevent them from being exploited.

Methodology

CT Defense performed a Web Application Security Assessment, which is designed to evaluate the scope, security, and resiliency of Higson's environments. Understanding the existing vulnerabilities is the first step in remediating them and ultimately enhancing Higson's overall security maturity.

CT Defense assessed the risk that a real-life, targeted attacker poses to the security of Higson. They tested from both unauthenticated (anonymous) and authenticated angles.

Unauthenticated testing spots weaknesses that anyone with network connectivity to the Higson environment can exploit. On the other hand, authenticated testing identifies vulnerabilities in the functionality that is only available to authenticated users. 

Since most software solutions offer the majority of their functionality to authenticated users, authenticated testing provides the best insight into the security of the application. 

CT Defense follows a highly structured methodology that uses a phased approach, consisting of information gathering, testing, verification, and notification.

List of Identified Vulnerabilities

CT Defense identified a few vulnerabilities that we immediately fixed during their penetration testing. 

  • Administrative account takeover through weak password policy. 
  • Webserver exhaustion with Slow HTTP connections.
  • Client-side Remote Code Execution through Formula Injection.
  • Weak password requirements.
  • Malicious File Upload: Unrestricted Upload of File with dangerous type.
  • Missing Session invalidation after Password Change by Administrator.
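
As an added illustration of the formula injection finding above (example code written for this article, not Higson's own code): a spreadsheet export routine that neutralises user-supplied cell values before they reach Excel or LibreOffice. A cell that begins with one of the formula trigger characters is prefixed with an apostrophe, which both spreadsheets use to force text interpretation, while genuine numbers and numeric-looking strings such as negative amounts pass through untouched. The column names and sample rows are constructed for the example.

```python
import csv
import io
from typing import Any, Iterable, List

# Leading characters that Excel and LibreOffice interpret as the start of a
# formula (the OWASP "CSV injection" list): =, +, -, @, tab and carriage return.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value: Any) -> Any:
    """Return `value` in a form a spreadsheet will treat as data, not a formula.

    Real numbers pass through untouched. Strings that start with '+' or '-'
    but parse as a number ("-5", "+1e3") are kept as-is so amounts are not
    mangled. Any other string starting with a trigger character gets a leading
    apostrophe, which forces text interpretation in the spreadsheet.
    """
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        return value  # numeric types cannot carry a formula
    text = str(value)
    if not text or text[0] not in FORMULA_TRIGGERS:
        return text
    if text[0] in "+-":
        try:
            float(text)  # a plain signed number: leave it alone
            return text
        except ValueError:
            pass
    return "'" + text


def has_formula_risk(value: Any) -> bool:
    """Detection helper: True if a raw string would be rendered as a formula."""
    return isinstance(value, str) and neutralize_cell(value) != value


def neutralize_row(row: Iterable[Any]) -> List[Any]:
    return [neutralize_cell(cell) for cell in row]


def export_csv(rows: Iterable[Iterable[Any]]) -> str:
    """Serialise rows to CSV with every cell neutralised and double-quoted.

    Quoting alone does not stop a spreadsheet from evaluating a cell that
    starts with '=', which is why neutralize_cell() runs first.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow(neutralize_row(row))
    return buf.getvalue()


# Constructed sample: a user-editable display name that contains a formula.
SAMPLE_ROWS = [
    ["user", "display_name", "balance"],
    ["alice", "Alice Example", 120],
    ["mallory", "=2+2", -5],
]

if __name__ == "__main__":
    print(export_csv(SAMPLE_ROWS), end="")
```

The apostrophe is visible when the file is opened in a plain text editor but is hidden by the spreadsheet, so the exported value still reads naturally for the user. The `has_formula_risk()` helper is the same check applied at input time, which lets an application flag or log suspicious values when they are submitted rather than only at export.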

Another potential security risk flagged during the testing was the use of Vaadin, an old Java web framework for building web applications. However, Higson is redesigning its studio in Angular to make the app even more user-friendly and secure.

Remediation Verification

Once we made the necessary updates based on the previously identified findings, CT Defense confirmed that successful remediation had been performed.
