To optimize the security of our products and services, we have them tested annually by independent, ethical hackers. For this we partner with Onvio, a specialist in conducting pen tests. These tests actively look for weak spots; the issues found are then resolved, so that the level of security is continuously enhanced. We spoke with Jasper Weijts, Security Specialist at Onvio, about his experience in this work.
What is ethical hacking?
“For most people, the word hacking evokes negative associations, like someone breaking into your device or system. With ethical hacking, a specialist looks for vulnerabilities in an application or system, for instance, without disclosing them publicly. We call this a pen test. He informs and advises the company, so they can put things in order. You can look at it as asking a burglar to see if your house is secure and where the weak spots are, in order for you to improve your security. Ultimately we help companies get the security of their systems and applications to a higher level.”
You are an Ethical Hacker at Onvio. What does your work look like?
“When we test an application, for example, we start by mapping out functionalities. This could be accompanied by a demo session carried out with the company. Then we look at the traffic that takes place between the user’s browser - in Priva’s case, the user is the grower - and the server at the company (Priva). We intercept that traffic and see if we can influence it. That’s the most intensive part of the pen test.”
What happens after the pen test is finished?
“All of the findings from the test are put in a report. This is developed into a pen test report with a technical section, a risk analysis, and a management summary. This tells technical staff exactly what needs to be changed and gives the management a clear picture of the situation. The client then goes through the report with its own (development) team. Next we meet at the time of delivery to go over the technical portion of the report. If necessary, we explain technical elements and we make our official recommendations, but in the end, it’s up to the client to carry them out. Eventually, we can do a new test, giving new advice based on the initial report and what improvements were made.”
For Priva, several cloud applications have recently been subjected to a pen test. A TPM (Third Party Memorandum) has been issued for those applications. These statements indicate that the applications are sufficiently secure. Because the threat landscape keeps changing, these tests will be repeated on a regular basis. Priva expects more TPM statements for other products and cloud services to follow soon.
The digital world is developing at an incredibly rapid pace. How do you keep up with it, in terms of hacking?
“Nowadays there are courses, and even a number of master's programs, that focus on security and hacking. In addition, there are a large number of certification programs that give you practical training in a kind of laboratory setup. It’s important -- both to us and to our clients -- to keep finding new types of vulnerabilities. So we go to that kind of lab every year to test ourselves, learn new things, and ultimately get the certification.”
New vulnerabilities are being found in software and applications every day -- it never ends. Staying up to date is mainly about keeping up with major developments and innovations. New technologies, such as a new type of login mechanism, also bring new vulnerabilities with them.
What tips can you give our customers, the growers?
“Most of Priva’s customers, growers, have a company in which many processes are automated. That involves a lot of data. It can be stressful for a grower to connect the systems to cloud solutions, such as an app. Because what if someone unauthorized runs off with the crop data? That may be a real fear, but I think the crop data are in fact more secure when you use the cloud and digital services. Growers are very good at cultivating their crop, but often they’re not at home in the security market. For example, as a grower, do you have insight into a risk analysis, do you know what data is being generated, where it is stored and who has access to the data? One tip would be to invest in that.
Some growers are reluctant to store their data in the cloud, because then they don’t know where the data is. Priva eliminates this concern. There are good agreements between Microsoft and Priva when it comes to the stored data and how it is secured. In most cases, this is more secure than local storage. For example, what about a local server with security and backups? These are things that happen automatically in the cloud, since standard security systems are enabled in that case. This is very advanced and often goes beyond the security measures that you can take on your own.”