Brink Software: secure tools for the Dutch construction and infrastructure sector

Much of the built environment in the Netherlands - residential neighborhoods, hospitals, highways, offices, bridges and so on - was once calculated using Brink's Ibis calculation software. Almost all of the fifty largest construction companies in the Netherlands use Ibis calculation software to specify, budget and administer their projects. "So at the top end of the market we are well represented," says manager of product development Ivo Huizinga. "And in addition, we serve a few thousand SME contractors and freelancers in the construction and infrastructure industry." For the latter group, the new DEDDO application was launched last year. With such a large and diverse group of users, the security of the software platform is of the utmost importance.


Taking security to the next level

In the past, cybercrime was primarily focused on large enterprises, but today, SMEs are increasingly being targeted as well. Research last year showed that about three-quarters of smaller businesses have been attacked at some point. "I know that once an attempt was made to break into our systems as well," says Ivo. "Fortunately without success, but you must assume you can be the victim once." At Brink they have always known that security is "super important," according to software architect Wema Wuyts. "We also know that we already have a lot of things in place. We are ISO27001-certified and are audited annually on this. Still, we saw that we could tighten up certain aspects of security."

In addition to the annual penetration tests Brink already had done, YieldDD was asked to provide OWASP training for all developers, covering the most common security risks in software.

"In fact, we wanted more. To not just react to what comes out of the annual tests, but to embed security much more in our way of working and in the awareness of our developers," Ivo explains. That training resulted in a follow-up question to YieldDD: how can you help us take security to the next level?


Opened the front door

The approach taken for this was a so-called code-guided penetration test. Here the testers do not only try to break in from the outside; the front door is opened for them in advance. "We gave Gerben and Ramon [security specialists from YieldDD] ample access to everything we do here and how we do it, including the source code of our applications," says Wema. Yet the first step in this test does not focus on the code, but on the development teams responsible for the various applications. Based on surveys and interviews, the teams are vetted and a broad picture emerges of where the biggest potential security risks are.

Then the test goes into depth. The security of applications and how they are developed, tested and released is thoroughly examined. Some of this is done in a standardized way, using a checklist and test tools, but testers also rely on their own knowledge, experience and intuition to see how far they can penetrate the applications. Wema recalls how Ramon had found "a special vulnerability" at one point: "He had gone very deep into the code, I could appreciate how far he had gone to see what he could get done. Very special to be able to do that. And the great thing was that Ramon called me immediately to say he had found something, was able to explain very well what he had done and convinced us that we had to do something about it immediately."


A great mirror

Except for an occasional find like this, the test did not reveal any major surprises but mainly confirmed Brink's view of the security of its software. Ivo:

"Still, it is very valuable to have that assessed by external specialists who focus only on that. You are held up to a great mirror. Of course, security also has the attention of our own developers, but they are still primarily concerned with developing new functionalities to help our customers."


The Security Guild

When asked whether YieldDD has indeed been able to help take software security at Brink to the next level, the answer is clear. "Definitely," says Wema. "In any case, new vulnerabilities were uncovered, including prioritization and possible solutions, so we could fix them in a targeted way. We were also able to make the necessary adjustments in our way of working, for example by tightening up the access and rights of our developers." In addition to these more or less one-off measures, Ivo says the biggest gains can be made by making security more "front of mind" in daily work. "We want security to become less dependent on snapshots and fixes after the fact, but ensuring it's secured upfront in everything we do. That revolves around making our developers even more aware of its importance. The OWASP training has already laid a foundation for that, and with the creation of our Security Guild, we want to strengthen that further. In that guild, we have brought together people who find this subject interesting and important and are well versed in it to think, again with YieldDD, about how we can continue to improve our security."