Higson is Secure

MARCIN NOWAK
December 10, 2023
Blog

The security of Higson is our priority, which is why we periodically ask for security tests from various external penetration testing companies. 

The latest penetration test was performed by Cyber Threat Defense. CT Defense is a CREST Certified Member in Penetration Testing. 

They identified a few potentially vulnerable spots, which we promptly fixed and received confirmation from CT Defense. CT Defense made every effort to perform a thorough and comprehensive analysis and to provide appropriate remedial advice. 

We’ve summarized the test results in this article.

Some of the findings relate to customer deployment services and environment setup, which is why we created video tutorials with best practices for our users. 

You can find it here.

Penetration Testing

Penetration testing simulates an attack from a malicious hacker to check for potential vulnerabilities to external hacking.

The goal of penetration testing is to assess your software’s security, safeguards, and controls by attempting to breach through your configured defenses. 

By identifying threats and measuring the potential damage they could have to your software, developers are able to find ways to counter the vulnerabilities and prevent them from being exploited. 

Methodology

CT Defense performed a Web Application Security Assessment, which is designed to evaluate the scope, security, and resiliency of Higson’s environments. Understanding the existing vulnerabilities is the first step in remediating them and ultimately enhancing Higson’s overall security maturity. 

CT Defense assessed the risk that a real-life, targeted attacker poses to the security of Higson. They tested from both unauthenticated (anonymous) and authenticated angles. 

Unauthenticated testing spots weaknesses that anyone with network connectivity to the Higson environment can exploit. On the other hand, authenticated testing identifies vulnerabilities in the functionality that is only available to authenticated users. 

Since most software solutions offer the majority of their functionality to authenticated users, authenticated testing provides the best insight into the security of the application. 

CT Defense follows a highly structured methodology that uses a phased approach, consisting of information gathering, testing, verification, and notification. 

List of Identified Vulnerabilities

CT Defense identified a few vulnerabilities that we immediately fixed during their penetration testing. 

  • Administrative account takeover through weak password policy. 
  • Webserver exhaustion with Slow HTTP connections.
  • Client-side Remote Code Execution through Formula Injection.
  • Weak password requirements.
  • Malicious File Upload: Unrestricted Upload of File with dangerous type.
  • Missing Session invalidation after Password Change by Administrator.
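As an added illustration of one of the findings above (not Higson's own code), the helper below neutralises spreadsheet formula injection when user-controlled values are written to a CSV export: any cell that starts with a character a spreadsheet treats as a formula trigger is prefixed with an apostrophe and the field is CSV-quoted. Class and method names are hypothetical, and the sample row is constructed.

```java
import java.util.List;

/** Hypothetical helper (not Higson's code) that makes CSV exports safe to open in a spreadsheet. */
public final class CsvFormulaGuard {

    // Leading characters that spreadsheet applications interpret as the start of a formula.
    private static final String FORMULA_TRIGGERS = "=+-@\t\r";

    private CsvFormulaGuard() {}

    /** Returns the value as a quoted CSV field with any formula trigger neutralised. */
    public static String escapeCell(String value) {
        if (value == null) {
            return "\"\"";
        }
        String cell = value;
        if (!cell.isEmpty() && FORMULA_TRIGGERS.indexOf(cell.charAt(0)) >= 0) {
            // A leading apostrophe forces the spreadsheet to treat the cell as literal text.
            cell = "'" + cell;
        }
        // Standard CSV quoting: double embedded quotes and wrap the whole field.
        return "\"" + cell.replace("\"", "\"\"") + "\"";
    }

    /** Joins one row of already-escaped cells into a CSV line. */
    public static String toCsvLine(List<String> cells) {
        StringBuilder line = new StringBuilder();
        for (int i = 0; i < cells.size(); i++) {
            if (i > 0) {
                line.append(',');
            }
            line.append(escapeCell(cells.get(i)));
        }
        return line.toString();
    }

    public static void main(String[] args) {
        // Constructed sample row: the second and third values would be evaluated
        // as formulas by a spreadsheet if written to the file unchanged.
        List<String> row = List.of("policy-42", "=SUM(A1:A9)", "-2+3", "say \"hi\"");
        System.out.println(toCsvLine(row));
    }
}
```

Applying the same check to every exported cell, not only free-text ones, is what closes the finding, since numeric-looking fields such as "-2+3" are also formula triggers.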

Another potential security risk flagged during the testing was the use of Vaadin, an older Java web framework for building web applications. However, Higson is redesigning its studio in Angular to make the app even more user-friendly and secure.

Remediation Verification

Once we made the necessary updates based on the previously identified findings, CT Defense confirmed that successful remediation had been performed. 
