HelloID Security Scan
Performed by: Reputable external cybersecurity firm
Independent external experts assess the security of HelloID twice a year. The most recent assessment confirmed that HelloID maintains a high level of security. For Tools4ever, these recurring evaluations are essential: they keep us vigilant and drive ongoing improvements in our technology and services. They also benefit our customers, who can trust that independent experts thoroughly review the HelloID platform every six months. This proactive approach helps us identify and fix potential vulnerabilities before they can be exploited.
Why Work With External 'Ethical Hackers'?
Tools4ever employs a team of in-house security experts who continuously strengthen and test our Identity and Access Management solutions, even attempting internal attacks to uncover potential weaknesses. However, we believe it’s equally important to have an independent party conduct a structured, critical assessment of our systems. External reviews keep us sharp, help eliminate blind spots, and ensure we remain fully accountable for the security of our products.
The independent ethical hackers we work with are selected for both verifiable independence and proven qualifications. We want assurance not only of the quality of the security testing itself, but also of the integrity of those performing it. Strict selection criteria and high professional standards give us that confidence, so that you, as a customer, can trust that all test results are handled responsibly and never misused.
Scope of the HelloID Security Assessment
The semiannual assessment is not a paper exercise: professional ethical hackers make real attempts to attack the system. They are trained to view IT systems through the lens of an experienced cybercriminal and to recognize vulnerabilities that others might overlook. Among other sources, the team works from the Dutch NCSC's ICT-Beveiligingsrichtlijnen voor Webapplicaties (ICT-B v2) and the OWASP Top 10 Application Security Risks, 2013 and 2017 editions (OWASP has since published a 2021 edition, so the reference editions named here are not the current list).
The test includes traditional black-box testing, in which the testers attempt to break in without prior knowledge of the system and gain access to functionality and data. For the application security test, the testers go a step further with grey-box testing: they are given partial insight into the software's internal workings so that they can also search specific HelloID components for weaknesses an outsider might not find. Finally, they evaluate what authorized users can do within the system. Can a legitimately logged-in user do more than intended, for instance by reaching another user's data or a function reserved for a higher role? This matters because much fraud and cybercrime originates within organizations themselves. With HelloID, we not only test the quality of the front door, we also assess the security of the application once someone is legitimately inside.
The tests cover the full range of potential vulnerabilities, from overly detailed system and error messages that disclose internal details to cross-site scripting (XSS).
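The authorized-user question above ("can they do more than intended?") is, in practice, an authorization-matrix test: every role is exercised against every action and every target, and the outcome is compared with the intended policy. The Python example below is added here to illustrate that technique; it is not HelloID code and says nothing about HelloID's actual roles or permissions. The users, departments, actions and policy are constructed for the example, and the implementation under test carries deliberate defects so that the check has something to find.

```python
"""Authorization-matrix check: can legitimately logged-in users do more than intended?

Constructed example (not HelloID code). A small user directory, an expected
authorization policy, and a deliberately flawed implementation are compared
cell by cell; every cell where the implementation grants more than the policy
is an authorization finding, classified as horizontal (peer-level data) or
vertical (higher-privileged target or admin-only action).
"""

# Constructed directory: role and department per user (hypothetical data).
USERS = {
    "alice": {"role": "helpdesk", "dept": "sales"},
    "bob":   {"role": "helpdesk", "dept": "finance"},
    "carol": {"role": "manager",  "dept": "sales"},
    "dave":  {"role": "admin",    "dept": "it"},
    "erin":  {"role": "employee", "dept": "sales"},
}
ACTIONS = ("view_profile", "reset_password", "assign_role")
RANK = {"employee": 0, "helpdesk": 1, "manager": 2, "admin": 3}
ADMIN_ONLY = {"assign_role"}


def expected_allowed(actor: str, action: str, target: str) -> bool:
    """Intended policy, as it would be derived from the (hypothetical) functional design."""
    a, t = USERS[actor], USERS[target]
    if a["role"] == "admin":
        return True
    if action == "view_profile":
        return actor == target or a["role"] in ("helpdesk", "manager")
    if action == "reset_password":
        # Helpdesk and managers may reset passwords only within their own
        # department, and never for admin accounts.
        return (a["role"] in ("helpdesk", "manager")
                and a["dept"] == t["dept"]
                and t["role"] != "admin")
    return False  # assign_role and anything unknown: admin only


def app_authorize(actor: str, action: str, target: str) -> bool:
    """Implementation under test, with deliberate authorization defects."""
    a = USERS[actor]
    if a["role"] == "admin":
        return True
    if action == "view_profile":
        return actor == target or a["role"] in ("helpdesk", "manager")
    if action == "reset_password":
        # Defect: neither the department nor the target's role is checked.
        return a["role"] in ("helpdesk", "manager")
    if action == "assign_role":
        # Defect: managers were given an admin-only capability.
        return a["role"] == "manager"
    return False


def classify(actor: str, action: str, target: str) -> str:
    """Excess privilege reaching a higher role or an admin-only action is
    vertical escalation; anything else is horizontal (peer or lower target)."""
    if action in ADMIN_ONLY or RANK[USERS[target]["role"]] > RANK[USERS[actor]["role"]]:
        return "vertical"
    return "horizontal"


def find_authz_deviations(authorize, policy, users, actions):
    """Exercise every (actor, action, target) cell and return the deviations.
    'excess' = implementation allows what policy forbids (a security finding);
    'missing' = implementation denies what policy allows (a functional bug)."""
    deviations = []
    for actor in users:
        for target in users:
            for action in actions:
                got = authorize(actor, action, target)
                want = policy(actor, action, target)
                if got != want:
                    kind = "excess" if got else "missing"
                    deviations.append((actor, action, target, kind))
    return deviations


def summarize(deviations):
    """Count findings by escalation type; only 'excess' cells are security findings."""
    summary = {"horizontal": 0, "vertical": 0, "missing": 0}
    for actor, action, target, kind in deviations:
        if kind == "missing":
            summary["missing"] += 1
        else:
            summary[classify(actor, action, target)] += 1
    return summary


if __name__ == "__main__":
    found = find_authz_deviations(app_authorize, expected_allowed, USERS, ACTIONS)
    for actor, action, target, kind in found:
        print(f"{kind:8} {classify(actor, action, target):10} {actor} -> {action} -> {target}")
    print(summarize(found))
```

Run as-is, the defects show up as "excess" cells: helpdesk staff resetting passwords in other departments (horizontal), helpdesk or managers resetting an admin's password and managers assigning roles (vertical). In a real engagement the `app_authorize` stand-in is replaced by a request to the application made with a session belonging to the actor; the cell-by-cell comparison against the intended policy stays the same, and a clean run (no "excess" cells) is the result a tester would expect once the application is fixed.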
Risk Analysis
Each identified potential vulnerability receives a risk rating so that we can address it with the appropriate priority. The rating is based on the likelihood that the vulnerability can be discovered and exploited, and on the impact if it is:
The likelihood depends, among other things, on how hard the vulnerability is to exploit. Can it be exploited by following a simple set of steps, or does it require, say, physical access to the servers?
The impact is the potential extent of the damage the vulnerability can cause. There is an obvious difference between a short service interruption and a serious data breach.
Low- and medium-risk findings are delivered in the test report, after which our experts address them. Any unexpected high-risk finding is escalated immediately by the testers so that Tools4ever experts can develop and deploy a fix right away. Fortunately, such vulnerabilities are rare.
Every test turns up some low- and medium-risk findings. Technology keeps evolving, as do the knowledge and tools available to malicious actors, so we are never finished, and each cycle we find areas that can be improved further. That is the major added value of a semiannual security scan: we stay sharp and keep the HelloID service up to date from a security standpoint.
Want to Know More About This Security Scan?
We are not permitted to publish the detailed contents of our security scans. Our customers do, however, see their effects in the form of changes, improvements, and bug fixes in our regular release notes. In addition, our account managers are happy to share more about our regular security tests.
Tools4ever releases new features and updates for the HelloID software monthly. Would you like to stay informed?