Case FRENDS: Mission Critical Integration Platform Security Testing
HiQ Finland asked elfGROUP to test the cyber security of its FRENDS integration platform. This gave them an outsider's view of the security level of FRENDS, and a CyberSafe certificate that they plan to use in their customer and product communication to testify to FRENDS' suitability for the automation of mission critical business processes and the integration of confidential information between IT systems.
This blog describes how security testing was conducted, and what results this process brought to HiQ.
HiQ Finland and FRENDS
HiQ Finland specializes in demanding online business and e-business solutions, process integration and quality assurance. FRENDS is HiQ’s modern hybrid integration platform-as-a-service that enables any integration from managed file transfer to full API management.
Why security testing was important for HiQ
Dozens of leading Finnish and global organizations use FRENDS to automate their mission critical processes, and a vast amount of confidential information flows through it.
Asmo Urpilainen, CTO, Director of Product Development, says that because FRENDS is specifically built for customer data management and critical process automation, information security is naturally very important for the platform and customer implementations, and there is no room for any issues.
In order to get an objective view, HiQ wanted cyber security professionals to test the platform. This would also testify to HiQ’s commitment to information security.
How testing was done
HiQ and elfGROUP started the testing process in August 2019. During the testing, elfGROUP’s cyber security professionals used the same methods, tools and tactics that a potential hacker could use to penetrate the system. In addition to user interface testing, special emphasis was put on the security testing of API interfaces and on the communication between the platform's architectural layers. It was crucial to know that the system is secure across the architecture, and that wherever information is exchanged, no one could get in between.
Teams from HiQ and elfGROUP were in close communication during the testing, and when elfGROUP’s cyber security experts found something, the findings were reported to and verified with HiQ’s team immediately. This ensured maximal transfer of knowledge and competence and, when needed, quick bug fixing. As elfGROUP’s cyber security experts had familiarized themselves with FRENDS’ architecture and technology, they were productive from day one. At the same time they were able to create unique attack scenarios specific only to this environment, and to present their findings in the context of FRENDS, in a way that software developers were able to understand and act on.
According to Asmo, the best part of the process was the co-operation between their development team and elfGROUP’s cyber security experts. HiQ’s team got the feeling that this was not just a business initiative for elfGROUP’s experts, but that everyone genuinely wanted to find and solve problems together, and that the process was conducted on HiQ's terms. In addition, clarity during the sales phase and in product communication gave Asmo early certainty about what he was ordering and what he would get as an end result.
End result from HiQ's point of view
Once the system had no critical or high level vulnerabilities, testing was accepted and elfGROUP granted the CyberSafe Solution certificate to FRENDS. HiQ plans to use the certificate in its customer communication to testify to the high level of information security and to a company culture that aims to keep customers’ data safe and operational reliability at its maximum, even under exceptional circumstances.
Asmo concludes that HiQ Finland aspires to keep the level of information security superb and to continue co-operation with elfGROUP. Asmo thinks that this could mean periodic security testing and the development of information security in other operations as well. Cyber security is not an individual action or document but fundamentally an approach, culture and way of thinking that should cover all activities.
If you are interested in hearing more about FRENDS, please contact Asmo Urpilainen (firstname.lastname@example.org).
If you want to discuss how your software product, digital service, mobile application or IoT device should be security tested and certified, please contact elfGROUP at email@example.com.