If your enterprise cloud software isn’t boasting about security, you should be worried

Over the last 2 months we have been working on bringing our product up to the standard required by the NZISM.

We have found it’s easy to say that you build software with security in mind. It’s another thing entirely to dig into every service and lock it down. From starting our own internal assessments to bringing in an external vendor to carry out a full Security and Risk Assessment, this process has consumed our team since early November.

Working off a checklist provided by our vendor, we proceeded to lock down text fields, encrypt local files, enforce timeouts across the site (fun with Angular), and apply password policies to every field where a customer can change their password.

Along the way we found a stack of surprises such as:

  • Windows Communication Foundation (WCF) has to be specifically configured to support TLS 1.2. If it isn’t, it falls back to TLS 1.0, which is known to be weak.
  • SQL Server 2014 doesn’t work with TLS 1.2 enabled. This is fixed by applying the latest patch, but I would assume that older versions of SQL Server don’t support TLS 1.2 either.
  • Securing our own system isn’t enough; we also have to require our customers to run .NET 4.5, which supports TLS 1.2. The same applies to older browsers that don’t support the standard.
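The three surprises above all come down to the same question: which TLS versions are pinned on the Windows host, does .NET 4.x know to use TLS 1.2, and what does the server actually negotiate with a client? The following PowerShell script is an added example written for this post, not code from the original article or its authors. It reads the Schannel protocol keys and the documented .NET 4.x switches (SchUseStrongCrypto and SystemDefaultTlsVersions), then offers TLS 1.0, 1.1 and 1.2 in turn to a server and reports which ones it accepts. The server name app.example.invalid is a placeholder; run it against your own endpoint.

```powershell
# Added example (not from the original post): audit the registry switches that decide
# whether Schannel and .NET 4.x (and therefore WCF) will use TLS 1.2, then probe a
# server to see which TLS versions it really negotiates.

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$dotnet   = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
)

# Return a DWORD value from the registry, or $null when the key or value is absent.
function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# One row per protocol/side: an absent key means the OS default applies, which on
# older Windows builds still has TLS 1.0 switched on.
function Get-SchannelProtocolReport {
    foreach ($proto in 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($side in 'Client', 'Server') {
            $enabled = Get-RegistryDword -Path "$schannel\$proto\$side" -Name 'Enabled'
            $state = if ($null -eq $enabled) { 'OS default (not pinned)' }
                     elseif ($enabled -eq 0)  { 'disabled' }
                     else                     { 'enabled' }
            [pscustomobject]@{ Protocol = $proto; Side = $side; State = $state }
        }
    }
}

# SchUseStrongCrypto=1 makes .NET 4.x offer TLS 1.2 by default; SystemDefaultTlsVersions=1
# (honoured from .NET 4.6 onward) defers to the Schannel settings above.
function Get-DotNetTlsReport {
    foreach ($path in $dotnet) {
        [pscustomobject]@{
            Path                     = $path
            SchUseStrongCrypto       = Get-RegistryDword -Path $path -Name 'SchUseStrongCrypto'
            SystemDefaultTlsVersions = Get-RegistryDword -Path $path -Name 'SystemDefaultTlsVersions'
        }
    }
}

# Offer exactly one protocol version per connection; the server certificate is still
# validated, so a failure message also surfaces chain problems.
function Test-TlsNegotiation {
    param([string]$Server, [int]$Port = 443)
    foreach ($proto in 'Tls', 'Tls11', 'Tls12') {
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $client.Connect($Server, $Port)
            $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
            $ssl.AuthenticateAsClient($Server, $null,
                [System.Security.Authentication.SslProtocols]$proto, $true)
            $result = "accepted ($($ssl.SslProtocol))"
        } catch {
            $result = "rejected: $($_.Exception.GetBaseException().Message)"
        } finally {
            $client.Dispose()
        }
        [pscustomobject]@{ Offered = $proto; Result = $result }
    }
}

Get-SchannelProtocolReport | Format-Table -AutoSize
Get-DotNetTlsReport        | Format-List
Test-TlsNegotiation -Server 'app.example.invalid' -Port 443 | Format-Table -AutoSize
```

A server that still answers "accepted (Tls)" for the first probe is the situation the post describes: TLS 1.0 is live regardless of what the application code believes. On the client side, a WCF or HttpWebRequest caller on .NET 4.5 can also opt in from code by setting [Net.ServicePointManager]::SecurityProtocol to Tls12 before opening the channel, which is the in-process equivalent of the SchUseStrongCrypto key.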

Why don’t cloud applications talk more about security?

After going through this process, we noticed that other companies in our sector don’t make a big deal about security. It’s one thing to say you use HTTPS and payload encryption, but it’s something entirely different to dig out the hundreds of little things that add up to big problems. And if you had spent two months of runway to meet a government manual on security, why wouldn’t you shout that as loud as you can?
