Web app security: testing end users
Security has become an issue for every company. By security, we mean both the confidentiality of data and the continuity of service delivery. Since the General Data Protection Regulation (GDPR) became enforceable in May 2018, companies are ever more liable for the personal data they hold, so that data breaches impact not only their sales and reputation but also their budget, through the risk of fines.
Automated tests with tools like Selenium check the overall coherence of applications. Recurring web app pen-tests, relying on Cybrary and others, double-check for vulnerabilities, while subscription-based vulnerability notification services ensure that the system administrator is informed early of any new vulnerability and of the corresponding upgrade.
But what about the end users? Like other pure players, Dokeos offers a SaaS service to its client companies. This means that the responsibility for testing end users belongs to the client, not to the provider. However, it would be good practice for the client and the provider to join forces to check the weakest link in the chain.
Despite vendors' efforts, and because hardware is replaced more slowly than software is updated, most home Wi-Fi access points in 2019 still do not offer the same level of security as corporate network deployments.
With the recent trend of Bring Your Own Device (BYOD) policies, most employees move continuously from home to office and from office to public spaces, increasing the risk of Man-in-the-Middle intrusions and of persistent backdoors accessing the data flow of individual PCs and smartphones.
Social engineering toolkits such as TrustedSec's Social-Engineer Toolkit (SET) have become the de facto main strategy for phishing passwords and spoofing websites or identities. IT teams struggle with this phenomenon and, even more, with the lack of education in security best practices among employees. Workers tend to trust what they see, wherever they are, and click and validate most options presented by their device.
The current situation is not comfortable. Users' lack of awareness ends up creating risks for their employer. The solution lies in a mix of action (scanning, pentesting, Red Team exercises...) and education of users on the most critical issues (USB drives, unusual behaviours, public hotspots, etc.).
For this mix of action and education to deliver true security, the client company and the SaaS software provider need to cooperate. The provider contributes its knowledge of the possible misuses of its software, while the client company contributes its experience of past incidents and of the overall infrastructure risks at stake.
As for any strategy addressing a complex problem, the solution does not lie in a contract, a software, a practice, a methodology or a document. It lies in a creative combination of all and the dedicated collaboration of parties.
That is why, when a client asks Dokeos for a security audit, we systematically highlight the need to include the end users' practices, past history, infrastructure and locations in the loop.
Want to learn more about Dokeos and security? Contact us!