General - Vulnerability Scans of eramba

Hello,

We sometimes get asked how we test eramba against security vulnerabilities. I think it is worth sharing a bit of what is done and where we stand on this matter:

  • We have had the same developers for the last 6 years; these guys know eramba pretty much the same way you know your house.
  • Being open and serving the security industry, we get pretty much immediate feedback when something is not ok. When something is not ok, we fix it as a hotfix. I honestly don't remember well when the last time we had such a situation was. Sometimes people report things for old versions, but of course that is not much of a concern if the issue has been fixed.
  • Once a year, we hire Payatu (an amazing company if you ask me) to manually review certain parts of the app (authentication and authorisation in particular).
  • Every release gets an Acunetix scan. If you ever tried running an automatic scan, most likely it won't work, as you need to disable certain security mechanisms built into Cake, otherwise you'll get 302 errors all the time. I'm attaching the last report for our release of next week (scans take approx. 3 days to run).

Conclusion:

  • We are subject to issues like any other app, but since we are transparent and exposed we get "tested" pretty often by many different people since we went public.
  • Serious issues can derive from "logical" actions (we omit a check, a module is off, etc.) … we review those with the team and with the help of Payatu. Scans hardly ever find something "interesting".

If it gives you more confidence, I'm ok to include the Acunetix report on every release, no problem with that. I hope it is clear by now that we strive for transparency.

Have a good day