“We do not sell the fact that TEEXMA® is secure, we owe it to our customers.” It is with these words that our IT Director, a member of our Security Team, presents the security set up within BASSETTI. But how is that security thought through?
IT security is thought through from the beginning
Computer security is at the center of our customers’ concerns. For this reason, BASSETTI applies the principles of “Security by design”. In other words, security is considered and anticipated early in the design of the tool and integrated into the heart of the solution. The idea is simple: reduce the attack surface from the specification stage onward, and deny access that is not needed. BASSETTI relies on several security tools and studies, including the OWASP Top 10. The Open Web Application Security Project (OWASP) is an online community working on the security of web applications. Each year, it publishes its well-known “OWASP Top 10”, which provides not only good practices but also an inventory of the state of security in the development of web, mobile and IoT (Internet of Things) applications. This Top 10 has therefore become an essential tool for all developers at BASSETTI, serving as a reference that groups together the common but critical attacks an application has to withstand.
In a constant effort to improve security, BASSETTI has created its Security Team, which gathers people from several departments and is in charge of all aspects of the company’s security: the security of its premises, the tools used to defend against the various possible attacks, and also the security of TEEXMA® for our customers.
It is also responsible for the ongoing training of BASSETTI employees in security best practices, and regularly organizes training sessions designed according to their professional profile.
In order to ensure the robustness of its solutions, and in addition to the audits conducted internally, BASSETTI is regularly audited by its own customers or by outside experts. The tool is subjected to different penetration tests, each giving the testers a different level of knowledge and access:
- The so-called “black box” tests: only the URL is communicated to the testers, who then try to gain access to the solution.
- The so-called “grey box” tests: in addition to the URL, the testers are given certain information, including a user account.
- The so-called “white box” tests: these are generally carried out internally at BASSETTI, so that the functioning of the solutions as well as their internal structure can be examined.
Customer training courses
In order to ensure maximum security of its tools, BASSETTI offers “Security Packs”, supporting its customers in a security approach that is as comprehensive as possible across the different perimeters covered by the TEEXMA® solution. For example, our security experts contact the customer’s SOC (Security Operations Center) where one exists, or otherwise the IT Department, to advise them on the best way to monitor the log files specific to our application (files containing all the events executed in the solution, in chronological order), as well as on rights management or authentication, for example. In this way, the customer is autonomous and able to detect intrusion attempts or unusual requests in their TEEXMA® application(s).
Through the Security Team, BASSETTI has set up a maintenance department dedicated to software security. It is divided into two services:
- The so-called “reactive” service: composed of an intervention team that covers a possible incident, providing telephone assistance or even physically assisting the operational teams. This team is responsible for detecting, isolating and mitigating the threat.
- The so-called “proactive” service: its role is to maintain awareness of potential vulnerabilities and to monitor the infrastructures, the technologies used, security audits and penetration tests, vulnerability checks, and also user feedback, for example.