Frequently Asked Questions
Application security matters first of all because it ensures that information about you and your customers is protected. If the integrity and protection of that information cannot be guaranteed, you and your customers may suffer damage: direct financial damage, but also a dent in your company's reputation. In addition, you are legally obliged to adequately secure your applications. This is laid down in the General Data Protection Regulation (GDPR). If your application is hacked and a data breach occurs, that breach must also be reported.
Many IT departments do not protect internal systems at all, or only partially, because those systems are assumed to be inaccessible to unauthorised persons. There is also often no policy, or only an incomplete one, for replacing and updating employee systems. By properly securing the internal corporate network, many attacks can be prevented or their impact minimised.
Our security assessments can minimise the risk of your applications being exploited. How much to invest in this is a decision that only our clients can make. In addition, applications are usually under continuous development, while a security assessment is a snapshot in time. That is why we do not issue 'Certified by' statements.
Through a third-party statement (Third Party Memorandum, TPM) we can provide limited insight into the set-up and results of an assessment. To this end, we provide third-party statements at different levels of detail. These documents are only provided to our clients. Third parties can verify the authenticity of a statement with WhiteHats.
Although the law itself does not contain concrete instructions, the government does provide clear guidelines for the security of web applications. The Dutch Data Protection Authority (Autoriteit Persoonsgegevens), which monitors compliance with the General Data Protection Regulation (GDPR), states:
"The data processing must be appropriately secured."
However, when are security measures "appropriate"? The predecessor of the Dutch Data Protection Authority published guidelines on this. These guidelines form the connecting link between the legal domain on the one hand and the domain of information security on the other.
This means that the guidelines must be used in conjunction with generally accepted security standards from information security practice, such as the ICT Security Guidelines for Web Applications of the National Cyber Security Centre. These in turn refer to OWASP, which WhiteHats also focuses on.
Those ICT security guidelines are also well documented. An overview of the most important guidelines can be found on pages 17 and 18 of part 1. A security test such as those WhiteHats performs focuses in particular on points 7, 8 and 9 (the technical aspects of a secure web application) and is therefore an important part of "appropriate security measures".