Penetration testing
White box - Black box penetration tests
Penetration testing is where Simployer (or 3rd party professionals working on behalf of Simployer) tries to break into our own systems. The tests are performed to identify weaknesses (also referred to as vulnerabilities), including the potential for unauthorized parties to gain access to the system's features and data.
Penetration testing is mainly done in two ways:
- White box testing - this is where a potential intruder (tester) has prior knowledge and background information about the system.
- Black box testing - this is where a potential intruder (tester) has limited (if any) information about the system.
Simployer performs both white box and black box testing regularly, and we use professional tools to help automate the process.
Sharing of results of penetration tests
Simployer does NOT share detailed results of penetration tests with customers. We do however share detailed results of such tests with our auditors, and the audit report is available for customers.
Mitigations
The best way to prevent attackers from compromising a system is to mitigate potential threats before they are exposed.
Aikido security platform
Simployer has implemented Aikido to automate discovery and fixing of vulnerabilities in our source code and external libraries used by Simployer. With Aikido we reduce the potential for introducing vulnerabilities into production environments.
We also use Aikido for real-life penetration testing. With Aikido we can find potential breaches in our production environments and mitigate them before they become critical.
3rd party penetration test
Simployer regularly engages professional 3rd parties in penetration testing. Potential findings from such tests are treated with the highest sense of urgency and acted upon according to established incident management routines. The results of the penetration tests are shared with our auditors.
Firewalls
Our professional hosting partners maintain firewalls that protect the Simployer suite from malicious attacks.
Antivirus and malware protection
All servers used to host Simployer are protected by updated antivirus and anti-malware software maintained by our professional hosting partners.
Load balancer and private endpoints
Endpoints for internal services and data storage are separated by virtual network mappings so that internal endpoints are never exposed publicly. Only the load balancer and the API gateway have public endpoints. SSL offloading is done at the load balancer level. SSL offloading is the process of removing the SSL-based encryption from incoming traffic to relieve a web server of the processing burden of decrypting and/or encrypting traffic sent via SSL. The processing is offloaded to a separate device designed specifically for SSL acceleration or SSL termination.
API Gateway
Simployer APIs are behind an API gateway that only exposes public endpoints. The gateway handles authentication, security, rate limiting, throttling, transformations, analytics and monitoring.
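To illustrate the rate limiting and throttling an API gateway performs in front of backend APIs, the following is an added example of a per-client token-bucket limiter. It is not Simployer's gateway code or part of the original page; the bucket size, refill rate, client identifiers and sample traffic are constructed for the illustration.

```python
"""Per-client token-bucket rate limiter, as an API gateway might apply it.

Illustrative example only, not Simployer's gateway. Capacity, refill rate,
client keys and the sample traffic below are constructed values.
"""
import math
from dataclasses import dataclass, field


@dataclass
class TokenBucket:
    capacity: int              # burst size: requests allowed at once
    refill_per_second: float   # sustained request rate
    tokens: float = field(init=False)
    last: float = field(init=False)

    def __post_init__(self) -> None:
        self.tokens = float(self.capacity)
        self.last = 0.0

    def allow(self, now: float) -> bool:
        # Refill in proportion to elapsed time, never above capacity.
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_per_second)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class GatewayRateLimiter:
    """Keeps one bucket per client key (for example an API key or source address)."""

    def __init__(self, capacity: int, refill_per_second: float) -> None:
        self.capacity = capacity
        self.refill_per_second = refill_per_second
        self.buckets: dict[str, TokenBucket] = {}

    def check(self, client: str, now: float) -> tuple[int, dict]:
        """Return an HTTP status (200 pass / 429 throttle) and rate-limit headers."""
        bucket = self.buckets.get(client)
        if bucket is None:
            bucket = TokenBucket(self.capacity, self.refill_per_second)
            bucket.last = now
            self.buckets[client] = bucket
        if bucket.allow(now):
            return 200, {"X-RateLimit-Remaining": str(int(bucket.tokens))}
        # Throttled: tell the client how long until one token is available.
        wait = (1.0 - bucket.tokens) / self.refill_per_second
        return 429, {"Retry-After": str(max(1, math.ceil(wait)))}


def simulate(requests, capacity: int = 5, refill_per_second: float = 1.0) -> list[int]:
    """Replay (timestamp, client) pairs through one limiter; return the status per request."""
    limiter = GatewayRateLimiter(capacity, refill_per_second)
    return [limiter.check(client, t)[0] for t, client in requests]


# Constructed traffic: client "a" bursts 7 requests at t=0 (only 5 fit the bucket),
# client "b" sends one at t=0.5, and "a" returns at t=3.0 after refilling 3 tokens.
SAMPLE_REQUESTS = [(0.0, "a")] * 7 + [(0.5, "b"), (3.0, "a")]

if __name__ == "__main__":
    for (t, client), status in zip(SAMPLE_REQUESTS, simulate(SAMPLE_REQUESTS)):
        print(f"t={t:<4} client={client} -> {status}")
```

Each client is throttled independently, so one client exhausting its burst does not affect others, and the 429 response carries a Retry-After header so well-behaved clients back off rather than retry immediately.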
Hardening
All servers and services that are used to host Simployer are hardened according to best practices provided by the manufacturers.
Secure channels and authentication
Simployer does application management over secure and encrypted channels that require multi-factor authentication. All traffic between Simployer and customers is encrypted using TLS 1.2 or newer.
Training
We train our technical personnel regularly.
Transparency
We are open with any potential threats and issues that might hit the Simployer suite, and we keep our customers up to date on https://status.simployer.com