
· 4 min read
Tuomas Tonteri

When planning their information security activities, software product companies, for example, sometimes wonder whether they should order security testing or an audit. Quite often the two terms are also used interchangeably, perhaps out of ignorance on the speaker's part; rather frequently, security testing is referred to as an audit.

So, is there any difference between these terms? Is a web app compliant with ISO 27001 after two weeks of security testing?

Security model

Security testing is typically investigative, or exploratory: the target system is gone through systematically, but the testers' attention is inevitably directed towards the most probable vulnerabilities in the system, based on the observations made so far and the testers' previous experience. The software's functionality is tested by using the system and by sending it modified and intentionally unexpected or broken requests, with the aim of causing instability or other unexpected behaviour that would reveal exploitable defects in the system's functions or its defences. A varying set of test cases is applied to different sections of the system; tens of thousands of different requests may be sent per individual function to identify functional boundary cases and the limits of the security controls. Whatever the approach, security testing can never cover all input variations, branches of functional logic or request sequences.

Of course, security testing can also be scoped to a very narrow part of the target system, such as the logon function alone. To make the results reliable, specific test cases are defined and precise automation is built so that the testing gets good coverage (logic branches and input boundaries). This can be of significant benefit when security regression testing is implemented later on.

In addition to the factors above, the scope and coverage of security testing are always limited by the project's scope, the available time frame and the budgeted effort. The end result is the best possible review of the target system's security in relation to the amount of work used and the scope of testing, for example from the perspective of the user interface and the APIs. The target system's security testing can be approached in many different ways, e.g. by testing the software itself, its runtime environment, its integrations or the system's ability to maintain data integrity in exceptional and error situations. Naturally, chance also plays a part in which findings are discovered.

If security testing is a vague and multidimensional term, auditing is even more so. The more established definitions start from the premise that an audit is typically an external event whose purpose is to determine whether certain criteria are met. Audits are thus a kind of conformity assessment, in which the key is to reach an unambiguous conclusion: the requirements are either met or they are not. A security audit must therefore be an assessment of the fulfilment of security-related criteria. The target of the assessment can be practically anything. In a security audit the target could be, for example, an organization and its operating methods, a company's IT infrastructure, a web service or another information system (ERP, CRM, office apps etc.), software development methods, DevSecOps policies, software architecture and so on. In addition to the subject of the assessment, it is necessary to choose which criteria or framework of requirements to audit against. An organization's information security management can be evaluated in accordance with ISO 27001; the information security practices of development teams can be assessed with the OWASP SAMM model, or with one of the Secure SDLC models if maintaining information security throughout the software production process is to be emphasized. OWASP's comprehensive Application Security Verification Standard (ASVS) provides a broad set of requirements for secure software design, implementation and testing practices.

As with many things, the key is to keep the information security work continuous and to proceed with it systematically. It is worthwhile to combine different frameworks, operating models, partners and experts, so that perspectives are refreshed and the outcome is more diverse and comprehensive. It is often reasonable to combine practical testing with conformity assessment, so that the realization of secure design principles is assessed in the architecture while the results of secure coding are verified by testing.

Performing security testing doesn't make the target compliant with e.g. the ISO standard, and passing the ISO audit doesn't make the target secure. Both approaches are needed.

In summary, security testing does not provide absolute answers about a system's security, and the results of an audit indicate only whether the selected requirements are met in the auditor's view. So how, then, could we ensure corporate information security? Well, at least it is clear that as an industry we still have a lot to develop and learn, but there are already good methods and tools for versatile security work.

· 4 min read
Tuomas Tonteri

Change is the only constant

Since our establishment in 2010 we had operated as a single limited company. At the beginning of 2020 we reorganized the actual customer business under two new companies, with the intention of separating the cyber security business and the software development & server production business into their own entities. The new subsidiaries' first year brought with it several administrative and organizational renewals, the COVID-19 pandemic and the withdrawal of our biggest software development customer from Finnish subcontracting. This caused a major drop in our turnover, and at the same time the pandemic made our customers cautious and hesitant about starting new projects. During 2020 we had to make several temporary lay-offs, which eventually led to a shortage of staff and demanded major efforts from the remaining personnel in their areas of responsibility.

However, we got over the most challenging times and we are building new growth together. The biggest thanks go to everybody contributing to elfGROUP's operations: staff members, partners and of course our amazing customers! Luckily COVID-19 has stayed away from us, and the industry itself manages just fine working remotely.

Cyber Security CUBE

We have continued the development of the Cyber Security CUBE product and platform. Business Finland granted us funding for the project. Many significant functionalities supporting information security testing, information security administration and software assurance were advanced during the project phase in 2020-2021. More about this soon (yes, I know: a year ago I wrote that the contents of the new website would be ready soon, and only now am I writing the next blog post!).

The year 2021 came after all

elfGROUP's second "corona year" has run smoothly, though not without challenges.

In spring we participated in the Cyber Security Executive 2021 remote event with our virtual booth. It was an interesting experience, but in my opinion a real exhibition with actual face-to-face encounters and conversations works better. We also took part in an internationalization project, and among other things the negotiations on CUBE platform co-operation with German companies are ongoing.

Managing quality (ISO 9001) and information security (ISO 27001)

In May, the auditors of Bureau Veritas performed another periodic audit of elfGROUP's ISO 9001 and ISO 27001 certifications. In the midst of, and despite, all the changes, we will continue to maintain quality management and information-secure operations.

Recruits

In spring we also started recruiting; skilled and experienced people are really hard to find, and in part the search continues. Reijo, who has wide experience in security technology, came to strengthen our sales team, and later in spring we got three great "aces" on the elfGROUP team when Sanna, Santeri and Salla came along. With these recruits we strengthened our skills in information security testing, quality management, administration and communications, and our overall response readiness. And I must say these areas have progressed well on many fronts. Welcome to the elf gang, and thanks for the trust!

Looking forward

Now we are in a situation where our autumn project calendar looks dazzlingly full with many varied assignments. It is great, and it tells us that companies of all sizes are putting effort into developing their information security. I personally believe it also means that our chosen way of listening to our clients' needs, showing strong skills in information security and delivering carefully finished results in every interaction has been the right one for us. We are actively seeking growth and looking for partners who share the same values in their operations.

After a short pause we decided to bring the Finnish website back, and we have now published the entire site in Finnish as well. When it comes to blogs we will most likely keep the hybrid model, and content will be published at our discretion in either or both languages.

Wishing you sunny autumn days!

Best regards, Tuomas.

· 2 min read
Tuomas Tonteri

Welcome to the refreshed elfGROUP web site.

We have been using HubSpot for the past few years as a CRM platform, marketing automation tool and website hosting platform. A few months back we made the decision to move to a more lightweight, customizable, performant and secure approach, which we also host on our own elfCLOUD servers. The site is built with Docusaurus, which allows us to make flexible and straightforward updates and to focus on the quality of the content.

As we go live today, not all of the content has been migrated yet. We are not simply copying the old content but updating and improving it in many ways. Most importantly, selected blog posts, customer cases and references are yet to be migrated, which we hope to complete during September.

One noticeable change is that we have dropped the Finnish version and many of the cyber security articles and pages that were targeted more at a "B2B general public" audience with perhaps less cyber security domain knowledge. We have come to realize that our customer segment is very well informed on the subject matter, and we want to direct all of our energy to providing the accurate and to-the-point information that all of you deserve and expect from us.

Welcome to the new site, and let us know if you have any thoughts or comments on the changes made and on how we can improve further.

Circumstances considered, have a great remaining 2020 and stay safe.

Best regards, Tuomas.

· 3 min read
Tuomas Tonteri
Case FCG Talent

Case FCG Talent: Reassurance to Cyber Security in Cooperation with Cyber Security Specialists

FCG Talent is a Finnish company that develops modern, innovative and user-friendly software solutions for recruitment, HR data management and personnel onboarding and development. Their best-known product is the Kuntarekry.fi service, a recruitment portal used by nearly every municipality in Finland, with almost 2 million users. Technology Manager Petri Tuomaala from FCG Talent describes information security as one of the pivotal factors in their products and processes.

FCG Talent looked for an external party to examine their R&D operations and the level of their information security. According to Mr. Tuomaala, internal processes can be developed to a certain point in-house, but to get to the next level an external opinion and outside specialists are needed for a fresh view.

“Paying attention to information security is important in software development and demands continuous attentiveness. This cooperation with elfGROUP gives us reassurance and cyber security specialist view – that’s what we are willing to pay for,” Mr. Tuomaala states.

The cooperation has had flexible ways of working from the beginning. Service and help have been available in an agile manner, with quick responses to service requests. Real-time communication and reporting without delay make it possible to react to every finding immediately.

Comprehensive cyber security work ahead

FCG Talent has been in cooperation with elfGROUP since spring 2018. They have a continuous, monthly contract for cyber security work that concentrates on a topical cyber security matter each month. Within this monthly work, elfATTACK cyber security testing has been carried out on all of FCG Talent's products, including their different user interfaces and user roles. Continuously developed software demands continuous cyber security work, and the monthly cooperation fits that need perfectly.

The cooperation, which has already lasted for 1.5 years, has advanced from cyber security testing to more comprehensive cyber security awareness. Lately, the work has concentrated on developing FCG Talent's R&D processes and ways of working. An OWASP ASVS analysis has been carried out to support this work and to find the next steps that lead the information security work forward. Tuomaala envisions that in the future the cooperation will concentrate more on functional specifications.

“Cyber security assurance taking place afterwards isn’t the most efficient way of operating. In the future, our objective is to develop this cooperation to affect our processes on a deeper level and thereby improve paying attention to cyber security aspects at as early a stage as possible,” Tuomaala explains.

R&D that considers cyber security aspects from the beginning is both cost-effective and time-saving: no corrective rounds are needed on software that is otherwise ready for launch, because information security has been part of every stage of the development work and of every layer of the software architecture. Cyber-secure software products are ready for market quickly, and time-consuming corrective rounds do not delay the software's profitability.

· 3 min read
Tuomas Tonteri
elfGROUP accomplished ISO 27001 Information Security Management System (ISMS) certification


All of elfGROUP’s operations have been certified according to the internationally recognised information security management system standard ISO 27001. Bureau Veritas audited our operations and granted us the certification on July 3rd, 2019. We announced our ISO 9001 news this April, and now our certification portfolio also includes the information security management certification. The certification audit was a thorough process for the whole company; it was carried out for both the ISO 9001 quality management system and the ISO 27001 information security management system at the same time.

Persistent work to achieve the certifications

For several years now, we have carried out internal development activities with process and quality control improvements, as well as creating an operational handbook that documents and aligns all of elfGROUP’s practices. Developing and implementing work instructions, policies and guidelines to standardize our internal procedures and our way of fulfilling different assignments has formed a big part of the development work that our COO Katja Tonteri has led. Over the years it has been important and rewarding to see these policies come alive and become an integral part of our daily work.

Conformity with the ISO standard has required a lot of documentation of our procedures and events. Many of the administrative and technical information security practices we already had also needed to be put in writing, and we had to ensure that the defined way is consistently practised. We have experienced this development as a positive improvement: although documentation and all this formality bring some extra work, they are definitely worth the effort. For example, defining and actually following your risk management process, or specifying organizational roles, are things easily left undone in a small company. However, in my experience with elfGROUP’s small organization of 15 people, such a standards-driven management system is a solid foundation for developing the company and the business. The standardized framework is very comprehensive and is well suited to many different industries.

For sure, the audit wasn’t just a documentation exercise. elfGROUP’s chief information security officer and senior cyber security specialist Markus Hamara and IT manager Edward Shornock got to, amongst other things, showcase our readiness for disaster recovery of critical IT systems in a simulated situation where the primary data center would not be available at all.

Fluent cooperation

This development work hasn’t been done in isolation, although information security work is often surrounded by a veil of secrecy. For a long time already we have worked in cooperation with Oulu Business Networks’ (OBN) quality, process and business development specialists. The cooperation with Bureau Veritas during the audit process was also very fluent. I’d like to take this opportunity to thank all our cooperation partners who have supported us, and especially elfGROUP’s personnel for their continued commitment to quality- and information-security-focused operations in our everyday work.

We have already received positive feedback from a few of our customers concerning the certification news. The certifications build up credibility in our operations and in the confidentiality statements we provide to our customers. I believe that all the experience and know-how accumulated from this development work will contribute to our cyber security excellence and will directly benefit our customers as well.

See our ISO 27001 certificate here.

· One min read
Tuomas Tonteri
elfGROUP is certified with the ISO 9001


elfGROUP’s operations have been certified according to the internationally recognised quality management system standard ISO 9001:2015. Bureau Veritas audited our operations and granted us the ISO 9001 certification on April 12th, 2019.

The ISO 9001 standard provides guidance and tools for companies and organizations that want to ensure that their products and services consistently meet customer requirements and that quality is continually improved. It is based on quality management principles such as customer focus, the process approach and evidence-based decision making, to name a few.

See our ISO 9001 certificate here.