At Tresorit, our goal is to make security simple. Every solution we develop is created to provide you maximum safety and comfort. However, we’re only human – that’s why we check and recheck everything we do and ask others to confirm we haven’t missed anything. We use penetration testing to assure you that our systems are as secure as we claim and help us identify any vulnerabilities we may have missed. We also believe that transparency is a central part of security: read on to learn more about the results of our most recent pen-testing.
In ISO standards, a vulnerability is defined as “a weakness of an asset or group of assets that can be exploited by one or more threats.” In a similar vein, vulnerability management is the process of identifying, assessing, reporting, managing and fixing vulnerabilities that affect the integrity or security of a system. For us at Tresorit, vulnerability management is important for several reasons.
For one, we are a security-focused company and work to help others stay in control of their most sensitive data and files. As a result, many companies and individuals choose to store some of their most valuable or confidential data in our end-to-end encrypted cloud. This means we must constantly adapt to new threats and counteract any new attack vectors in the cybersecurity space.
Furthermore, Tresorit is at its core a software company. We understand that every change we make to our code has the potential to create a vulnerability, so we act accordingly. We follow many secure programming principles and security best practices to ensure our code remains safe through every update. However, despite all our efforts, it’s best to have a fresh set of eyes check our systems to help us keep all vital information safe. We wrote about our Guarantees for protecting your data in the summer of 2021, when we also promised to share the results of our latest security audit.
Ensuring security: Vulnerability testing at Tresorit
Following from our understanding of the above, we take a three-pronged approach to ensuring the integrity of our codebase:
1. Continuous internal security tests
Our internal security practices are part of our ongoing efforts to ensure all data in Tresorit is safe. Catching flaws in the development phase is a central part of our main development process. However, when a safety-critical element of our code is affected, an extra review is conducted by our dedicated team of security experts. On top of this, we periodically check our apps with the same methods used by third parties. In these cases, we have the advantage of a deep knowledge of how our solutions work and their development, and can surgically test possible attack vectors that could slip through any gaps.
2. External third-party tests
Beyond helping us spot any vulnerabilities we’ve missed, third-party tests also validate our claims regarding the security and privacy of our cloud collaboration tools. Tresorit conducts such tests with trusted partners regularly. For example, we’ve previously worked with Ernst & Young and Computest. In 2021 we again asked Computest to complete penetration testing on our apps.
3. Customer security tests
Enterprises that handle vast amounts of sensitive or confidential data will have unique security requirements – especially if they work in highly regulated industries such as healthcare or law, or simply handle a lot of personal information. In many cases, these organizations will have the deepest possible understanding of their security needs and conduct additional security testing on their own accord. At Tresorit, we view these efforts as an opportunity to grow and improve our compliance tools.
2021 Penetration Testing by Computest
As mentioned above, Computest recently conducted penetration testing of our apps. This review focused on several Tresorit solutions that enable our secure digital workspace, including security assessments of the Tresorit:
- web client;
- Android mobile client;
- Windows desktop client;
- and the related infrastructure.
Computest carries out most testing manually with the support of a few automated tools. Any vulnerabilities flagged by these tools are always checked manually to avoid false positives. Naturally, as we use both static code analysis and automatic checks as part of our development process at Tresorit, we don’t expect these tools to identify many flaws. If a vulnerability is uncovered and confirmed, it is assigned a severity score according to the Common Vulnerability Scoring System (CVSS). CVSS is an industry-standard method of expressing the defining characteristics of a vulnerability as a numeric score.
The penetration test results are reassuring. Computest found only two vulnerabilities. One (CVSS 3.5) was related to a misconfigured security option on the subscription level. As the flaw was found in a defense-in-depth solution, it was not a direct security threat. The other vulnerability (CVSS 6.5) was uncovered in the Tresorit Windows client and allowed an attacker to cause memory issues in the app under very specific conditions. Such an attack could have had an impact on the confidentiality and availability of the client. You can read a more detailed summary of their report here.
What we do to fix uncovered vulnerabilities
Keeping our systems and the data stored in Tresorit secure is always our highest priority. We have an internal SLA in place for any security issue. Based on the issue’s severity, we commit to a target resolution and deployment time. Internally, we define severity based on impact, probability, and ease of exploitation. You can learn more about our Incident management, business continuity, and disaster recovery practices on the Tresorit Knowledge Base.
Naturally, we also ask everyone who uses Tresorit to keep their eyes open and report anything suspicious to our team at security[at]Tresorit.com. You can also write to the same address with any questions connected to the security of our tools.