2023 Pentest results & our approach to codebase integrity

At Tresorit we’ve built every solution with your safety in mind. But we understand the importance of ongoing verification. That’s why regular penetration testing is part of our strategy. It validates our system’s security claims and helps uncover any overlooked vulnerabilities. Join us in embracing transparent security as we celebrate the findings from our recent testing efforts: no vulnerabilities found.

For us at Tresorit, vulnerability management is important for several reasons. For one, we are a security-focused company and work to help others stay in control of their most sensitive data and files. As a result, many companies and individuals chose to store some of their most valuable or confidential data in our end-to-end encrypted cloud. This means we must constantly adapt to new threats and counteract any new attack vectors in the cybersecurity space.

Furthermore, Tresorit is at its core a software company. We understand that every change we make to our code has the potential to create a vulnerability, so we act accordingly. We follow many secure programming principles and security best-practices to ensure our code remains safe through every update. However, despite all our efforts, it’s best to have a fresh set of eyes check our systems to help us keep all vital information safe. We wrote about our Guarantees for protecting your data in the summer of 2021, when we also promised to share the results of our latest security audit.

2023 Penetration Testing by CCLab

CCLab recently conducted penetration testing of our apps. This review focused on several Tresorit components that enable our secure digital workspace, including security assessments of Tresorit's:

  • cryptography and key management implementations,
  • secure network communications,
  • cryptographic components of the Windows application,
  • and related components.

CCLab used a test methodology based on Common Criteria, in which all potential vulnerabilities were identified based on the Tresorit Core Interface v5.0 documents, publicly available information and the evaluators’ expertise. If a vulnerability is uncovered and confirmed, it is assigned a severity score according to the Common Vulnerability Scoring System (CVSS). The CVSS is an industry-standard method of capturing the defining characteristics of a vulnerability numerically.

The penetration test results are quite reassuring. Not a single vulnerability was found! This confirms once again that we are right on target with our zero-knowledge approach and its implementation. You can read a more detailed summary of their report here.

Our codebase-integrity approach

In general we take a three-pronged approach to ensuring the integrity of our codebase:

1. Continuous internal security tests
Our internal security practices are part of our ongoing efforts to ensure all data in Tresorit is safe. Catching flaws in the development phase is a central part of our main development process. However, when a safety-critical element of our code is affected, an extra review is conducted by our dedicated team of security experts. On top of this, we periodically check our apps with the same methods used by third parties. In these cases, we have the advantage of a deep knowledge of how our solutions work and their development, and can surgically test possible attack vectors that could slip through any gaps.

2. External third-party tests
Beyond helping us spot any vulnerabilities we’ve missed, third-party tests also validate our claims regarding the security and privacy of our cloud collaboration tools. Tresorit conducts such tests with trusted partners regularly. For example, we’ve previously worked with Ernst & Young and Computest. In 2021 we asked Computest to complete penetration testing on our apps.

3. Customer security tests
Enterprises that handle vast amounts of sensitive or confidential data will have unique security requirements — especially if they work in highly regulated industries such as healthcare or law, or simply handle a lot of personal information. In many cases, these organizations will have the deepest possible understanding of their security needs and conduct additional security testing on their own accord. At Tresorit, we view these efforts as an opportunity to grow and improve our compliance tools.

What we do to fix uncovered vulnerabilities

Keeping our systems and the data stored in Tresorit secure is always our highest priority. We have an internal SLA in place for any security issue. Based on the issue’s severity, we commit to a target resolution and deployment time. Internally, we define severity based on impact, probability, and ease of exploitation. You can learn more about our Incident management, business continuity, and disaster recovery practices on the Tresorit Knowledge Base.

Naturally, we also ask everyone who uses Tresorit to keep their eyes open and report anything suspicious to our team at security[at]tresorit.com. You can also write to the same address with any questions connected to the security of our tools.