Cyber-attacks are a threat to all companies and sectors. In light of the growing importance of this issue, we are now being regularly audited by external specialists. Today, we would like to tell you about the last series of security audits conducted by Orange Cyberdéfense.
Orange Cyberdéfense: Three audits between March and August 2022
Our platforms have been thoroughly analyzed by the teams from Orange Cyberdéfense. In fact, we’ve had three audits in the past six months.
March 2022: Audit #1
In March 2022, the first audit was conducted to test the strength of the authentication system, vertical partitioning, and anti-XSS filtering measures.* In other words, its purpose was to answer these three questions:
● Can a user who doesn’t have an account sign in?
● Can a user who has an account obtain or expand admin access?
● Can a user who has an account trick other users through phishing techniques?
This first audit identified a flaw in the anti-XSS filter, which was then repaired in less than 24 hours. In addition to this issue, which was purely technical in nature, our teams realized that the admin role for various projects was too widely dispersed and that there was not enough oversight or maintenance. In coordination with the different project leaders, steps were taken to clean up admin-access rights and prevent future issues.
The audit also shed light on the many actions that had been implemented since the start of the process: “The tests showed that security best practices were applied within the scope examined by the audit.” (Excerpt from the Orange Cyberdéfense audit report.)
April 2022: Audit #2
The second audit began in April 2022. This time, the goal was to test the platform’s anti-SQL-injection protections.* A flaw was identified in one of the 50 applications (the Assistance app). This problem was corrected within 24 hours of being detected.
At the same time, a 360-degree test revealed a number of positive security findings:
● Low service exposure: The server only exposes the services it needs to operate, thereby reducing the attack surface.
● Encrypted communications: Communications between the client and server are encrypted using a robust protocol that protects the integrity and confidentiality of the data exchanged.
● Vertical partitioning: Because no vertical partitioning problems were identified, users cannot expand their access rights beyond those granted to them.
● Session cookies: The main session cookies, which are used to grant privileges to authenticated users, are configured according to security best practices.
August 2022: Audit #3
In the summer of 2022, Orange Cyberdéfense carried out its third audit aimed at assessing the technical security measures protecting our platforms. This time, it was our source code that was in the hot seat. Three minor SQL injection flaws were identified, as well as a few weaknesses in the access-rights checking process used in some non-critical applications. These flaws were repaired within 72 hours.
This last audit also resulted in the approval of a number of technical choices that helped make the platform highly secure:
● The use of robust frameworks
● Effective authentication mechanisms
● A small attack surface exposed to users without accounts
Open Digital Education: Nine audits since its founding
Since 2014, our platforms have undergone nine security audits; Orange Cyberdéfense is not the first agency to examine our VLE with a fine-tooth comb. Each of these audits resulted in recommendations, and we made it a point of pride to implement them as soon as possible. Cyber-attacks are now a part of everyday life for digital companies; in fact, Orange Cyberdéfense itself experienced a data breach last September. To anticipate these risks and react quickly and effectively, we have employed an expert, the Personal Data Protection Auditor. In light of these growing risks, these measures help provide our users with a constant and high level of protection.