Municipal engineering firm Ingenieursbureau Amsterdam (IB Amsterdam) recently started working with the Tygron Platform. Floris Harten, Consultant Climate Adaptation and Water at IB Amsterdam, explains: “The City of Amsterdam wants us to integrate the Tygron Platform more into our consulting services so that we can provide faster and more focused advice.” Read more about the project in this blog: https://www.tygron.com/blog/2023/03/01/engineering-office-amsterdam-working-on-heat-stress-simulations/
IB Amsterdam asked the City of Amsterdam’s ICT-procurement department to ‘purchase’ the Tygron Platform for internal usage. The ICT-procurement department and the City of Amsterdam’s information security officers subsequently conducted a thorough assessment of the Tygron Platform, including from a security perspective.
The department responsible for the City of Amsterdam’s information security says: “The City of Amsterdam has a responsibility to securely protect confidential information about citizens, entrepreneurs, visitors and also certain physical objects against technical failures, theft and loss. Amsterdam therefore imposes strict security requirements on ICT products and ICT suppliers. Suppliers must be able to prove that their information security is in order, and the products they supply must be tested periodically for possible security risks. Needless to say, the City of Amsterdam wants to have insight into these risks and, together with its suppliers, eliminate any risks.”
Ensuring the security of project-related and other types of client data has always been a very high priority for us at Tygron. We are continuously working on this in line with the very latest developments, including using state-of-the-art encryption, firewalls and hashes and performing extensive automated penetration and vulnerability testing. For more details, see: Platform security – Tygron Preview Support Wiki.
However, it soon became clear that the City of Amsterdam requires even more than that. One of the measures it took was to request an independent Pen&Hack test. At Tygron, we embraced the City of Amsterdam’s wants and needs. Onvio, a company specialized in performing penetration tests (https://www.onvio.nl/), was brought in and its ethical hackers set about attempting to penetrate the Tygron Platform’s security.
Over the past months, Onvio has assessed the Tygron Platform from the perspective of an anonymous visitor and a user with a valid but restricted-permission account. This included the use of automated tools and state-of-the-art security approaches such as OWASP and the Penetration Testing Execution Standard (PTES) (see www.pentest-standard.org). Besides the automated tests, far-reaching manual inspections were also performed.
The Pen&Hack test produced the following conclusions:
- There are no issues at server level;
- Everything is in order with respect to restricting users’ rights;
- During the assessment, Customer A was not able to access Customer B’s data;
- The current state of hardening is adequate;
- The current state of patching is adequate;
- At the Low risk level: users of the Tygron Platform can use the API to integrate their own applications, and there is room for a number of improvements to the Tygron Platform to increase security in this respect. Tygron will work on this in the coming months in consultation with users.
Importantly, Onvio did not succeed in penetrating the Tygron Platform’s security. The City of Amsterdam team commented: “As information security specialists, we are pleased that Tygron is shouldering its responsibility for information security, and we would like to see all ICT designers and suppliers do the same in order to ensure secure products and services.”
At Tygron, we expect more public-sector organisations to make higher information-related and ICT security-related demands in the future. Since we regard independent penetration testing as a valuable addition to our security policy, we will make more use of this option in the future.
Feel free to contact us if you are interested in receiving the summary of the Onvio report.