
Safety first at Incontrol

  • 28 May, 2024
  • Maarten Kruit

At Incontrol, we prioritize data security! As part of the PDCA cycle of our ISO27001 certification and as a best practice to safeguard Incontrol's security, we commissioned nSEC/Resilience (an external party) to conduct a penetration test on Incontrol.

The results

During the penetration test, no critical or high-severity findings were identified. The testers were unable to obtain sensitive data or take over the server via the application. This is a very positive outcome that we are proud of.

Medium-severity vulnerabilities

The penetration test resulted in a few medium-severity vulnerabilities (a total of 3). The most relevant findings involved input validation-related vulnerabilities. These included triggering an SSRF payload and the possibility of HTML injection in some input fields. Another finding was the presence of JavaScript sourcemaps.

While these three vulnerabilities are not considered critical, they still pose a risk to the application's security and integrity. It was essential to address these issues to prevent potential exploitation by attackers. In our latest release, these three vulnerabilities have been promptly resolved.

Low-severity vulnerabilities

All other findings were of low severity (7 in total). There is no immediate need to resolve these low-severity findings, but implementing solutions for them will further enhance Incontrol's security. We aim to establish a baseline that instills even greater confidence, so we are planning to address and mitigate these low-severity findings as well.

We are confident in the security of our platform and remain committed to continuously improving our security measures.

For more information on how we protect your data and our information security measures, please visit our information security page.

Frequently asked questions

An SSRF payload is specially crafted input supplied by an attacker to exploit a Server-Side Request Forgery vulnerability: the input tricks the server into sending requests on the attacker's behalf to unintended destinations, such as internal services that are not reachable from the internet.

HTML injection is a security vulnerability in which attacker-supplied input is written into a web page as raw HTML, so that the injected markup is rendered (and, where it contains script, executed) in other users' browsers.


JavaScript sourcemaps are files that link transformed JavaScript code (such as minified or transpiled code) to the original source code, making debugging and troubleshooting easier.
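The two input-validation findings described above are most commonly addressed in the same way: never let user input decide where the server sends requests, and never let user input be written into a page as raw HTML. The following is an added example written for this post, not Incontrol's code or part of the penetration-test report. It assumes a generic web backend that fetches a URL supplied by a user (the SSRF case) and echoes a user-supplied field back into a page (the HTML-injection case). The host names in the stub resolver are constructed for illustration only.

```python
import html
import ipaddress
import socket
from typing import Callable, Iterable, List, Union
from urllib.parse import urlsplit

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Resolver = Callable[[str], Iterable[str]]


def _default_resolver(host: str) -> List[str]:
    """Resolve a host name to every address it maps to (A and AAAA records)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_safe_outbound_url(url: str, resolver: Resolver = _default_resolver) -> bool:
    """Return True only if the server may fetch this user-supplied URL.

    Mitigation for SSRF: accept only http/https, refuse embedded credentials,
    resolve the host and reject any address that points at loopback, private,
    link-local (e.g. cloud metadata endpoints), multicast or reserved ranges.
    Checking the resolved addresses rather than the host string also covers
    odd spellings such as decimal or hexadecimal IP literals.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    if parts.username or parts.password:
        return False
    host = parts.hostname  # brackets around IPv6 literals are already stripped
    if not host:
        return False

    addresses: List[IPAddress]
    try:
        addresses = [ipaddress.ip_address(host)]  # host is a bare IP literal
    except ValueError:
        try:
            addresses = [ipaddress.ip_address(a) for a in resolver(host)]
        except (socket.gaierror, ValueError):
            return False  # unresolvable or malformed answers: fail closed
    if not addresses:
        return False

    for addr in addresses:
        # Treat IPv4-mapped IPv6 (::ffff:127.0.0.1) as the IPv4 address it wraps.
        if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
            addr = addr.ipv4_mapped
        if (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified):
            return False
    return True


def escape_for_html(user_text: str) -> str:
    """Mitigation for HTML injection: encode the five HTML metacharacters so
    user input is displayed as text instead of being parsed as markup."""
    return html.escape(user_text, quote=True)


def render_profile_field(label: str, user_value: str) -> str:
    """Build a fragment where only the trusted label is emitted as markup."""
    return f"<dt>{label}</dt><dd>{escape_for_html(user_value)}</dd>"


if __name__ == "__main__":
    # Constructed addresses for demonstration; the public one is a global
    # unicast address, not an RFC 5737 documentation range (those are treated
    # as non-global by the ipaddress module).
    stub_table = {
        "public.example.test": ["93.184.216.34"],
        "intranet.example.test": ["10.0.0.5"],
        "metadata.example.test": ["169.254.169.254"],
    }
    stub = lambda h: stub_table.get(h, [])
    for candidate in ("https://public.example.test/api",
                      "http://intranet.example.test/",
                      "http://127.0.0.1:8080/admin",
                      "http://[::ffff:127.0.0.1]/"):
        print(candidate, "->", is_safe_outbound_url(candidate, stub))
    print(render_profile_field("Name", '<script>alert("x")</script>'))
```

Two caveats a practitioner should keep in mind: the address check is only meaningful if the HTTP client then connects to the address that was validated (otherwise a DNS answer can change between check and use), so in production pin the resolved address or perform the check inside the client's connection hook; and output encoding must match the context the value lands in (HTML body, attribute, URL, JavaScript), of which the example covers only the HTML-body case.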
