Request demo
What is SmartWinnr

What is SmartWinnr

Features

Sales Contest Sales Incentives Sales Coaching Two way AI Role Plays Targeted Learning Gamification

Why SmartWinnr?

Enterprise Ready Customer Success

Services

Implementation Consulting
Solutions

Solutions

Business Functions

Sales Call Center Marketing

Use Cases

Improve Sales Productivity New Hire Onboarding New Product Launch Channel Partner Training Sales Events
Industries

Industries

Industries

Technology Insurance Pharma Medical Devices Senior Living Banking
Resources

Resources

Resources

Case Studies Customer Stories SmartWinnr Help Contest Template Designer Tool

Blogs

Sales Contests Sales Training Gamification All Blogs

Most Popular

Top 20 Sales Contest Names 25 Creative Sales Team Names 23 Sales incentive ideas to keep your sales team motivated Sales Contest Communication Template
Blogs

Table of Contents

Ongoing security assurance

Measuring the right things

Our Approach to Security Testing

Our security testing approach is built around the concept of 'continuous assurance' – that complements a point-in-time penetration test approach.

Bugs are an unavoidable part of the development process - the question is not whether we have bugs, the question is how effectively and quickly we find them and address them. This doesn’t mean we like bugs or aren’t constantly innovating ways to reduce their frequency and severity, but when it comes to software bugs, denial is not an effective approach.

We aim to increase the cost of finding and exploiting vulnerabilities in our products and services - through rapidly identifying and resolving issues we aim to increase the economic cost of finding security bugs. By increasing the cost of exploiting a vulnerability – by making it take longer, require more knowledge and more resources from the bad guys – we reduce their return on investment. If we can reduce it far enough, it becomes prohibitive or not attractive to them.

We support and use industry standards - standardisation in our terminology and approach helps us ensure we’re covering everything, and helps customers understand how to understand what we do. For example, common ratings of vulnerabilities using the Common Vulnerability Scoring System (CVSS) ensures clarity for severity of a particular vulnerability between us and our customers.


Ongoing security assurance

Penetration testing

We do use specialist security consulting firms to complete penetration tests on high risk products and infrastructure on a regular basis.

Testing will focus on a particular threat scenario, such as assuming a compromised instance exists, and testing lateral movement from that starting point.

Vulnerabilities we seek to be identified include common types captured in the Open Web Application Security Project (OWASP) and Web Application Security Consortium (WASC) threat lists. They include:

  • Cross Instance Data Leakage/Access
  • Remote Code Execution (RCE)
  • Server-Side Request Forgery (SSRF)
  • Cross-site Scripting (XSS)
  • Cross-site Request Forgery (CSRF)
  • SQL Injection (SQLi)
  • XML External Entity Attacks (XXE)
  • Access Control Vulnerabilities (Insecure Direct Object Reference issues, etc)
  • Path/Directory Traversal Issues

Vulnerability reporting

When a vulnerability is identified by one of our users during the course of their standard use of the product (as opposed to being identified through a specific attempt to test the system, which we require to occur via our bug bounty program), we welcome notification via our Support Team. We respond promptly to any vulnerabilities submitted and will keep inquiring parties up to date as we investigate and respond to the issue.

Before disclosing an issue publicly we ask that researchers first request permission from us. SmartWinnr will process requests for public disclosure on a per report basis. Public disclosure requests will only be considered once the reported vulnerability is fixed.


Measuring the right things

When categorizing bugs, we use the Common Vulnerability Scoring System (CVSS version 3), which helps communicate the severity of vulnerabilities to our customers. We attempt to meet the following timeframes for fixing security issues:

  • Critical severity bugs (CVSS v2 score >= 8, CVSS v3 score >= 9) should be fixed in product within 4 weeks of being reported.
  • High severity bugs (CVSS v2 score >= 6, CVSS v3 score >= 7) should be fixed in product within 6 weeks of being reported.
  • Medium severity bugs (CVSS v2 score >= 3, CVSS v3 score >= 4) should be fixed in product within 8 weeks of being reported.

These timeframes are re-evaluated on an annual basis and adjusted as needed based on the changing threat environment.