Security testing

No cloud solution is without risk, so it is essential that customers have an accurate assurance of the level of risk associated with the solution they plan to implement. To provide this, we have had the Sensei Hub products security tested by a CREST-certified third-party auditor, CyberCX. Full reports and mitigation registers are available on request after a signed NDA.

September 2023

CyberCX was once again engaged in 2023 to review the SSRS Report Viewer, Sensei Hub and associated Azure cloud architecture.

Consistent with past reviews, no major or moderate security issues were identified. Several low risk and informational findings were detailed in the report, which we will work to address in the near future to align these products with current best practices.

Image shows a letter of attestation from CyberCX regarding the 2023 security review

November 2021

While last year's review highlighted no major concerns requiring immediate attention, it identified many opportunities for improvement. A significant effort has been made across the year to address as many of these recommendations as was practical. The resulting report, detailed below, validates this effort and demonstrates a positive trend in our security posture.

Applicable standards

Consistent with last year's review, our product and service architecture was reviewed against the STRIDE-LM threat model. This ensures a strong overlap with last year's testing effort, which helps to validate the success of our work to address last year's recommendations.

Executive summary

Image shows the 2021 executive summary

Summary of findings

Image shows the 2021 findings

Summary of recommendations

Image shows the 2021 recommendations

November 2020

Sense of Security has this year joined the CyberCX group of companies, which has necessitated a number of changes to our security testing engagement, including the format of the resulting report.

Applicable standards

The most important change is the set of applicable standards by which our solutions are assessed. Whereas Sense of Security previously used an in-house methodology based on standards such as ISO 27001 and ISO 31000, this year's security review was assessed against the following standards.

"The Azure network architecture was assessed against Microsoft's STRIDE model. Lockheed Martin augmented the model by adding an additional attack type, Lateral Movement. Intrusion Detection, Vulnerability and Patch Management are additional supporting controls, which span most of the STRIDE-LM threat categories. The web applications were assessed against the Open Web Application Security Project (OWASP) top 10 standard. This provides a baseline for web application security in protecting both data and information assets."

Risk ratings

Image shows risk ratings

Executive summary

The assessment indicates that the Sensei Hub and Documentation web applications, as well as the Azure environment, have been designed, deployed, and configured alongside threat models and secure development standards. The documentation provided shows a strong commitment to security best practice. Several opportunities for improvement and additional hardening were identified, and if implemented, would strengthen the overall security posture of the web applications and Azure environment.

No critical or new vulnerabilities have been found.

Recommendations have been made for improvements that would further reduce our risk profile and more closely align us with current industry best practice. Action will be taken on these recommendations in the next reporting period.

Hub.Sensei.Cloud penetration testing

Image shows the breakdown of the hub penetration test

Docs.Sensei.Cloud penetration testing

Image shows the breakdown of the docs penetration test

Azure architecture review

Action has been taken to address last year's recommendations; however, changes to industry best practice and a change of threat model have resulted in our Azure architecture receiving a risk score of moderate.

Note that the increase in threat rating since the last review is attributable to identified opportunities for closer alignment with best practice and to a different set of standards, not to an increase in vulnerability.

Image shows the breakdown of the Azure architecture review

In the interest of transparency, the following descriptions are a summary of the risk items contributing to the moderate risk score:

  • Consider implementing a non-rewritable and non-erasable backup solution, whether it be an offline backup or Azure Archive Blob.
  • Develop and document policies that address the following areas:
    • role-based access controls
    • encryption
    • separation of duties

These recommendations do not indicate that equivalent controls are absent today, only a deviation from current best practice.

November 2019

Sense of Security was engaged to test the Sensei Hub product externally via penetration testing and to review the architecture internally.

Sensei has demonstrated progress in reducing our risk profile over time through the mitigation of previously highlighted issues.

Web application penetration testing

On a positive note, it was identified that SPS has implemented sound input validation, and high-risk vulnerabilities such as cross-site scripting or SQL injection were not identified during testing. Moreover, the web application servers are only available through the HTTPS protocol. This has reduced the attack surface and the risk.

Image shows the overall risk rating for the 2019 web application penetration testing

Azure architecture review

On a positive note, it was identified that Azure defence-in-depth services have been enabled in the SPS environment, such as Azure SQL threat detection, the Azure activity log and encryption at rest (storage and SQL services). By implementing Azure security best-practice services, SPS is better equipped to detect, respond to and prevent threats to the integrity of the SPS Azure infrastructure.

Image shows the overall risk rating for the 2019 Azure architecture review

November 2018

Web application penetration testing

It was identified that SPS has taken great care in designing the Sensei Hub application, with security being one of the main considerations throughout this process. SOS did not find any critical or high-risk items such as SQL injection or cross-site scripting. Furthermore, access control issues such as forceful browsing and parameter tampering, which are typically found in new applications, are not present. It is evident that SPS has leveraged its framework extensively in the design of the Sensei Hub application. Remediating the items addressed in this report will only further increase the overall security of the Sensei Hub application and improve SPS's security posture.

Overall Risk Rating (Weighted Risk Average):

Image shows the overall 2018 risk rating for web application penetration testing

Azure architecture review

It was identified that SPS has implemented a robust and overall secure architecture for the Azure Environment that largely adheres to best practices.

Overall Risk Rating (Weighted Risk Average):

Image shows the overall 2018 risk rating for Azure architecture review