As well as running a bug bounty program with Intigriti, we also partnered up with Visma in a virtual live hacking event, 1337UP1121 in November 2021. Over the course of the event, 251 valid vulnerabilities were found including two exceptional ones and two critical ones.
After the success of 1337UP1121, Visma is teaming up with Intigriti for a second live hacking event – 1337UP1122! Kicking off on the 17th November 2022.
Visma is a leader in cloud software solutions in Europe and Latin America, with around one million public and private sector customers. In a state of rapid growth, Visma has over 6,000 developers delivering releases on agile timeframes. Taking a proactive security approach has been central to their security strategy.
Live hacking events offer the chance to perform highly intensive and rigorous checks using a selection of expert hackers. By creating a competitive environment, you can accelerate vulnerability discovery. With this in mind, Visma decided to put their most, in security terms, ‘mature’ assets to the test which in other words mean their most difficult targets.
Maintaining robust security does, however, require continuous attention. Particularly with Visma’s ever expanding and changing portfolio. One of Visma’s key brands is e-conomic, an accounting platform providing financial services to 170,000 Danish companies.
Building off the back of their success in the last live hacking event, Visma decided to put e-conomic at the center of focus for their next event, this time doing it physically, as opposed to a virtual one. The live hacking board for this event can be found here.
We sat down with Ioana, the ‘mother of hackers’, from Visma and Lars Engbork, CEO of e-conomic, to learn a little more about why they’re continuing to run live hacking events and the importance of promoting them across the brands with Visma.
Intigriti: Hi Ioana! It’s been about a year now since our live hacking event with you. How has the Visma security team been getting on after the event’s findings?
Ioana: Hi and thanks for another opportunity to have another live hacking event together.
Last year it was a really successful event with many valuable findings for the teams and products that were part of it. We’ve been doing well – fixed everything that was found and became more secure and confident. We also continued to add new targets in our Bug Bounty scope and launched our Responsible Disclosure program on Intigriti this year. We’ve seen a lot of activity on this program and valuable findings as well.
Intigriti: Why do you think it’s important that Visma continues with live hacking events?
Ioana: Live hacking events are very special and valuable because we always have the chance to invite our best hackers, so the quality of their reports is extremely good. It is important for us to be able to secure our most important assets very fast, and we have seen that live hacking events are very efficient in this sense. I would add that meeting the hackers in person, social events, and having fun together creates an even more special relation with them and strengthens their engagement and our collaboration.
Intigriti: In this event you’ll put your brand, e-conomic, as your focus. Why are you looking to promote hacking events across specific brands within Visma rather than just Visma itself?
Ioana: Visma is a conglomerate composed of many other diverse companies, each and every one is independent and acts on its own. We build and deliver software, and we buy companies that do the same in both the private and public sector and we do this continuously. Security has always been very important for us as a brand and that’s why we built a global security team that helps and assists all these companies to onboard different security services, become more confident and secure, and maintain this standard for Visma as a brand. This is all included in a program that we have developed called Visma Security Program (VSP). We want to give our teams complete independence and trust, but at the same time, assist, and guide them as security experts through different services that we offer in VSP. This has proved to be very efficient.
With 1337UP1122 focusing on e-conomic’s security, we dove a little deeper into what this event will mean to this key brand of Visma. Here from e-conomic is Lars Engbork, CEO of Visma e-conomic.
Intigriti: Why is it that you’ve opted for a physical event rather than virtual this time around? Do you think the physical nature provides some advantages?
Lars: We have opted for a physical event this time, as we have an amazing office right in Copenhagen that we would like to invite the hackers to. Given our journey with security, we look forward to the chance to meet the hackers in real life – both get to know them, but at the same time also show them a bit of who we are and our culture. We also see advantages in being able to collaborate with the hackers in a high bandwidth mode that should hopefully result in more tailored and complex attacks that would be hard to discover in a purely virtual event.
The physical event will of course allow the hackers meet and get to know each other, but it also allows us in e-conomic to finally meet some of our colleagues in Visma who we normally only see online and gives us the perfect excuse to gather the e-conomic security champions from around our various locations to Copenhagen
Intigriti: As an accounting program, e-conomic must be sitting on plenty of sensitive financial data. How will this event bolster the protection of this data?
Lars: The security of our customers’ data is and has always been our utmost priority. This is why we’ve advocated for stronger legislation across the entire industry on this topic.
We look forward to all the findings the hackers will discover , that we until now, haven’t been able to surface ourselves. This event will also help development teams increase their ability to write secure code by becoming more aware of the various techniques to attack an application.
The Live Hack event also models attacks much more realistically, as it’s humans on the other side rather than our security testing automation. This means that the vulnerabilities found are realistic, rather than theoretically based attacks identified through security testing automation.
Intigriti: What are some of the key outcomes for e-conomic that you’re hoping to achieve?
Lars: The Live Hack gives us an opportunity to find and fix vulnerabilities that are not easily found through security testing automation to find, but easier for humans and especially the expert hackers that have been invited for this event. By identifying more vulnerabilities, it is hoped that e-conomic will be better defended against external threats.
We also look forward to building relations with Intigriti and the hackers so when we enter the bug bounty program, we already have a network of hackers who know us well and are eager to continue finding bugs .
Lastly we look forward to having a better understanding of our security posture and being able to improve on it. Security is an ever-evolving field where we need to be vigilant at all times and constantly strive to improve, and this event is a big step for us to improve our security.
Intigriti: Going forward, how are you hoping this event will impact your overall security at e-conomic?
Lars: The immediate benefit is of course to fix and mitigate all of the issues found so both our customers and we can rest easier knowing that their data is secure.
In the long term, we hope to use this to continue the focus we have on improving our security, help educate our developers, and continue our ongoing internal awareness efforts with security.
Follow the live leaderboard here and stay tuned for more updates!