In 2009 Ibuildings performed a security audit at Yunoo. In 2008 Yunoo had already been labelled a promising Dutch Banking 2.0 initiative. Willem Spruijt and Martijn de Kuijper, both programmers and co-founders, explain how Yunoo came into existence.
High demands on safety
“Like many Web 2.0 applications, we started with a private beta version of the site. A small group of users got the teething troubles out of it this way. However, you clearly noticed that this group likes to participate in something new and is therefore a little less critical when it comes to security, for example,” says Willem. “We were very well aware of this.”
“Because the concept stands or falls with the confidence of the general public, safety was our biggest challenge before we went ‘live’,” Martijn explains. “After all, personal financial data forms the basis of the site, and it is very privacy-sensitive. The user must have absolute confidence that all the data he enters is safe and not accessible to third parties. We therefore do everything we can to secure the application optimally and to convince users of that. For example, we work with the same security protocols as banks.”
External security audit
Martijn: “What we have also done to further underpin our credibility in the outside world is a security audit by an external party.” Willem adds: “We weren’t just looking for a partner who could get the job done. We wanted more: a partner who is known as a specialist and who has the confidence of the market. We built our site in PHP and therefore soon ended up at Ibuildings. We found out that ‘if Ibuildings says it’s safe, then it’s right’, and that’s exactly what we were looking for.”
Reporting, presentation and workshop
The collaboration with Ibuildings went smoothly from start to finish. Willem: “Already in the first conversation we noticed that the account manager was technically well versed; that was very nice. When the audit was carried out, we really got the feeling that they were thinking along with us. First, the consultant visited us on location to take a look behind the scenes and talk to us as the programmers of the site. Then Ibuildings moved on to remote testing. They incorporated all findings and recommendations in a report, but that was not the end of it. A presentation and a very practical and interactive workshop followed.”
‘Hack it yourself’
“I especially liked the feedback,” Martijn agrees. “We went through the total list of actions and discussed the priority. The last part of the presentation was a workshop with the theme ‘Hack it yourself’. We literally plunged into the system together to see where it didn’t sit well all the time. In addition to a good technical check, Ibuildings also gave a lot of useful and practical tips. It’s great that they really thought along with us.”
New features, new audits
“A security audit is a must for all starting Web 2.0 applications,” says Willem. “Of course, this audit is a snapshot. We realize that it doesn’t stop here. We are expanding with new features, and these should also be included in the audit in the future. We are also thinking about other audits, such as an architecture audit or a performance audit. But before that, we want to be a bit more advanced and have a bit more body.”