To assure both ourselves and our customers that the Thinkwise Platform is secure, our cybersecurity partners regularly perform pentests. We are happy to share that the pentest performed in Q4 2024 resulted in 0 High/Medium identified risks (as classified by the OWASP Risk Rating methodology). 1 Low risk was identified, concerning changes to the Password policy, for which we provide some guidance below. If you would like to receive a Third Party Memo of the pentest report (it’s in Dutch), please contact your Account Manager.
Use latest Releases
We strongly recommend you keep your Thinkwise Platform up to date with the latest Releases of our products, as these are the most secure versions available. Also make sure to install all available Platform improvements (hotfixes) on a regular basis.
Password policy
By default, the Minimal password strength is set to the recommended 5/5 for Users with authentication type IAM. If this is not the case in your environment, we recommend you change it accordingly. Related to changing the Password policy as set in IAM > Settings > Global settings, the pentest did come up with 1 Low risk finding: increasing the Minimal password strength does not automatically force users to change their existing password, so an existing password may no longer comply with the new setting while remaining in use.
To ensure your users use a compliant password, we recommend you set the Expiration policy in IAM > Authorization > Users to Force expired. This ensures the User needs to change the password on the next login and mitigates the finding from the pentest. Tip: use Multi-select > Mass update to update the settings of all your Users at once (make sure Allow change is checked too).
Single Sign-On and Multi-Factor Authentication (MFA)
Single Sign-On (SSO) with an OpenID provider and Multi-Factor Authentication (MFA) are two of the best security measures you can take. SSO allows both a more secure and a more user-friendly means of authentication. And, as revealed in a study by Microsoft, implementing MFA results in an additional 99% risk reduction on unauthorized access. In case you use SSO with an OpenID provider, please make sure to use one of their MFA options too.
For Users with the IAM authentication type, use one of our own Two-factor authentication options. Of the available options, Password and TOTP token is the most secure.
Security Headers
Multiple pentests at customer environments have identified missing Security Header configurations. I would like to stress that these are an important security measure as well, as explained in this earlier blog post:
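As an added illustration of what such a finding looks like in practice (example code written for this post, not Thinkwise code or configuration), the following Python audit checks a captured set of HTTP response headers against a baseline of commonly recommended security headers. The baseline and the two sample responses are assumptions constructed for the example; align the list with the headers the referenced blog post prescribes for your environment.

```python
"""Audit an HTTP response's security headers (added example, not Thinkwise code).

The header baseline below is a commonly recommended set (an assumption of this
example, not a Thinkwise requirement); tune it to what your platform prescribes.
"""
import re


def _hsts_ok(value):
    # HSTS should carry a max-age of at least one year (31536000 seconds).
    m = re.search(r"max-age=(\d+)", value, re.I)
    return bool(m) and int(m.group(1)) >= 31536000


def _nosniff_ok(value):
    return value.strip().lower() == "nosniff"


def _present(value):
    return bool(value.strip())


# Expected headers: lower-case name -> (value check, hint for the report).
BASELINE = {
    "strict-transport-security": (_hsts_ok, "max-age of at least one year"),
    "content-security-policy": (_present, "a CSP restricting script sources"),
    "x-content-type-options": (_nosniff_ok, "value 'nosniff'"),
    "x-frame-options": (_present, "DENY or SAMEORIGIN (or CSP frame-ancestors)"),
    "referrer-policy": (_present, "e.g. strict-origin-when-cross-origin"),
}

# Headers that disclose server technology and are better removed.
DISCLOSING = ("server", "x-powered-by", "x-aspnet-version")


def audit_security_headers(headers):
    """Return {'missing': [...], 'weak': [...], 'disclosing': [...]} for a header mapping.

    Header names are matched case-insensitively, as HTTP requires.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    report = {"missing": [], "weak": [], "disclosing": []}
    for name, (check, hint) in BASELINE.items():
        if name not in lower:
            report["missing"].append(f"{name} ({hint})")
        elif not check(lower[name]):
            report["weak"].append(f"{name}={lower[name]!r} (expected {hint})")
    # A CSP frame-ancestors directive is the modern replacement for X-Frame-Options,
    # so do not report X-Frame-Options as missing when it is present.
    csp = lower.get("content-security-policy", "")
    if "frame-ancestors" in csp.lower():
        report["missing"] = [m for m in report["missing"]
                             if not m.startswith("x-frame-options")]
    for name in DISCLOSING:
        if name in lower:
            report["disclosing"].append(f"{name}={lower[name]!r}")
    return report


# Constructed sample responses (not captured from any real environment).
SAMPLE_BEFORE = {
    "Content-Type": "text/html; charset=utf-8",
    "Server": "Microsoft-IIS/10.0",
    "Strict-Transport-Security": "max-age=3600",
}
SAMPLE_AFTER = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, audit_security_headers(sample))
```

Running the script reports, for the "before" sample, four missing headers, a too-short HSTS max-age and a disclosing Server header; the hardened "after" sample produces an empty report. The same function can be pointed at headers captured with your browser's developer tools or a reverse proxy log to verify a fix after deployment.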
Stay secure!