
Hell hath no fury like Cyber-Security scorned.





🔴

The application that I'm building, https://mobeez.com, was recently reviewed by my new client's CyberSec team.


They gave me a "Could be Improved" grade.


Not a pass. Not a failure.

A kind of purgatory that hopefully makes me become a better me.


By sharing this story, I hope you can avoid a similar holding-pattern for any new app that you're wanting to integrate into Microsoft D365 F&O.


Read this for context.

The quick background is that whenever I meet a potential new client, one of the first things we do is to complete a CyberSec review.


Every CyberSec expert wants to find your hidden vulnerability (or ten).

  • It's their job.

  • Like oxygen, they breathe in: Eager new app requests.

  • And breathe out: Potential failures from Potential vulnerabilities.


There's no cure for this malady.

If you want safe apps in your Enterprise, make sure you sync with the CyberSec team. And importantly, understand Security by Design.

  • Expect Attacks.

  • Avoid security through obscurity.

  • Fewest privileges.

And if you're building your own app, consider the OWASP vulnerabilities and the SAMM framework.


🟡

So, here's the official stuff that I passed.


  • Do you have a documented access control policy? Yes

  • How often is your access control policy reviewed? Quarterly

  • How often are entitlements evaluated? Quarterly

  • How are access rights adjusted, revoked, or terminated? Automated access control

  • How often is your backup policy reviewed? Half-yearly

  • How long are system backups retained? 6 years

  • How often are system backups performed? Nightly

  • Are your backups encrypted? Yes

  • Is automated validation performed on code before production deployment? Yes

  • Does your policy outline a security development practice? Yes

  • Is code tested in a pre-production environment before production deployment? Yes

  • Are customers notified of significant changes to the product? Yes

  • How often do you review your encryption policy? Annually

  • What method do you use to encrypt data in transit? Https

  • Is data encrypted at rest? Yes by Microsoft Azure SQL

  • How are encryption keys managed? Microsoft Azure Key Vault

  • Do you require complex passwords? Yes

  • Are passwords required to be rotated periodically? Every 2 months

  • Is multi-factor authentication (MFA, 2FA) required to be used when available? Yes

  • Does the password policy require keeping passwords confidential? Yes

  • How often is your information security policy updated? Annually

  • Are background checks performed? Yes

  • Is annual security awareness training conducted for employees? Yes

  • Is role-specific security training performed? Yes

  • Do you have a documented incident response policy? Yes

  • Where can your incident response policy be found? Yes

  • How often is the policy reviewed? Annually

  • Does the incident response policy contain a data classification matrix? Yes

  • Do you have a documented privacy policy? Yes

  • Do you collect Personal Health Information (PHI)? No

  • Do you have a documented terms of service policy? Yes

  • How often do you review your terms of service policy? Annually



🟢

After successfully completing the questionnaire, I thought "in like Flynn!"


But then, during the actual demo, the CyberSec overlords found a few things that I could improve. Here's one of them.


The URL to access a Mobeez Business Process Dashboard for D365FO is too simple.


Though it has built-in Mobeez security that validates:

  • Browser IP address is from the client's approved IP address list.

  • URL is valid.

  • User is authenticated with Microsoft domain access.

  • User login ID belongs to the right company.

  • User is authorised to access this specific dashboard/URL.


...CyberSec's perception is that the URLs should be obfuscated to discourage guessing of other dashboard URLs, which could then be probed for vulnerabilities.


I agree.

I should have done this from the start.


So now I've upgraded all Mobeez URLs to use version 4 GUIDs.

It's the current industry standard and a great step forward.


The new URL looks like this:


It's a lot harder to guess another URL, right?


There are about 75,000,000,000,000,000,000 grains of sand on earth, compared to the number of GUIDs available: 340,282,366,920,938,463,463,374,607,431,770,000,000
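As an added illustration (my own example code, not Mobeez's), here is how the five validation checks listed above and the version 4 GUID dashboard identifiers fit together in one request handler. The tenant, user, IP range and dashboard id are constructed sample values, and the order of the checks is my choice.

```python
import ipaddress
import uuid
from typing import Optional, Tuple

GOOD_DASHBOARD = uuid.UUID("3f8e9a5c-2d4b-4c7e-8a1f-6b2d9e0c4a71")  # constructed v4 id

# Constructed sample configuration for one tenant (not Mobeez's real data).
APPROVED_IPS = {"contoso": [ipaddress.ip_network("203.0.113.0/24")]}
DASHBOARD_COMPANY = {GOOD_DASHBOARD: "contoso"}          # which company owns each dashboard
USER_COMPANY = {"alice@contoso.example": "contoso",      # company resolved from the Microsoft login
                "carol@contoso.example": "contoso",
                "bob@fabrikam.example": "fabrikam"}
ENTITLEMENTS = {"alice@contoso.example": {GOOD_DASHBOARD}}  # per-user dashboard authorisation


def new_dashboard_id() -> uuid.UUID:
    """Mint an id for a new dashboard URL. uuid4() draws its 122 random bits
    from os.urandom, so one id reveals nothing about the next."""
    return uuid.uuid4()


def parse_dashboard_id(token: str) -> Optional[uuid.UUID]:
    """Accept only a well-formed version 4 GUID; anything else is rejected
    before any database lookup happens."""
    try:
        value = uuid.UUID(token)
    except ValueError:
        return None
    return value if value.version == 4 else None


def authorise(client_ip: str, user: Optional[str], token: str) -> Tuple[bool, str]:
    """Apply the checks from the post; returns (allowed, reason).
    Serve every False result with the same 404 so a probing client cannot
    tell an unknown GUID from a forbidden one."""
    dashboard = parse_dashboard_id(token)
    if dashboard is None or dashboard not in DASHBOARD_COMPANY:
        return False, "invalid url"
    company = DASHBOARD_COMPANY[dashboard]
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return False, "ip not approved"
    if not any(ip in net for net in APPROVED_IPS.get(company, [])):
        return False, "ip not approved"
    if user is None or user not in USER_COMPANY:
        return False, "not authenticated"
    if USER_COMPANY[user] != company:
        return False, "wrong company"
    if dashboard not in ENTITLEMENTS.get(user, set()):
        return False, "not authorised"
    return True, "ok"
```

The reason string is for the server-side audit log only; the client should see one uniform response for every denial.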


The good news is that my CyberSec approval was granted.

And we're now working on a Pilot project.



If you're having issues integrating D365 F&O with other applications and need help to jump-start your project, DM me.


Creswell Casey






Important Reminder
Copyright 2022 Mobeez Pty Ltd. All rights reserved. All information from Mobeez, is provided "as-is." The information and views expressed in this document, including URL and other Internet Web site references, are current as of the publication or revision date and may change without notice. You bear the risk of using it.


All Mobeez information is provided for informational purposes only and cannot be incorporated within, or attached to, any type of an agreement. This document is not intended to be a service contract, and does not commit Mobeez, its partners, or the customer to any features, capabilities or responsibilities mentioned herein. As used in this document, references to “partner” refer solely to marketing relationships and do not refer to or imply a partnership or any other legal relationship.


The furnishing of this information does not provide you with any legal rights to any intellectual property in any Mobeez product or service. You may copy and use this document for your internal, reference purposes only.

© 2023 by MOBEEZ Pty Ltd  ABN: 27 609 847 305
