After months of hard work on the Visma Application Security Programme (VASP), we achieved a Platinum security status for the latest version of our credit management solution CreditManager in August 2023. This proves that our security meets Visma’s highest security standards. This is obviously an achievement we are incredibly proud of. We talked to our CTO, Tim Blok, about what exactly this security standard means, for both Onguard and our customers, how the process went and what the future plans are.
Security as a demand
When a company becomes part of the Visma family, it also joins the Visma Security Programme, which includes the VASP. With this programme, Visma enables its companies to make security, legal compliance, best practices and training part of their operations.
Tim says: “For our customers, it is of course hugely important that the software works properly. But in addition, for many of our customers it is perhaps even more important that security is in order. After all, they work with sensitive data, such as personal data, on a daily basis. To guarantee data security, we secure not only the software, but the entire infrastructure. With the VASP, we meet the high security requirements every day.”
VASP at a glance
The programme consists of a combination of training, expert guidance for the Development team and advanced security services for software, in this case for CreditManager. A company can achieve four different security levels: Bronze, Silver, Gold or Platinum. There are also certain guidelines for different types of applications.
For instance, cloud software, which handles personal data, must be Gold. Tim: “Based on our and the customer’s needs, threat levels and other business considerations, we chose to set Platinum as our target. This means that our Development team deals with the security of our software on a daily basis. For instance, we conduct periodic penetration tests, which test our security measures to see where there are potential weaknesses that a hacker could exploit. Through regular penetration tests, we identify potential risks that hackers could take advantage of. So we then deliberately try to bypass our own security to expose weaknesses. We also regularly ask third parties to perform these kinds of tests to avoid conflicts of interest. This can be done, for example, by members of Visma’s Red Teams. In the end, of course, we always address the leak to prevent real threats.”
To make working on security interesting for the entire team, the VASP is presented in a gamified, modern user interface. In it, all employees can see the results openly and live in the “Security Maturity Index”, where the target security level versus actual performance can be found in real time. Tim: “If you solve a threat well and quickly, you get fewer penalty points. To achieve Platinum, all known problems must be solved. To remain Platinum, you also have to act very quickly on new threats. So Platinum does not only say something about how good our security is. It is also about the time in which we solve security problems. For example, you have to resolve a vulnerability qualified as severe within nine days to be allowed to keep this status.”
Above industry security standards
Achieving Platinum proves that CreditManager’s security is up to scratch. This security standard sits above the industry standard. Tim: “It means that our security is down to the last detail and that we can quickly ward off threats. Many other software vendors are doing weekly or monthly check-ups, so they don’t do this on a daily basis. In some cases, they don’t even consider security at all. So this really gives us a big advantage over our competitors.”
The future of security
With the programme, security is fully integrated into our operations. Having secured the Platinum security standard does not mean that the team can sit back. Tim: “We now have to keep going and keep innovating, because we would obviously like to keep the Platinum status into the future. Developments in the field of security are moving at a fast pace; you have to be on top of that. That is why 2-5% of our capacity is structurally spent on security, so we can keep working on it continuously. We therefore constantly check whether this is sufficient to maintain Platinum and invest more time if this proves necessary.”
The programme has also allowed the team to automate many processes, making the whole development process a lot faster and safer. Tim explains: “We have now standardised a lot. That means that when a developer creates a new piece of code, it runs through our security pipeline. The system then indicates whether the code meets all security requirements or whether an additional check for security is needed. The security system automatically adapts if there are changes, for example if a new vulnerability is discovered, to detect any new danger.”
Tim looks to the future with confidence: “It’s great to see that the VASP is now actually ingrained in our DNA. But we are not just limiting ourselves to this programme, which only focuses on applications. We also want to take our security to an even higher level in other areas this year. We are keeping a close eye on new legislation, for instance in the field of privacy, in order to respond adequately. In doing so, we will continue to invest in software security to keep up with the changes in the world.”