ClickToSecure Tightens IRIS App

Document management firm taps Cenzic expertise.

Document management company IRIS Group—concerned about growing risks from online attacks and the negative impact an intrusion into its products could have on clients data and their reputations—turned to Cenzic Inc.s ClickToSecure service to ensure the security and stability of its Web-based applications.

IRIS—which is based in Belgium with a stateside office in Delray Beach, Fla., and a development laboratory in France—specializes in document imaging and archiving, particularly for payment processing.

The IRIS ScanChecks application sorts, reads and processes checks, coupons and bills of exchange, among many other document types. The optional e-Archeview module is used to archive images and data and make them accessible to users via the Web.

IRIS counts many banks and financial institutions among its clientele, so the security of its applications is of utmost importance. This security was found to be compromised when a customer discovered it was possible for e-Archeview to leak sensitive information, including user IDs and passwords, said Jasmine Morgan, project manager for the Americas division of IRIS.

The company needed to act, and it needed to act fast. "We wanted to make sure that we were giving [customers] a secure and stable product," said Morgan. "We decided to look for a third party that could help us with that."

IRIS officials investigated other application-level penetration testing solutions, but they ultimately decided that ClickToSecures capabilities best fit their needs and those of their customers.

ClickToSecure, Cenzics professional vulnerability assessment service, provides companies with expert penetration testers, leveraging Cenzics Hailstorm testing tool.

/zimages/4/28571.gifClick here to read eWEEK Labs review of Hailstorm 2.6.

IRIS officials said they chose the service instead of deploying the Hailstorm application in-house because penetration testing was new for them and they wanted to tap Cenzics expertise. They said they also believed that the international coordination required with their French developers would make it difficult to perform the scans in-house.

"With the tools and the product set that Cenzic had to offer [with ClickToSecure], coupled with Cenzics experience and knowledge in this arena, we were comfortable that they were more competent to do a thorough investigation and testing for us," said Morgan.

IRIS officials budgeted $20,000 for the ClickToSecure assessment. Prices will vary according to the number and scope of applications to test, but ClickToSecure pricing starts at $6,000 to test a single application, with additional costs depending on the number of pages to probe, according to Cenzic officials.

The initial ClickToSecure penetration test at IRIS, which started in May, was conducted remotely via the Internet over three days.

According to Morgan, the ClickToSecure scan identified cross-site scripting vulnerabilities, SQL injections and buffer overflows in the e-Archeview application. Cenzic technicians also tested for a slew of other vulnerabilities, including cross-frame scripting and phishing referrers, and looked for any forms not being encrypted via SSL (Secure Sockets Layer).

"We got a very detailed report of what was tested, how they tested it and what was done to exploit the vulnerability, and they gave some remediation tips," said Morgan.

Based on these findings, IRIS developers implemented changes to e-Archeview, and, in August, ClickToSecure service technicians rescanned the application to confirm that the vulnerabilities no longer existed. (The second scan to confirm successful remediation is a standard component of the ClickToSecure service.)

To maintain the security of the application over time, Morgan plans to use Cenzics services any time e-Archeview is modified.

"We need to have this done to put out a product that not only we can be confident in, but that our clients can be confident in as well," said Morgan.

Technical Analyst Andrew Garcia can be reached at

/zimages/4/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.