Visma puts a lot of emphasis on providing secure cloud software for accounting, procurement, invoicing, school administration, HRM and financial management. That made us curious about what a software vendor actually has to do to keep its products secure. Which programs and initiatives are in place?
Globally, there are far more cyber attacks today than a few years ago, and it has become almost impossible for an organization to rule out being hit. That makes the security of a company's critical software solutions all the more important: it gets some of the basics in order and makes critical data considerably harder to reach.
In addition, the software must keep working in order to keep the business running. If a hole in administrative software is exploited, core business processes can grind to a halt and crucial data can leak.
Visma is aware of that critical role, which is why it protects its products "in the best way possible." We recently heard that from Cindy Wubben, Chief Information Security Officer of Visma Benelux, and Espen Johansen, Director of Security.
Looking at Visma more closely, it helps to know that the company consists of many parts. Much of its software portfolio has been acquired: local players built the software, Visma took it on because it fit its vision, and Visma then supports the product in terms of innovation, growth and security.
According to Visma, every solution can be made more secure by leveraging the wider organization. Numerous security teams are active within Visma, and together they are meant to raise security to a higher level. The idea is that, collectively, these security experts can achieve more than a company could on its own before it was acquired.
Ultimately, Visma considers itself responsible for the data it comes into contact with. That can be data that users generate with the software, but also Visma data related to partners, employees and investors. The software vendor wants to provide these groups with information, so together they can become more resilient against cyber attacks.
To this end, Visma wants to strengthen the security culture within the organization. In practice, this means developers test their source code and security is part of the acquisition process: parties that are about to be acquired are assessed for their security maturity.
The security culture is also safeguarded by making every employee aware of the importance of security. After all, a company can have very good security experts in-house, but if a sales or HR employee is careless with passwords or phishing emails, the risk remains considerable. Software developers in particular must be part of this, because they have to make sure that the code and the core of the software are secure.
Wubben indicates that Visma spends 12 million euros a year on its security programs, excluding personnel costs. To put that in perspective, last year Visma posted quarterly revenue of more than 600 million euros.
Application security program
One of the programs that actually drives security is the Visma Application Security Program (VASP). The program is built on industry standards and best practices and is intended to support every product in reaching the right level of security. Every acquired company must implement it, regardless of the measures that company had already taken on its own. For a company that already has a high level of security maturity, implementing the program is usually faster.
The goal is to enable the managing director, security officers and everyone else involved to make the best security decisions every day, based on data and transparency. The program is risk-based: depending on the risk profile of an application, such as whether it runs on-premises or what type of data it processes, the program can be tailored.
A large part of the security work also goes into building a defense against criminal groups and state-sponsored attackers, based on the latest developments. To that end, in-depth analysis is performed continuously. Johansen says this is largely a matter of monitoring the activities of cybercriminals, from which their next steps can be predicted. "It provides us with a lot of information that we distribute to our companies and services," Johansen said. Visma also wants to democratize this information by bringing it to the general public: the information is not kept secret but is meant to make society as a whole more resilient.
Johansen indicates that much of this information simply comes from public sources. As an example, he cites a map of Ukraine with aircraft activity projected on it. It clearly shows very little air traffic, which signals that the country is a dangerous place to be. That is an indication of danger which can extend to cyber threats, and so it becomes input to the cyber threat landscape.
Bug bounty program
Testing software, building in security mechanisms, following standards and sharing information go a long way, but there is always a chance that a bug goes unnoticed and ends up in production. That is why Visma has established a bug bounty program. It challenges ethical hackers and security researchers to find holes in the security of Visma's software and report them to Visma. Visma then awards a reward based on the severity of the bug and tries to ship a patch as soon as possible. The aim is for the hole to be found by the right side before malicious hackers find it.
Visma has compiled a set of rules for this purpose, describing what bug bounty participants may and may not do. Someone who reports a bug can generally expect a first response within two days, and the goal is to have a fix within 90 days. So far, the program has yielded more than 500 submitted findings, of which Visma accepted about half.
A secure foundation
Secure enterprise software starts with a secure foundation: the code and the core of the product must be secure. Visma pursues this by researching and assessing its software and by following standards to reach a defined level of security.
On top of that, threat intelligence and the bug bounty program are crucial. With them, Visma wants to prevent, as far as possible, the latest attack tactics from succeeding against its enterprise software. That can never be ruled out completely, but Visma says it does everything possible to minimize the chance.
The overall approach means that Visma looks at the security of its products with a great deal of confidence. "I think the way we do it really adds a lot of value for ourselves and for our customers," concludes Wubben.