Any organization using the Dutch Digital Personal Identification Number (DigiD) is required to conduct an annual pentest for compliance. Cyver conducts these pentests in collaboration with our compliance partners. This allows us to conduct pentests as part of a larger DigiD compliance audit, with our tests verifying results from the compliance partner, and vice versa. We also conduct independent DigiD pentests for organizations looking for pentesting to take to their compliance organization.
The 2021 DigiD Season: Common Vulnerabilities and Issues
For the 2021 season, Cyver helped 25 different organizations with DigiD compliance. These included hospitals, clinics, non-medical organizations like local government and city hall, and a few DigiD software developers. During testing, we found a few commonly recurring issues.
In 2021, DigiD compliance changed to require Logius DigiD Standards Framework v2.0. The largest shift here is that contact security (CSP) policies are now a strict part of compliance. This also means that this was the most common issue, because organizations were not accustomed to resolving those issues, could not solve the issues in time, or possibly couldn’t resolve them because of how their software was built. In the latter case, we look for mitigation measures, like web application firewall settings.
Inline Headers – Many websites still use in-line JavaScript and CSS in the headers. Setting correct CSP policy means you cannot use inline JavaScript. A valid JavaScript source for a CSP compliant header would be: ” script-src ‘self’ js.example.com;”, which limits the source, including host and port. Blocking inline script and script execution is a huge advantage to security, and you can learn more about how to do it here.
No CSP Policy – Many of our clients still had no CSP policy in place. In a normal pentest, we would simply flag this as an information item, which you should be aware of. CSP is a valuable risk-mitigation strategy. However, it’s required for DigiD compliance, and we will flag it as a vulnerability. For example, if you have a real vulnerability to a JavaScript injection, then your CSP policy would help to mitigate that. (NICE!)
TLS and SSL Implementation – DigiD requires all users to be on 1.2 or higher. Nearly everyone is on 1.2. However, as 1.3 is already rolling out, it’s important to upgrade to maintain security and compliance for next year. TLS 1.3 also offers several improvements over earlier versions, such as faster TLS handshake and simpler, more secure cipher suites.
Wildcards – many organizations implementing external links for JavaScript, videos, etc., use wildcards. The * in a link simplifies adding links, because it means anything from that source is passable. However, this is bad for security because an attacker can abuse it. We recommend removing wildcards in favor of direct links for better security.
Access Rights – Most DigiD applications allow anyone with a DigiD to sign into their application. This can be a security problem. Instead, you should consider limiting sign-in to individuals who should have access. For example, hospitals should limit access to individuals with a Patient ID and local governments should limit access by postcode. This reduces the number of people who can access the account and limits access to the application.
We also commonly see configuration and consistency issues, such as strict security headers not being set to the full site, etc.
What is the DigiD Pentest?
The DigiD pentest is similar to the OWASP Top 10, but primarily focuses on compliance and configuration issues, rather than hardware. DigiD pentesting checks to see if you meet the standards set in the Logius DigiD Standards Framework V2. It’s necessary for any organization that whishes to implement and use DigiD to handle personal or medical records.
We offer three primary types of DigiD pentesting:
- DigiD Compliance Testing – We test your application and configurations for DigiD compliance, as part of a larger DigiD compliance audit. DigiD software is already tested as a standard, which means that we mostly focus on your configuration and setup.
- DigiD Application Testing – We test DigiD applications from software developers. This is a more in-depth assessment, looking at code, environment security, etc. All DigiD developers are required to pentest applications before delivering to clients.
- DigiD New Installation Testing / Pre-assessment – We can conduct a pre-assessment pentest on new DigiD installations to ensure that it is secure. This avoids security issues which might arise before compliance. It also allows you to deliver a statement of security with your pre-assessment.
Learn More
Cyver offers schedulable, recurring pentesting for DigiD and other compliance norms, delivered through our online portal. Our findings library, direct contact with pentesters, and findings-as-tickets solutions make it easier than ever to manage and remediate vulnerabilities.
Visit our DigiD Compliance Testing page to learn more about our services. Or visit our Healthcare Pentesting page to see how we handle pentests for medical organizations.