If you’re operating a business with access to information via DigiD, your business is required to maintain DigiD compliance. That means passing an annual ENSIA audit for the DigiD framework – which includes a pentest and an on-site audit to assess compliance with the norms.
At Cyver, we perform 25+ DigiD pentests every year to help organizations pass their DigiD audit. We do this with an audit partner, but we’re happy to work with your existing auditor if you already have one. We’ve also put together tips based on that experience to ensure you pass the audit as smoothly as possible.
Double Check Compliance
“DigiD is primarily about security configurations,” says Mike Terhaar, chief pentester and co-founder at Cyver. “If you’re not a software developer, the norm is mostly about ensuring that your basic security settings are correct. Otherwise, you’ll mostly just have to ensure you have your TPMs ready. Of course, in some cases, you’ll have vulnerabilities that are out of your control – which normally means your software supplier is responsible and they will have a period in which to remediate it after the audit.”
“Of course, if you are developing software, you’ll have to prove a lot more in terms of compliance as part of the audit and you’ll have to provide TPM statements to the organizations using your software. Of course, we do that too, and we can help you to test and assess so that you can deliver those TPMs, which we already do for several software developers in the Netherlands”.
If you’re not sure what the configurations should be, it’s always a good idea to read through the DigiD norms to ensure you understand what they are. You should also check the NCSC web application security doc, to ensure your web application meets the requirements for compliance.
“Know what the norms are about and why – if you know what they are and their importance, it’s much easier to solve internal issues, server issues, etc., it’s all about knowledge. Of course, you’ll also want to make sure you stay up to date with the releases, the naming scheme can be complicated, but there are generally changes every year”.
While some organizations opt to have the DigiD pentest flag those configuration errors, you can also do the checks upfront to reduce the number of vulnerabilities found during the pentest.
“This year we actually have a new common issue, the referrer-http header. However, TLS encryption layers and CSP issues are still the most common problems. Otherwise, it’s always a great idea to check inline headers, the No CSP Policy, SSL implementation, access rights, and, of course, wildcards. These are all settings issues and they’re also some of the most common vulnerabilities we find when performing the DigiD pentest”.
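The upfront header checks mentioned above can be scripted and run before the pentest. The following is an added example, not Cyver's tooling and not part of the DigiD norms: it inspects one response's headers for a missing CSP, inline script allowances, wildcard sources, and missing Referrer-Policy or HSTS headers. The finding labels, the choice to flag any `*` in a CSP source, the use of HSTS as the TLS-related header check, and the sample headers are assumptions constructed for illustration.

```python
# Added example: offline pre-check of HTTP response headers.
# Finding labels and sample data are constructed, not taken from the DigiD norms.

def parse_csp(value):
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            # In CSP the first occurrence of a directive wins; duplicates are ignored.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def check_headers(headers):
    """Return a sorted list of finding labels for one response's headers."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = set()
    csp = h.get("content-security-policy")
    if not csp:
        findings.add("no-csp")
    else:
        policy = parse_csp(csp)
        # script-src falls back to default-src when it is absent.
        script = policy.get("script-src", policy.get("default-src"))
        if script is None:
            findings.add("csp-no-script-restriction")
        elif "'unsafe-inline'" in (s.lower() for s in script):
            findings.add("csp-unsafe-inline")
        for directive, sources in policy.items():
            # Assumption: any '*' in a source (bare or subdomain) counts as a wildcard.
            if any("*" in s for s in sources):
                findings.add(f"csp-wildcard:{directive}")
    # Referrer-Policy may list fallbacks; the last value is the preferred one.
    referrer = [t.strip().lower() for t in h.get("referrer-policy", "").split(",") if t.strip()]
    if not referrer:
        findings.add("no-referrer-policy")
    elif referrer[-1] == "unsafe-url":
        findings.add("referrer-policy-unsafe-url")
    if "strict-transport-security" not in h:
        findings.add("no-hsts")
    return sorted(findings)

# Constructed sample responses: a weak configuration beside a corrected one.
SAMPLE_WEAK = {"Content-Security-Policy":
               "default-src *; script-src 'self' 'unsafe-inline' https://*.example.test"}
SAMPLE_HARDENED = {"Content-Security-Policy": "default-src 'self'; script-src 'self'",
                   "Referrer-Policy": "strict-origin-when-cross-origin",
                   "Strict-Transport-Security": "max-age=31536000; includeSubDomains"}

if __name__ == "__main__":
    print(check_headers(SAMPLE_WEAK))
    print(check_headers(SAMPLE_HARDENED))
```

A clean result here only covers these header settings; TLS protocol and cipher configuration and access rights still need their own checks.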
Test on Time
It’s always a good idea to test on time and to fix vulnerabilities before the DigiD audit actually happens. It doesn’t matter whether you do that by pre-testing and resolving everything 2-3 months in advance, or with Cyver’s method of delivering vulnerability findings as tickets, which you can remediate before submitting the report.
“Retesting has a lot of advantages”, says Mike Terhaar, “On my platform, Cyver, you can request with a click of a button. Then, one of our pentesters will retest for free – providing you make that request within 30 days of the original pentest, we’ll even do it for free. That means you can easily verify that you’ve remediated the vulnerability before we generate the report, so the vulnerability doesn’t show up on the report you submit to the auditor”.
“If you’re supplying software, we can help with that as well – we do testing for software requiring TPM statements in alignment with an audit partner. Cyver’s portal also helps a lot there, because we can easily send vulnerabilities directly to developers and teams remediating those issues, which can greatly speed up time to fix, meaning it’s more likely you can actually remediate the issue before the audit. Plus, with our free retesting, you might be able to submit a clean report, with critical vulnerabilities already remediated and re-tested.
It’s especially crucial that software companies stay compliant because you have a major impact on compliance. If your software company has a single issue, every company using that software has that issue. So, we collaborate directly with developers to ensure you have the opportunity to resolve those vulnerabilities.”
Make Sure You’ve Done Scanning
Every DigiD organization is required to do internal vulnerability scanning of all DigiD-related components, from the point closest to the application. This means there can’t be any firewalls between the scanner and the components being scanned.
“Cyver does vulnerability scanning as part of the audit, but this is purely as part of research. If our vulnerability scan shows something, we know you’ve missed something, and we can tell you. However, you’ll have to do that yourself, as part of the audit. Make sure you have the tooling and the capabilities set up.”
Make Sure Your TPMs Are Ready
“If you’re sourcing software from a supplier, you’ll have to deliver TPMs from those suppliers as part of your DigiD audit. These statements show that your software provider is DigiD compliant and undergoes the necessary pentesting and audits.”
“It’s also important to consider TPMs when you’re choosing a software supplier. While it’s affordable to outsource and to go overseas, a software developer in another country may be less able to supply you with TPMs or to remediate vulnerabilities on time – which means you may lose access to DigiD. Even if they simply have too long of a waiting period – such as if you’re a very small client to a large company that isn’t DigiD complicit, you might have problems with DigiD”.
Plan for Next Year
“Doing your research and figuring out how to make DigiD audits and pentesting fit into your financial planning is important because you’ll be doing it every year. Cyver’s approach of pentest-as-a-service helps with that, because we can reduce costs by re-using the scope and project planning every time – you can save hours of overhead and reduce costs”.
“Almost all companies pass the DigiD audit, but they end up with notes on their statement, which means they have 3 months to fix or they have to have vulnerabilities fixed by next year. It’s not up to me to determine whether someone is compliant to the norms, I can only map things I find to the norms, and tell you if it matches the criteria or not. But the end decision is always up to the auditor.”