The extensive security audit, performed in early 2022, involved giving Cure53 access to all source code, protocol documentation, and development teams. More details in the press release, here.
Independent security audits, also known as white-box penetration tests, provide a comprehensive assessment of both the internal and external system landscape, looking for issues that may compromise security. They involve access to the source code for a full code audit, access to documentation such as API and internal docs, and a communication line to the developers/stakeholders for questions and feedback.
Aside from being a much more in-depth and thorough review than a traditional penetration test, white-box testing also allows you to prepare for scenarios such as insider threats or when an attacker has obtained detailed internal information.
Who are Cure53?
A German security firm with a strong and respected presence in the industry, Cure53 is known for reviewing similar technologies to ours. Their motto is “fine penetration tests for fine websites,” and some of the names they’ve worked with include Mozilla VPN, Opera VPN, and 1Password. You can take a look at some of their previous work here and the RealVNC summary report here.
Why?
We believe that security is a critical aspect of modern technology services. Customers should be asking for this level of transparency from any prospective supplier, particularly given that Remote Access software is powerful and any vulnerability can be disastrous.
“At RealVNC, we operate from the standpoint that no company should ever take a vendor’s word for it when they claim their software is secure, which is why we chose to complete a white-box audit with a highly regarded security consultancy to prove it”, said our Chief Information Officer, Andrew Woodhouse.
What?
Cure53 has provided us with a detailed security audit report. During the engagement, any issues found were triaged by RealVNC, and any deemed needing immediate attention were taken into our development lifecycle and, patches addressed accordingly.
Of the 38 issues across the entire codebase – with none being assessed as critical – a remarkably low number according to Cure53 – 32 were fixed and confirmed by Cure53 and 6 were either flagged as false alerts or works-as-intended.
What’s next?
RealVNC will continue to work on providing our customers with the most secure remote access solution on the market.
You can find out more about all of this, as well as everything security-related at RealVNC, at our booth at Infosecurity Europe 2022.
The event will take place from June 21st to 23rd, and we will be exhibiting at stand F80. Andrew Woodhouse and our Head of Cyber Security, Ben May, will both be there to answer your questions.
You can read the Cure53 summary report here.