Document Logistix, an award-winning document management software firm, creates document management solutions that help to eliminate the use of paper, improve records management and automate business processes. Its software powers the operations of some of the world’s most demanding, high document volume businesses, including major logistics companies such as DHL and CEVA. These customers entrust Document Logistix with the handling of their information – much of which is highly sensitive or confidential – so security is a high priority.
Seeking a higher level of confidence in its application security testing, the company turned to WhiteHat Security to secure its DevOps environment and automate its testing processes. Document Logistix uses WhiteHat Sentinel Source for static application security testing (SAST) and WhiteHat Sentinel Dynamic for dynamic application security testing (DAST). The company also relies on the security experts at WhiteHat’s Threat Research Center (TRC) for added assurance in uncovering security vulnerabilities.
Since 1996, Document Logistix has supplied its uniquely affordable and scalable Document Manager software to a variety of SME and blue-chip clients around the globe. The company’s UK and EMEA operations are headquartered in Milton Keynes, UK, which is also the central point of product development, technical support and training. The US branch of the company is headquartered in Austin, Texas, and has major contracts with the Texas Department of Public Safety, the Virginia State Police and various agencies in other states. In 2018 Document Logistix won the prestigious Product of the Year award for Workflow and Business Process Management.
“Our application is basically a portal for sharing documents. It’s not a banking application – we don’t store credit card information – but document management can be equally if not more vulnerable to people trying to gain access to things they shouldn’t see,” said Tim Cowell, founder and CTO, Document Logistix.
Document Logistix’s application, Document Manager, provides a flexible platform for completely paperless business processes and highly efficient archiving. Not designed for any particular market, Document Manager is highly customizable for a large range of business processes. This could be something as mundane as proof of delivery, where the risk from data loss is fairly minimal, or more sensitive information such as human resources records and personnel management, where the risk is that people view records they are not authorized to see. This has become even more important since the EU’s General Data Protection Regulation (GDPR) went into effect, as there are financial penalties for non-compliance. Another example of document sensitivity among Document Logistix’s customers is attorneys general in the US using Document Manager for disclosure purposes, publishing prosecution case material to defense attorneys. Failure to protect such information could lead to a mistrial, potentially preventing prosecution of a felon, so the stakes are high.
While protecting customers’ data has always been a priority for Document Logistix, it lacked a true solution for security testing of its application. A number of clients performed their own penetration testing and submitted a list of findings to Document Logistix, which responded by providing them with a new build of its application. The company also had its own people manually reviewing code for security vulnerabilities, but this proved to be a time-intensive and costly practice, as the review had to be repeated constantly to keep up with new attack techniques and newly discovered classes of vulnerability.
“The biggest problem was the huge unknown. Our customers are high profile and high risk. We needed a solution that gave us a better process,” said Cowell.
Document Logistix implemented SAST using WhiteHat Sentinel Source to scan its source code for security vulnerabilities and support a more secure product design. Later, it added DAST using WhiteHat Sentinel Dynamic, which tests the running application, providing it with automatic detection and assessment of code changes, alerting for newly discovered vulnerabilities, and reporting and intelligence metrics.
“With DAST, we have confidence in saying to our customers ‘this is what was done to make your information more secure,’ and they know that every time there’s a new build of the application, it gets a new test,” said Cowell.
In addition, WhiteHat TRC provides Document Logistix with an added layer of assurance against security vulnerabilities. At the end of each day, any new code written is uploaded to the TRC, where it is checked by a WhiteHat security expert, and a report identifying any anomalies is then sent back to Document Logistix so it can take any necessary action.
The combination of SAST and DAST provides Document Logistix with a platform for testing its application and DevOps environment on an ongoing basis, which in turn supports the features its customers rely on to comply with the complex rules of paper and electronic document management. These include full auditability of the application, the ability to plan workflows, complex retention policy management, and policies for particular classes of documents, including which documents should or should not be disclosed, and to whom.
The WhiteHat Application Security Platform has given Document Logistix full confidence in the security of its products and its ability to protect its customers’ information.
“Working with WhiteHat gives us added credibility with customers because we’ve raised the question of security first. It becomes a non-issue, because they understand we’re serious about our duty to protect their data,” said Cowell.
Document Logistix also points to the cost effectiveness and ease of implementing the WhiteHat Application Security Platform.
“We do three to four releases a year, and testing is very expensive, so performing testing on each release isn’t reasonable. This is a very cost-effective solution, because the testing process is ongoing. This path has had the least amount of impact on productivity,” said Cowell.