More and more companies, self-employed professionals and private customers are using Boxcryptor to protect sensitive data, primarily in the cloud. Boxcryptor ensures that nobody but authorized persons has access to the data: cloud providers and their staff, as well as potential attackers, are reliably excluded. The audit verified whether this protection actually holds.
During the audit, Kudelski was given access to the source code of Boxcryptor for Windows and to the internal documentation.
“All these components were logically correct and did not show any significant weakness under scrutiny. It is important to note that the codebase we audited was not showing any signs of malicious intent.”
The goal of the audit
The goal of the audit was to give all interested parties an indirect insight into the software, so that they can be confident that the code contains no backdoors or security holes.
Robert Freudenreich, CTO of Boxcryptor, about the benefits of an audit: “For private users, Boxcryptor is a means of digital self-defense against curious third parties, for companies and organizations a way to achieve true GDPR compliance and complete control over business data. With software that is so security relevant, it is understandable that users want to be sure that the software is flawless.”
The audit process started at the beginning of May, with short lines of communication to the developers and managers in the Boxcryptor team. Had Kudelski found a serious security vulnerability, they would not have held it back until the final report but would have reported the problem immediately.
A problem rated as “medium”
The problem rated as medium concerns a part of the code that handles connections to cloud providers over the WebDAV protocol. In theory, the operator of such a cloud storage service could have tried to inject code into Boxcryptor for Windows through it.
In practice, however, this code path was never used by Boxcryptor, so users were at no point exposed. In response to the audit, this unused code was removed.
Two problems classified as “low” and further observations
One problem classified as low concerns the user password: to better protect users who choose weak passwords, it was recommended that the password hashing be iterated more times (a higher work factor) and that the minimum password length be increased; both changes were implemented immediately.
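The two measures above (a higher hashing work factor and a longer minimum password) raise a practical question: the stored hash of an existing user cannot be recomputed with more iterations without the password, so the upgrade has to happen at the next successful login, and a previously accepted short password must not lock the user out but be flagged for change. The following Python example, added here to illustrate that pattern, is not Boxcryptor's code and does not describe its actual key derivation; the iteration counts, the 12-character minimum, PBKDF2-HMAC-SHA256 as the hash and the record layout are all assumptions for the illustration.

```python
import hashlib
import hmac
import os

# Assumed policy values for this example; the article gives no numbers.
MIN_PASSWORD_LENGTH = 12      # raised minimum length
OLD_ITERATIONS = 10_000       # stand-in for the pre-audit work factor
NEW_ITERATIONS = 600_000      # stand-in for the raised work factor


class WeakPasswordError(ValueError):
    """Raised when a new or changed password violates the length policy."""


def check_password_policy(password, min_length=MIN_PASSWORD_LENGTH):
    """Enforce the minimum length when a password is set or changed."""
    if len(password) < min_length:
        raise WeakPasswordError(
            "password must be at least %d characters" % min_length)


def derive_key(password, salt, iterations):
    """PBKDF2-HMAC-SHA256 (assumed KDF); `iterations` is the work factor
    an attacker must pay per guess when brute-forcing a weak password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt, iterations, dklen=32)


def make_record(password, iterations=NEW_ITERATIONS, salt=None,
                enforce_policy=True):
    """Create a stored verifier. Policy is enforced for new passwords;
    enforce_policy=False only models records created under the old rules."""
    if enforce_policy:
        check_password_policy(password)
    salt = salt if salt is not None else os.urandom(16)
    return {"iterations": iterations, "salt": salt,
            "key": derive_key(password, salt, iterations)}


def verify_and_upgrade(record, password, target_iterations=NEW_ITERATIONS):
    """Verify `password` against `record` using the iteration count stored
    with it. On success, re-derive with the current work factor if the record
    is below it (only possible now, while the plaintext is available).
    Returns (ok, record_to_store, needs_password_change)."""
    candidate = derive_key(password, record["salt"], record["iterations"])
    if not hmac.compare_digest(candidate, record["key"]):
        return False, record, False
    # A short password accepted under the old rules still logs in, but the
    # application should prompt for a change rather than lock the user out.
    needs_change = len(password) < MIN_PASSWORD_LENGTH
    if record["iterations"] >= target_iterations:
        return True, record, needs_change
    upgraded = make_record(password, target_iterations, salt=os.urandom(16),
                           enforce_policy=False)
    return True, upgraded, needs_change


if __name__ == "__main__":
    # Constructed sample: a record stored with the old work factor.
    old = make_record("correct horse battery", iterations=OLD_ITERATIONS)
    ok, new, needs_change = verify_and_upgrade(old, "correct horse battery")
    print("login ok:", ok, "iterations now:", new["iterations"],
          "needs change:", needs_change)
```

Design note: the iteration count is stored alongside the salt precisely so that records with different work factors can coexist during the rollout; a verifier that hard-codes the count cannot be upgraded without a password reset.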
The second problem classified as low was theoretical and concerned how the Boxcryptor configuration is read.
Kudelski Security, the cybersecurity division within the Kudelski Group, announced the launch of its dedicated Microsoft Security services, enabling clients to effectively consume and configure Microsoft security capabilities and add additional monitoring to their Microsoft 365 and Azure environments.
This represents the latest expansion of a rapidly growing, cloud-first cybersecurity portfolio that supports digital transformation initiatives of global enterprises using private and public cloud services.
In addition to providing a dedicated Microsoft focus, Kudelski Security offers clients a combination of proprietary, native cloud security monitoring capabilities as well as teams of experienced engineers to help deploy, operate, and maintain comprehensive cybersecurity programs.
The caliber of Microsoft 365 security capabilities is increasing, allowing organizations to monitor and manage security across their Microsoft identities, data, devices, apps, and infrastructure.
As part of their new services, Kudelski Security will help Microsoft clients simplify their security and compliance strategy by effectively leveraging their existing investments in Microsoft 365 and Azure.
Kudelski Security’s Microsoft Security services leverage native security features from Microsoft 365 and Azure, such as Azure Active Directory and Azure Information Protection.
They combine these features with expert guidance, proprietary solutions, and continuous threat monitoring to deliver end-to-end security capabilities at any stage of the client journey.
“For thousands of enterprises around the world, Microsoft 365 is the guardian of business-critical data,” said Andrew Howard, CEO, Kudelski Security. “This makes Microsoft 365 an attractive target for attackers. It’s essential for security teams to understand Microsoft 365 security capabilities and ensure they are properly implemented.”
Ann Johnson, CVP Cybersecurity Solutions Group, Microsoft Corp. said, “Our clients are increasingly looking for firms that can help them leverage their existing Microsoft security investments more effectively. The capabilities of Kudelski Security aid in monitoring data in Microsoft environments, and are complemented by broader services to secure the modern workplace.”
Kudelski Security’s core Microsoft Security Solutions services include the following:
- Security Posture Assessments provide visibility on maturity levels, identify gaps, and deliver a prioritized security control roadmap to significantly improve an organization’s security posture.
- Azure Active Directory Identity Access Management services safeguard organizations from unauthorized access and identity-related threats while maintaining an integrated, straightforward user experience.
- Azure Information Protection services safeguard client data automatically while enabling user productivity and secure collaboration across devices and locations.
- Cloud Security Monitoring services enable threat monitoring and hunting for Microsoft 365 and Azure environments without the need for additional technology purchases.
Driving the practice forward is Chris Goosen, who joins Kudelski Security with 20 years of experience helping clients securely and effectively deploy Microsoft solutions at scale. Chris is a Microsoft Most Valuable Professional (MVP) and a Microsoft Certified Solutions Expert (MCSE).
Goosen and his team will leverage their expertise to help protect the modern digital workspace and ensure clients understand, optimally configure and leverage the capabilities offered by their existing and future Microsoft ecosystem investments.