The unique security needs of visual collaboration hub, Oroson
Oroson is an online tool with the mission to improve how people work. Oroson boards give people one central place to visualise their content, tools and communication all together.
The company is now five years old and at an exciting stage, scaling up quickly.
In part, that’s because collaboration is having a moment – with the popularity of tools such as Slack, and the increasing investment in making working practices more flexible.
“The difference with Oroson is that it’s all visual,” says CTO Richard Davidson.
With many popular tools being message-focused, there is a place for a tool built around a tile-based, more visually oriented digital workspace.
It was born out of a frustration that CEO Daniel McGlade experienced during his law degree, with keeping his reading and work together in one place. Daniel founded the company and grew it organically for the first few years. Oroson has pivoted into the business space over the past 18 months.
Richard says, “Oroson is content first – so, here’s this piece of content that relates to your project – it’s all easy to find, with tile-based scrolling. We keep the content and collaboration together, and make it visual, so people can consume it very quickly. Comments are aligned with content down the side, so you can view it at the same time.”
Oroson is targeting companies both large and small, in many sectors – the Irish FA is a customer, as is the local favourite Mexican restaurant, Boojum. Reach PLC (previously Trinity Mirror), also uses the collaboration tool with an internal team of 50, plus external clients.
On the back end, Oroson’s cloud servers store sensitive, confidential information, so the security of the application is paramount.
The majority of Oroson was built from the ground up in Amazon Web Services (AWS), while some of the Big Data and analytical parts of the platform run in Google Cloud Platform (GCP). The front- and back-ends incorporate a wide range of technologies.
“Furthermore, there are Android and iOS apps, plus a desktop app,” Richard explains, “and obviously we need to keep all of this secure.”
“After coming on board as the company’s CTO, I knew security needed to be a top priority if we planned to store other people’s data.”
“With our development team bringing experience from the likes of Aepona who delivered platforms to large telecoms operators, I knew it had been built soundly – telcos are very strict about auditing, system hardening and compliance. But we needed an external review to validate what we had done,” says Richard. “Vertical Structure had exactly what we needed.”
He appointed the team from Vertical Structure – led by co-founder Simon Whittaker – to undertake external vetting and auditing, security & penetration testing, and to get the company started down the certification path.
“We needed Cyber Essentials,” Richard says, “and we needed to ensure we had all the content around that.”
Oroson’s development team waited until a large development cycle was finished to start the security testing.
“They did the security and penetration test – consisting of scanning all the cloud environments to identify vulnerabilities. They also did a scan of the code for the desktop and mobile apps. In the process, they created a wealth of documentation around threat detection, asset management, the joiner-leaver process, etc. They also kick-started a security white paper for us, and this is now shared directly on our website for the benefit of our customers.”
The security and penetration tests were carried out using unauthenticated, anonymous and authenticated user personas to exercise both use cases and abuse cases. This included examining all communications between the various applications and API endpoints, to tease out any weaknesses that might exist.
In addition, Vertical Structure submitted and obtained Cyber Essentials certification for Oroson.
“It’s a huge weight off our shoulders to have that external validation,” says Richard. “Our customers are placing a lot of trust in us, to store their data. Making the platform ‘security-first’ is crucial.”
The scans unearthed a small number of low-risk, non-critical issues that Oroson was able to fix rather quickly. The engagement also gave the company a formal structure around its security processes.
“Simon from Vertical Structure said he’d found an unusually high level of security – and was genuinely impressed with the product – so that was great validation, coming from a company who reviews security for many different types of technologies,” Richard says. “It was huge for the morale of our development team, to know that what they were building was secure and of a high quality. It was also essential to demonstrate to our board and investors.”
Oroson had several unique security challenges:
- When a small company of 10 enters a space against a giant such as Google, the question of trust is always central to adoption
- Multi-platform: web, desktop and mobile apps, all needing to stay exactly in sync
- Synchronisation with external services such as Dropbox and Google Drive, where customers store their most sensitive documents
- Multi-tenancy: documents and information are shared across users in different organisations
- Live chat: Oroson has a solution in place to handle live chat while sharing all the important documents
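The persona-based testing described earlier (unauthenticated, anonymous and authenticated users exercising use and abuse cases against API endpoints) and the multi-tenancy challenge above come together in an access-control matrix test. The following is an added example, not Oroson's or Vertical Structure's code: it models a minimal in-memory board store with two hypothetical tenants, defines a deliberately weak board-lookup handler beside a hardened one, and runs every persona against every board, recording each response that differs from what the data model says it should be. The tenant names, user names, board ids and the status-code policy (401 for no session, 404 rather than 403 for another tenant's board so that existence is not leaked) are assumptions made for the example.

```python
"""Persona-based access-control matrix test for a multi-tenant board API.

Added example (not the product's code). Constructed sample data: two tenants,
three boards, four personas. A handler is a function (session, board_id) ->
(status, board); the matrix runner compares each result with an oracle derived
from the ownership and sharing data and returns the list of violations.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Board:
    board_id: str
    tenant: str
    owner: str
    shared_with: Set[str] = field(default_factory=set)  # user ids granted access


@dataclass
class Session:
    user: Optional[str]    # None models an unauthenticated caller
    tenant: Optional[str]


# Constructed sample data (hypothetical tenants "acme" and "globex").
BOARDS: Dict[str, Board] = {
    "b1": Board("b1", "acme", "alice"),
    "b2": Board("b2", "acme", "alice", {"bob"}),
    "b3": Board("b3", "globex", "carol"),
}


def get_board_weak(session: Session, board_id: str) -> Tuple[int, Optional[Board]]:
    """Deliberately weak handler: looks a board up by id alone.

    Any caller who can guess an id, including one with no session at all or a
    user from another tenant, gets the board back.
    """
    board = BOARDS.get(board_id)
    if board is None:
        return 404, None
    return 200, board


def get_board_hardened(session: Session, board_id: str) -> Tuple[int, Optional[Board]]:
    """Hardened handler: authenticate, then scope the lookup to the caller's tenant,
    then check the per-board share list."""
    if session.user is None:
        return 401, None
    board = BOARDS.get(board_id)
    # Treat another tenant's board as non-existent so ids cannot be enumerated.
    if board is None or board.tenant != session.tenant:
        return 404, None
    if session.user != board.owner and session.user not in board.shared_with:
        return 403, None
    return 200, board


def expected_status(session: Session, board: Board) -> int:
    """Oracle: the status the data model says this persona should receive."""
    if session.user is None:
        return 401
    if board.tenant != session.tenant:
        return 404
    if session.user == board.owner or session.user in board.shared_with:
        return 200
    return 403


def run_matrix(handler) -> List[Tuple[str, str, int, int]]:
    """Run every persona against every board; return (persona, board, want, got)
    for each response that does not match the oracle."""
    personas = {
        "unauthenticated": Session(None, None),
        "acme/alice": Session("alice", "acme"),    # owner of b1 and b2
        "acme/bob": Session("bob", "acme"),        # shared on b2 only
        "globex/carol": Session("carol", "globex"),  # other tenant
    }
    violations = []
    for name, sess in personas.items():
        for board_id, board in BOARDS.items():
            want = expected_status(sess, board)
            got, _ = handler(sess, board_id)
            if got != want:
                violations.append((name, board_id, want, got))
    return violations


if __name__ == "__main__":
    for label, handler in (("weak", get_board_weak), ("hardened", get_board_hardened)):
        found = run_matrix(handler)
        print(f"{label}: {len(found)} violation(s)")
        for persona, board_id, want, got in found:
            print(f"  {persona} -> {board_id}: expected {want}, got {got}")
```

The point of driving the test from an oracle rather than from hand-written expectations is that the same matrix can be re-run after every change to the sharing model; a pentester doing this against a live API would substitute real HTTP calls for the handler and real accounts in separate tenants for the sessions, but the shape of the check is the same.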
Simon Whittaker of Vertical Structure comments, “There was no scope to get things wrong. Oroson takes input from many sources, across different users in different companies, and pulls content from many places. Plus you add in the live chat - which is notoriously hard to do securely. All of these touchpoints could open up vulnerabilities, if the product wasn’t developed robustly. Luckily in this case, there were only a small amount of things to fix and some groundwork to be laid for security certification.”
Is there anything that Oroson would have done differently, with the benefit of hindsight?
“Knowing now, how efficient Simon and his team made the process, we probably should have engaged them earlier,” Richard says. “We initially thought more input would be required from us in the security testing process, but they got the work done within short timeframes, and caused little distraction from our day to day activities.”