Penetration testing

White box - Black box

Penetration testing is where Simployer (or 3rd party professionals working on behalf of Simployer) tries to break into our own systems. The tests is performed to identify weaknesses (also referred to as vulnerabilities), including the potential for unauthorized parties to gain access to the system's features and data.

Penetration testing is mainly done in two ways:

  • White box testing - this is where a potential intruder (tester) has prior knowledge and background information about the system.
  • Black box testing - this is where a potential intruder (tester) has limited (if any) information about the system.

Simployer performs both white box and black box testing regularly, and we use professional tools to help automate the process.


The best way to avoid that attackers can compromise a system is to mitigate the potential threats before they are exposed.


Simployer has implemented Snyk to automate discovery and fixing of vulnerabilities in our source code and external libraries used by Simployer. With Snyk we reduce the potential for introducing vulnerabilities into production.

Invicti (former Netsparker)

We do real life penetration test using Invicti. With Invicti we can find potential breaches in our production environments and mitigate them before they become critical.


Our professional hosting partners maintain firewalls that protects the Simployer suite of malicious attacks.

Antivirus and malware protection

All servers used to host Simployer are protected by updated antivirus and anti malware by our professional hosting partners.

Load balancer and private endpoints

Endpoints for internal services and data storage are physically divided by virtual network mappings so that internal endpoints are never exposed public. Only endpoints for load balancer and API gateway have public endpoints. SSL offloading is done at the loadbalancer level.

API Gateway

Simployer API's are behind an API gateway that only exposes public endpoints. The gateway handles authentication, security, rate limiting, throttling, transformations, analytics and monitoring.


All servers and services that are used to host Simployer are hardened after best practices provided by the manufatorers.

Secure channels and authentication

Simployer does application management over secure and encrypted channels that requires multi factor authentication. All traffic between Simployer and customers are encrypted using TLS V.1.2 or newer.


We train our technical personnel regularly.


We are open with any potential threats and issues that might hit the Simployer suite, and we keep our customers up to date on