Security

Our software uses only standard Excel libraries and resources, which removes the need for separate security checks of third-party software libraries.

Simply download the program you want from this website, where the name of the program is given, such as easyESEF.xlsb, a binary Excel workbook ready to run. Some firewalls do not allow a binary Excel file to be downloaded: in that case, download the easyESEF.zip version, which is exactly the same program, compressed so that it gets past such firewalls. Unzip and run. If you still have problems, write to us at info@easyesef.eu and we will send you the program via wetransfer.com.

Open the program (an Excel workbook) on a Windows computer, including Windows running on an Apple Mac. When the program is run for the first time, Windows will usually ask for security permission to run Excel macros, with a message like «all the macros may be disabled». In that case, open «File Explorer», select the file, right-click it, choose «Show more options», select «Properties» and tick «Unblock» at the bottom of the dialog. That is all. The program needs no auxiliary files, code libraries or installation of any kind, which keeps the residual security risk on the computer where it runs to a minimum. The VBA source code is obfuscated against reverse engineering, but can be reviewed in clear text under a confidentiality agreement.

In practice, Excel VBA programs are the only executable code that financial-sector computers allow to run without prior security inspection. This exception is the reason why our developments are usually delivered as Excel workbooks: installing them does not require a security inspection of the software distribution libraries, as a standard antivirus is sufficient. This great deployment advantage far outweighs the possible drawbacks of using VBA instead of Python or Java. Our programs can optionally use third-party software, such as Python (Arelle) for XBRL validation, Java for CESOP validation, or DLLs for PDF to XML conversion. These are all optional features, such as the validation step after our program exports the file, and they can wait until they have passed security compliance review. Sometimes we also develop in Java (at the request of users), such as our open-source CENIX converter for Sustainability Reporting.

Stand-alone operation, isolated from the Internet or any other connection. Highest data protection.

Our programs work without any network connection. By their very nature, there can be no information leakage. The optional third-party programs used (such as validators) also run in standalone mode. For total security, you can run our programs on a Windows computer completely isolated from your corporate network, possibly using a USB stick to import and export files. In the recommended network-segmentation setup, the only functions normally still needed are a shared directory (or an equivalent file transfer), web browsing for look-ups, and e-mail.

Yes, an Internet connection is sometimes required, but never for operation. The programs contain links to Help pages, which can be printed or downloaded in advance. The programs themselves must be downloaded initially. Optional software may require additional files at installation, such as XML schemas. But none of that is necessary when working with sensitive data in production.

Perhaps the only exception where it is necessary to share production data with easyESEF Ltd. is for error diagnosis. All software programs have bugs, by definition, and some bugs can only be diagnosed when the production data present at the time of the bug is provided. A confidentiality agreement is to be signed covering these specific cases. The exchange of data always takes place under the control of the user, as the responsible party and owner of the data.

Software scanned by virustotal.com (a subsidiary of Google).

The absence of viruses in each Excel file is checked in this list on virustotal.com, which shows the SHA-256 hash of the file, its download URL and its analysis by a battery of about 90 different antivirus engines, practically the whole market. The Excel .xlsb file and its corresponding compressed .zip file are different files and are treated separately. You can click on any URL to analyse it again: the result is displayed within a few seconds. Note that there are false positives, triggered by any type of Excel macro, from BitDefender and G-Data for .xlsb and from TrendMicro for .zip.

After downloading each easyESEF program, we recommend re-checking its SHA-256 hash (unique to each file: it is computationally infeasible to create another file that produces the same SHA-256), as well as the absence of viruses, by uploading the file back to virustotal.com. This is the ultimate guarantee of authenticity and integrity, as it eliminates the risk of malware being injected during download, on the web, or at any other point. You can also upload the easyESEF program file to virustotal.com again later to re-check it for viruses. Because the file changes during use, its SHA-256 hash will by then differ from the published value and is therefore ignored. We recommend sending any URL or file to virustotal.com for preventive analysis before using it in the client environment. The analysis is free, fast, easy, complete and anonymous.
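The hash check described above, as an added example that is not part of the original page or of easyESEF's own tooling: it verifies a downloaded artifact against a published SHA-256 list and, for the .zip variant, also checks the workbook inside the archive against its own entry, since the archive and the .xlsb are distinct files with distinct hashes. The file contents and the published hash list are constructed stand-ins; real values come from the vendor's virustotal.com list.

```python
import hashlib
import hmac
import io
import zipfile


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the file contents as lowercase hex, the form shown on virustotal.com."""
    return hashlib.sha256(data).hexdigest()


def hash_matches(data: bytes, published_hex: str) -> bool:
    """True only if the bytes hash to the published value (case-insensitive, constant-time compare)."""
    return hmac.compare_digest(sha256_hex(data), published_hex.strip().lower())


def verify_artifact(name: str, data: bytes, published: dict) -> dict:
    """Check a downloaded .xlsb or .zip against the published hash list.

    published maps file name -> SHA-256 hex. A .zip is checked as a file in its
    own right; each .xlsb inside it is then checked against its own entry, because
    the archive and the workbook have different hashes. Missing entries fail.
    """
    report = {name: hash_matches(data, published.get(name, ""))}
    if name.lower().endswith(".zip"):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                if member.lower().endswith(".xlsb"):
                    report[member] = hash_matches(zf.read(member), published.get(member, ""))
    return report


def verify_file(path: str, published: dict) -> dict:
    """Same check for a file on disk (what you would run on the actual download)."""
    with open(path, "rb") as fh:
        return verify_artifact(path.rsplit("/", 1)[-1], fh.read(), published)


# Constructed sample: stand-in bytes for the workbook, and a zip wrapping it.
XLSB_NAME = "easyESEF.xlsb"
XLSB_BYTES = b"constructed stand-in for easyESEF.xlsb contents"
_buf = io.BytesIO()
with zipfile.ZipFile(_buf, "w", zipfile.ZIP_DEFLATED) as _zf:
    _zf.writestr(XLSB_NAME, XLSB_BYTES)
ZIP_BYTES = _buf.getvalue()

# Constructed stand-in for the vendor's published hash list (hashes of the bytes above).
PUBLISHED = {XLSB_NAME: sha256_hex(XLSB_BYTES), "easyESEF.zip": sha256_hex(ZIP_BYTES)}
```

A workbook that has been opened and re-saved no longer matches, which is why the published hash only applies to the freshly downloaded file.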

Fuzzy development approach to minimise Security Perimeter

The state-of-the-art approach in security would be broadly defined as a security perimeter defended with firewalls, VPNs, demilitarised zones, Identity and Access Management and a long list of further measures, monitored by a SIEM or a SOC, with the corresponding certifications such as ISO 27001, Cyber Essentials, PCI DSS or SOC 2, basically to prevent data loss and Advanced Persistent Threats (APTs).

easyESEF Ltd.'s approach is just the opposite: minimising our security perimeter and relying on vendors such as Microsoft or Google. We basically do NOT process customer data, we have no company servers to protect, and our work is fully distributed. Therefore we have very few critical resources to protect: our accounts at our hosting providers (website and shared directories) and our individual e-mail accounts. Microsoft, Google and our hosting providers hold all the necessary certifications, because data hosting is their business, not ours.

We have no security certifications because we have nothing to certify. Nothing is our own corporate resource. We are digital nomads, with no heavy baggage to carry with us.

Disaster Recovery and Business Continuity

Our only genuinely valuable assets are source code and documentation. In addition to automatic backups and other standard measures, our ultimate protection is physical USB sticks, manually checked with a text editor and stored in different locations. The problem with automatic backups is that an APT can silently encrypt files for months before launching the ransomware attack, so the backups themselves may already be compromised.

Manually checking the source code is simple, fast and very effective if your business is software development. Once the source code is in the hands of the programmer, recreating the programs for distribution after a disaster is an easy task.

In reality, the main risk is the continuity of the experts. But this is another story.