Application security

Security and privacy guaranteed

When offering apps via web or mobile to customers and end-users, securing data and protecting privacy are top priorities. Elements builds digital platforms and mobile apps according to current security standards. In this way, we ensure that the platforms of our clients are always optimally protected.

Advice about Security

Highest level security

By continuously considering data security and privacy while implementing an app or digital platform, you ensure that the latest requirements are met. We call this Security and Privacy by Design, and it is part of our standard operating procedure. Because security and privacy are an integral part of your application from the outset, we make sure that they fit in as well as possible with the functionality of your platform. This way, you offer the best user experience and your users have a secure app.

Data security

Depending on the application, the required level of security needs to be determined. Does the app collect user data? What information will be stored? Where is the data stored and who can access it? When personal data such as BSN (Dutch citizen service number) or medical data are processed, maximum data protection is necessary. Think of requiring a PIN code or biometric verification on the device, but also of encryption: encrypted storage of data at rest and encrypted transfer of data in transit. Software built for governments therefore always includes multi-factor authentication (MFA).

Guidance on GDPR compliance commonly distinguishes three IT security levels, basic, medium and high, based on the type of data processed and the size of the organisation. The GDPR itself (Article 32) does not prescribe fixed tiers but requires technical and organisational measures appropriate to the risk; the levels are a practical way to make that requirement concrete. Each level has its own specific rules for processing personal data.

Security and Risk qualification

To ensure that security and privacy measures are in place (Security by Design), every project always involves a security and privacy lead. This expert is also part of our internal Security Experts Team, the team that provides expertise for projects to ensure security. 

In the design phase, we always follow the OWASP guidelines and principles as generally applicable security guidance, combined with our own best practices, to solve security challenges as well as possible.

1. Requirement to design

Before we start designing an app or platform, we do extensive research into the requirements of the digital product. We translate the results of this research into concrete design criteria. Our working method focuses on incorporating security measures in a structured way from the first step in the process and documenting this within our projects. From the customer needs, expressed as functional requirements, we develop a risk classification matrix. Based on this matrix, we identify security risks and determine the degree of security required.

2. Problem identification

By identifying potential problems, we determine where risks may lie. We do this within the physical, software and user domains. Common risks typically lie in communication between systems, transport of data between users and databases, and device security. By always offering digital platforms over a TLS (HTTPS) connection, so that data in transit is encrypted, we reduce the risk of leaks.

3. Attack surface

The attack surface of a digital system is the set of ways an attacker can reach and attack the system. It is important to keep the attack surface of a digital platform as small as possible. With our risk classification matrix, we make sure that we limit the number of entry points an attacker can use.

4. Delivery

Within Elements, we ensure that all our deliverables comply with our security by design principles. For example, we document all work and follow the OWASP guidelines for cyber security.
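As an added illustration of steps 1 to 3 above (requirements to risk classification, problem identification per domain, and the resulting required level and controls), the following Python model is example code written for this page, not Elements' own matrix or tooling. Every data category, score, threshold and control name in it is an assumption chosen for the illustration; a real matrix would use the organisation's own classification. It also includes a small gap check of the kind the audit step needs.

```python
"""Worked risk classification matrix (added example; not Elements' own tool).

From the data an application processes and how it is exposed, derive the
required security level (basic / medium / high) and the controls that level
demands. All category names, scores, thresholds and control names below are
assumptions chosen for this illustration.
"""
from dataclasses import dataclass

# Impact of a breach per data category (assumed scores). Identifying and
# special-category data such as BSN and medical records score highest.
IMPACT = {
    "public": 1,
    "contact": 2,     # name, e-mail, postal address
    "financial": 3,   # IBAN, payment history
    "bsn": 4,         # Dutch citizen service number
    "medical": 4,
}

# Exposure properties that raise the likelihood of a successful attack
# (assumed weights), covering the physical, software and user domains.
LIKELIHOOD_FACTORS = {
    "internet_facing": 2,
    "third_party_integrations": 1,
    "mobile_client": 1,
    "large_user_base": 1,
    "anonymous_access": 1,
}

# Controls required per level (assumed mapping). Higher levels add the
# measures the text names: encryption at rest, MFA, PIN/biometrics, pentest.
CONTROLS = {
    "basic": ["tls_in_transit", "code_review", "dependency_scanning"],
    "medium": ["tls_in_transit", "code_review", "dependency_scanning",
               "encryption_at_rest", "mfa_for_admins"],
    "high": ["tls_in_transit", "code_review", "dependency_scanning",
             "encryption_at_rest", "mfa_for_all_users",
             "pin_or_biometric_on_device", "external_pentest"],
}


@dataclass
class Assessment:
    data_categories: list
    exposure: list
    impact: int
    likelihood: int
    level: str
    controls: list


def impact_score(data_categories):
    """Impact follows the most sensitive category, not the sum: a single BSN
    field makes the whole system high-impact. Unknown categories are an error
    so that unclassified data cannot silently score zero."""
    unknown = set(data_categories) - IMPACT.keys()
    if unknown:
        raise ValueError(f"unclassified data categories: {sorted(unknown)}")
    return max((IMPACT[c] for c in data_categories), default=0)


def likelihood_score(exposure):
    """Baseline 1 (an internal-only system still has insiders) plus the
    weight of every exposure property present."""
    unknown = set(exposure) - LIKELIHOOD_FACTORS.keys()
    if unknown:
        raise ValueError(f"unknown exposure properties: {sorted(unknown)}")
    return 1 + sum(LIKELIHOOD_FACTORS[e] for e in exposure)


def classify(impact, likelihood):
    """Matrix lookup. Impact 4 (BSN, medical) is always 'high' regardless of
    likelihood; otherwise impact x likelihood with assumed thresholds."""
    if impact >= 4:
        return "high"
    score = impact * likelihood
    if score >= 9:
        return "high"
    if score >= 4:
        return "medium"
    return "basic"


def assess(data_categories, exposure):
    """Run the full matrix for one system and return the required controls."""
    impact = impact_score(data_categories)
    likelihood = likelihood_score(exposure)
    level = classify(impact, likelihood)
    return Assessment(list(data_categories), list(exposure),
                      impact, likelihood, level, CONTROLS[level])


def missing_controls(assessment, implemented):
    """Gap list for the audit step: required controls not yet documented."""
    done = set(implemented)
    return [c for c in assessment.controls if c not in done]


if __name__ == "__main__":
    # Constructed sample: a citizen portal that processes BSN, reachable over
    # the internet and with a mobile client.
    a = assess(["contact", "bsn"], ["internet_facing", "mobile_client"])
    print(a.level, a.controls)
    print(missing_controls(a, ["tls_in_transit", "code_review"]))
```

The point of keeping impact as a maximum rather than a sum, and of rejecting unclassified categories, is that the matrix should fail closed: one overlooked BSN field must push the whole design to the highest level, and data nobody has classified must block the assessment instead of scoring as harmless.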

Elements staff (Elementeers) in a meeting around the table
“We’d like to keep things as simple as possible. Our processes, our company and our solutions”
- Erwin van Hasselt, Managing Partner at Elements

Within our development process, we apply three forms of quality control:
- Automated controls
- Code reviews
- Audits

Quality control

Automated control

Within our development process, code delivered by a developer is automatically scanned for the required quality level. We do this in a Continuous Integration (CI) environment using dedicated tooling. Among other things, this tooling scans for common mistakes, unnecessary complexity and potential security vulnerabilities, and flags the use of third-party components with known vulnerabilities.

Code reviews

Once the automated checks have accepted the quality of the change, the code is presented to a fellow developer for review. This review checks whether the solution has been realised according to our best practices and standards and does not contain any errors.

Audits

At the end of each project, an internal security audit is carried out by the security and privacy lead before the software actually goes into production. This audit determines whether our own standards have been met from design to delivery: Is all documentation in order and are all choices documented correctly? Have the automated controls been implemented correctly? Have the reviews taken place?

3rd party penetration test

We always recommend having a penetration test performed by a third party. Elements' security specialists always run their own checks, but an external view is important. External pentesters have broad experience with a variety of software and applications and are familiar with the security measures commonly applied, and with how they fail in practice. This gives organisations a realistic understanding of the vulnerability of their platform. The findings from these tests help us refine security measures and fix vulnerabilities before they can be exploited.