Software Development Newsletter: Q3 2023

Director Message

Welcome to this new Mitrais Newsletter. The world can be complicated in 2023, and there are always tests to be met and passed. We are always excited to see how our staff and clients continuously adapt to these tests and succeed. In this issue we look at three differing examples of how talented people and organisations identify obstacles, and overcome them through planning, application and innovation.

One of the challenges these days is that many people now need to navigate life managing specific dietary requirements. Whether those requirements are as a result of specific medical needs, religious adherence or lifestyle choices, everyone deserves to be able to make appropriate choices. This month’s Featured Client is FoodMe. Starting in 2012, FoodMe’s mission statement is to allow customers to connect with vendors and dining establishments in their areas who offer exactly what they are looking for with the minimum of fuss, and they are doing just that right now. Read about their journey in this issue.

This issue’s Feature Employee is Olivia, one of Mitrais’ talented Analysts. Balancing her steady progress in the dynamic software development industry with the demands of being a mother and having a life isn’t always a simple juggling act, but Olivia is living proof that it can not only be done, but done very well. We’re sure you’ll find her story inspirational and uplifting.

Barely a day goes by now when there isn’t an alarming news item about a security incident on the Web, so it’s more important than ever that security of Web Applications be “baked in” to new projects and treated seriously. Fortunately, Mitrais is a leader in the design and testing of such applications, and has world-recognised credentials in this area. In this issue’s White Paper, you can learn about how Web solutions crafted by Mitrais with our clients are constantly assessed and strengthened through targeted Penetration Testing and how this can protect you and your clients. It’s an important topic, and we are sure you will find it interesting.

Enjoy this newsletter, and as always, we wish you all continued health and prosperity for now and the future.

Partnering for Success: FoodMe's Path to Reliable Solutions

The Background

FoodMe kicked off in 2021 with the idea of enabling people with specific dietary requirements to more easily connect with vendors providing suitable offerings. With more and more people these days identifying specific dietary preferences, whether for medical reasons (coeliacs, allergy sufferers, particular intolerances etc), religious mandates (Halal, pork-free etc) or lifestyle choices (vegetarian, vegan, paleo and so on), it was clear that a latent demand existed that was, as yet, unsatisfied. This was the spur for Michael Cerbara, CEO and co-founder of FoodMe, and his colleagues to address this demand.

The Challenge

While customers seeking a local dining experience are well serviced by traditional search engines and advertising, those looking to narrow the range to cafes and restaurants that offer options to those with specific requirements found little assistance. Most venues have vegetarian options these days, and some have gluten-free offerings, but few can promote their range directly to this market. At FoodMe, Michael and his team have taken on the challenge from both ends.

By encouraging venues that actively cater to those with special dietary requirements to promote this as a differentiator to consumers to whom this is an important consideration, there is an obvious marketing win. A venue that, for instance, hosts a regular Vegetarian Night has a great opportunity to promote it to an engaged audience.

Equally, for diners looking to identify a venue that offers a more interesting menu to friends and family with particular needs than the standard fare, FoodMe offers a quick and simple way of searching for and finding local cafes and restaurants that cater to everyone in their dining party, regardless.

The Solution

To achieve this connection between diners and venues, FoodMe needed a simple way for customers to identify their dietary preferences, their locale, and quickly display details of those offering appropriate fare. Michael and his team settled on an optimised web application that allowed customers to register and retain their dietary preferences and perform geographical searches for suitable vendors.

Recently the FoodMe site has expanded beyond just finding suitable bars, restaurants and cafes to include a marketplace where FoodMe members can also find delicious homemade food that meets their requirements and can be delivered directly to their homes.

Having had significant experience with partnering with off-shore and near-shore software development providers, Michael had some very specific attributes that he was looking for. As well as demonstrated expertise in developing quality solutions using the chosen technology stack (in this case ReactJS and AWS for the front end, and TypeScript for the back end), Michael wanted to have confidence in his partner. “As well as technical skills, I was focussed on finding a partner who could offer our company peace of mind through having quality operating procedures” Michael said. “We see Mitrais’ commitment to proper staff vetting, training and development for our team members as providing an “insurance policy” for FoodMe. It allows us to move forward knowing that there are guarantees around how our projects are delivered for us and our clients – and it’s working for us”.

Web Application Penetration Testing: Uncovering Vulnerabilities and Strengthening Security

Abstract

This white paper explores the art of penetration testing as a strategic approach to identify vulnerabilities and enhance defence mechanisms. It delves into advanced techniques for vulnerability identification, such as manual code review, business logic flaw detection, and exploiting misconfigurations. The paper also sheds light on exploitation and post-exploitation tactics, emphasizing privilege escalation, injection attacks, and session hijacking. Furthermore, it underscores the pivotal role of clear and comprehensive reporting, risk assessment, and prioritization to translate technical findings into actionable insights, empowering organizations to fortify their security measures and navigate the dynamic landscape of cybersecurity with confidence.

1. Introduction

In an interconnected world driven by technology, web applications still play important roles in the sharing of information, communication, and conducting business. From e-commerce platforms to social networking sites, these dynamic and user-friendly interfaces have become an integral part of our daily lives. However, the very features that make web applications accessible and engaging also present potential vulnerabilities that can be exploited by malicious actors. As the digital landscape continues to expand, the imperative to ensure the security and integrity of these applications has never been more crucial.

Web application penetration testing, often regarded as a cyber guardian’s craft, plays a pivotal role in identifying, assessing, and mitigating these vulnerabilities. This proactive and methodical approach simulates real-world attacks on web applications, allowing organizations to reveal weaknesses before they are exploited by attackers. As technology advances and cyber threats become more sophisticated, the potential impact of a web application breach can be devastating. Confidential user data, proprietary business information, and even critical infrastructure can be compromised, leading to financial losses and irreparable damage to an organization’s reputation.

Web application penetration testing is not simply about uncovering security flaws; it is a strategic and systematic approach aimed at achieving several key objectives. Beyond vulnerability identification, its goals encompass understanding an application’s attack surface, evaluating its defensive mechanisms, and assessing the overall resilience of the application under various threat scenarios. By achieving these objectives, organizations can confidently support their security posture and maintain a proactive stance against potential breaches.

2. Web Application Architecture and Attack Surface

The Anatomy of Web Application Architecture

Web application architecture comprises a multifaceted ecosystem of interconnected components, each serving a different purpose in facilitating user interactions and data processing. Key elements include front-end interfaces, application servers, databases, APIs (Application Programming Interfaces), and external integrations. Understanding the role of each component is important in comprehending the potential vulnerabilities that may arise.

  1. Front-End Interfaces
    The user’s interaction with a web application begins at the front-end interface, where content is presented, and user actions are initiated. Modern front-end technologies, such as JavaScript frameworks and responsive design, enhance user experiences. However, the reliance on client-side scripting introduces the risk of Cross-Site Scripting (XSS) attacks, where malicious scripts are injected into web pages to compromise user data or initiate unauthorized actions.
  2. Application Servers
    Behind the scenes, application servers process user requests, manage business logic, and generate dynamic content. Flaws in server-side scripting can lead to vulnerabilities like Remote Code Execution (RCE) and SQL Injection, enabling attackers to execute arbitrary code or manipulate database queries to gain unauthorized access.
  3. Databases
    Storing and retrieving data is a core function of web applications. Inadequate security configurations, weak authentication mechanisms, or improper input validation can expose databases to attacks like SQL Injection and Data Leakage, granting unauthorized access to sensitive information.
  4. APIs
    APIs facilitate communication and data exchange between different components, both within and outside the application. Insufficient authentication and authorization mechanisms in APIs can lead to unauthorized data exposure, while broken access controls might enable attackers to manipulate or access restricted resources.
  5. External Integrations
    Web applications often rely on third-party services and libraries to enhance functionality. However, these integrations can introduce vulnerabilities if not thoroughly checked. Unpatched or insecure dependencies may create openings for attacks such as Supply Chain Attacks, where attackers compromise the application through its trusted external components.

Expanding the Attack Surface

The interconnectedness of web application components not only enables seamless functionality but also expands the potential attack surface. As the attack surface grows, the avenues through which attackers can exploit vulnerabilities become more diverse and complex.

  1. Attack Vector Diversification
    Each component, from front-end scripts to external integrations, offers a potential entry point for attackers. Vulnerabilities in one area can be leveraged to exploit weaknesses in another, creating a domino effect of compromise.
  2. Intercomponent Communication Vulnerabilities
    Flaws in communication between components, such as insecure data transmission or improper data sanitization, can enable attackers to intercept or manipulate sensitive information.
  3. Third-Party Dependencies
    While external integrations enhance functionality, they also introduce a degree of dependency and risk. Insecure or unpatched third-party libraries can be exploited to gain unauthorized access or execute arbitrary code within the application.
  4. User-Generated Content
    Interactive elements, such as user-generated content or input fields, offer potential avenues for attacks like Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF), where malicious actions are initiated through the unsuspecting user’s browser.

3. Methodologies and Approaches

In the ever-evolving landscape of cybersecurity, the significance of conducting thorough and systematic web application penetration testing cannot be overstated. To effectively uncover vulnerabilities, assess risks, and fortify digital assets, security professionals employ established methodologies that provide a structured approach to the testing process. This section covers two prominent methodologies, the Open Web Application Security Project (OWASP) Testing Guide and the Penetration Testing Execution Standard (PTES), and then explains the systematic sequence of activities that defines a comprehensive web application penetration test.

a. Open Web Application Security Project (OWASP) Testing Guide

The Open Web Application Security Project (OWASP) Testing Guide is a comprehensive resource that provides guidance and best practices for conducting web application security testing. Developed by a community of security professionals and experts, the OWASP Testing Guide aims to help organizations identify and mitigate vulnerabilities in their web applications. It offers a structured approach to testing that covers various aspects of security, from initial planning to reporting.

Key Features and Components of the OWASP Testing Guide:

  1. Introduction and Objectives: It begins with an introduction that outlines its purpose and objectives. It emphasizes the importance of web application security testing in today’s threat landscape.
  2. Testing Phases and Domains: The guide is organized into various testing phases, each focusing on a specific aspect of web application security. These phases provide a structured approach to conducting assessments and ensure that all critical areas are covered. Some of the key testing domains include Information Gathering, Configuration and Deployment Management Testing, Authentication Testing, Authorization Testing, Session Management Testing, Input Validation Testing, Error Handling and Logging Testing, Cryptography Testing, Business Logic Testing, Client-Side Testing, API Testing, and Mobile Testing.
  3. Testing Techniques: For each listed domain, the guide provides detailed explanations of testing techniques, methodologies, and tools that can be employed. It offers practical guidance on how to identify and exploit vulnerabilities in each area.
  4. Checklists and Examples: The OWASP Testing Guide includes checklists and examples that testers can follow during assessments. These resources help testers ensure that they cover all relevant aspects and identify potential issues.
  5. Reporting: The guide emphasizes the importance of clear and actionable reporting. It provides guidance on how to document findings, vulnerabilities, and recommendations in a way that is understandable for both technical and non-technical stakeholders.

b. Penetration Testing Execution Standard (PTES)

The Penetration Testing Execution Standard (PTES) is a comprehensive framework that provides guidelines and best practices for conducting penetration tests in a systematic and organized manner. It was developed to ensure that penetration testing efforts are consistent, thorough, and effective across different environments and industries. PTES emphasizes not only the technical aspects of penetration testing but also the processes, methodologies, and documentation required for a successful assessment.

PTES is organized into several domains, each representing a distinct phase or aspect of the penetration testing process. These domains ensure that all relevant aspects of security assessment are covered, from initial planning to post-assessment activities. There are 7 main domains of PTES:

  1. Pre-Engagement Interaction
  2. Intelligence Gathering
  3. Threat Modelling
  4. Vulnerability Analysis
  5. Exploitation
  6. Post Exploitation
  7. Reporting

c. Systematic Approach to Web Application Penetration Testing

A successful web application penetration test follows a systematic sequence of activities, allowing testers to methodically uncover vulnerabilities and assess their impact. This approach enhances the reliability and reproducibility of the results while minimizing the risk of oversight. The key phases of a systematic web application penetration test include:

  1. Reconnaissance: Gathering information about the target application, including its architecture, technologies, and potential entry points for exploitation.
  2. Vulnerability Scanning: Employing automated tools to identify known vulnerabilities, misconfigurations, and weaknesses in the application’s code and infrastructure.
  3. Manual Testing: Conducting in-depth manual testing to identify vulnerabilities that automated tools might overlook. This includes analysing input validation, authentication mechanisms, authorization controls, and other critical components.
  4. Exploitation: Attempting to exploit identified vulnerabilities to determine their impact and assess the extent of potential damage.
  5. Post-Exploitation Analysis: Analysing the consequences of successful exploitation, including data access, privilege escalation, and potential pivot points within the network.
  6. Reporting: Documenting findings, vulnerabilities, and potential risks in a comprehensive report that provides clear recommendations for remediation.

4. Advanced Vulnerability Identification

The relentless evolution of cyber threats demands a proactive and sophisticated approach to vulnerability identification. While basic scanning tools play a crucial role in initial assessments, they often fall short when it comes to uncovering complex vulnerabilities deeply embedded within the application’s framework. This section delves into advanced techniques that transcend the limitations of automated tools, shedding light on manual code review, identifying elusive business logic flaws, exploiting misconfigurations, unmasking insecure access controls, and scrutinizing the complexities of session management mechanisms.

a. Manual Code Review: Unveiling the Code’s Secrets

While automated scanners can efficiently identify common vulnerabilities, the complexities of custom-coded applications often elude their scrutiny. Manual code review, conducted by experienced security experts, involves a meticulous examination of the application’s source code. This process allows for the identification of vulnerabilities that may not be apparent through automated means, such as logic flaws, hard-coded credentials, and potential backdoors. By understanding the code’s underlying architecture and intricacies, manual code review serves as a powerful technique for unearthing vulnerabilities unique to each application.

b. Identifying Business Logic Flaws: Unmasking the Unintended Consequences

Beyond technical vulnerabilities, business logic flaws represent a realm where automated tools falter. These vulnerabilities arise from misconfigurations or gaps in an application’s underlying logic, potentially leading to unauthorized actions or data exposure. Advanced penetration testers engage in comprehensive scenario-based testing, meticulously examining the application’s workflows, transaction flows, and interactions to identify deviations from intended behaviour. By emulating real-world user interactions, testers uncover subtle vulnerabilities that could undermine the application’s integrity and security.

c. Exploiting Misconfigurations: Turning Oversight into Opportunity

Misconfigurations, often lurking in plain sight, can offer a gateway to a web application’s vulnerabilities. Penetration testers adept in advanced techniques exploit these misconfigurations to reveal potential avenues of attack. These may include exposed sensitive files, improper permissions, or weak default settings. By capitalizing on misconfigurations, testers showcase how seemingly innocuous oversights can culminate in critical security breaches.

d. Identifying Insecure Access Controls: Peering Beyond the Perimeter

Web applications often rely on access controls to safeguard sensitive data and functionality. Yet, inadequately enforced or improperly configured access controls can render these defences ineffective. Advanced penetration testers examine these controls, meticulously probing for discrepancies between intended access levels and actual permissions granted. By skilfully navigating the application’s user roles, testers unveil vulnerabilities that might grant unauthorized access or escalate privileges, highlighting the gravity of robust access control mechanisms.

e. Analysing Session Management Mechanisms: Peering Into the User’s Digital Identity

Session management mechanisms govern user interactions within web applications, influencing authentication, authorization, and data protection. Advanced testers focus on researching these mechanisms, searching for vulnerabilities like session fixation, session hijacking, and token manipulation. By simulating attacks that target user sessions, testers expose the potential for unauthorized access or account takeover, underscoring the necessity of fortified session management.

5. Exploitation and Post-Exploitation Techniques

The discovery of vulnerabilities is just the beginning. Equally crucial is the exploration of the potential impact these vulnerabilities may have when exploited by malicious actors. This section delves into the art of exploitation, where advanced techniques are employed to leverage identified vulnerabilities, along with the consequential post-exploitation activities that unfold once an initial foothold is established.

a. Privilege Escalation: Ascending the Hierarchy

Privilege escalation is the art of leveraging vulnerabilities to elevate unauthorized access to higher privilege levels within an application or system. This technique showcases the potential fallout of unaddressed access control vulnerabilities. By exploiting weak authentication mechanisms, flawed authorization protocols, or misconfigurations, attackers can infiltrate deeper into an application’s infrastructure. Privilege escalation demonstrates the dire consequences of overlooking these critical security measures, emphasizing the importance of stringent access controls and robust user authentication.

b. Injection Attacks: Penetrating the Digital Veil

Injection attacks, such as SQL Injection or Command Injection, expose the weakness of insecure input handling. By maliciously injecting code or commands, attackers exploit vulnerabilities to manipulate databases, execute unauthorized operations, and potentially take control of the entire application. Demonstrating the impact of injection vulnerabilities underscores the significance of thorough input validation, parameterized queries, and secure coding practices to prevent these insidious attacks.

c. Cross-Site Scripting (XSS): Breaching the User’s Trust

XSS is a tactic where attackers compromise users’ browsers to steal information or launch further attacks. Through carefully crafted scripts injected into web pages, attackers gain control over user sessions and sensitive data. By simulating XSS attacks, testers unveil the risk of session hijacking and data exposure, urging developers to implement robust input validation, output encoding, and secure coding practices to safeguard user interactions.

d. Cross-Site Request Forgery (CSRF): Manipulating Trust

CSRF exploits users’ inherent trust in the websites they visit, tricking them into executing unauthorized actions. By sending manipulated requests from a legitimate user’s browser, attackers can perform actions on behalf of the user without their consent. Testing for CSRF vulnerabilities underscores the need for robust anti-CSRF tokens and user awareness to counteract this deceitful manipulation.
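One way to implement the anti-CSRF tokens mentioned above, as an added example that is not code from the white paper: a token is an HMAC over the session ID, an issue time and a nonce, so a request built on another site cannot supply a valid one. The function names, the key handling and the one-hour lifetime are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Assumption: one secret per deployment, loaded from configuration in practice.
SERVER_KEY = secrets.token_bytes(32)
TOKEN_MAX_AGE = 3600  # seconds; illustrative value
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def _mac(session_id, issued, nonce):
    # The session ID is server-generated here, so it never contains "|".
    message = "|".join((session_id, issued, nonce)).encode()
    return hmac.new(SERVER_KEY, message, hashlib.sha256).hexdigest()


def issue_csrf_token(session_id, now=None):
    """Return a token bound to this session, for embedding in forms or headers."""
    issued = str(int(time.time() if now is None else now))
    nonce = secrets.token_urlsafe(16)
    return ".".join((issued, nonce, _mac(session_id, issued, nonce)))


def verify_csrf_token(session_id, token, now=None):
    """Accept only a well-formed, unexpired token issued for this session."""
    if not isinstance(token, str):
        return False
    parts = token.split(".")
    if len(parts) != 3:
        return False
    issued, nonce, mac = parts
    if not (issued.isascii() and issued.isdigit()):
        return False
    expected = _mac(session_id, issued, nonce)
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False
    age = (time.time() if now is None else now) - int(issued)
    return 0 <= age <= TOKEN_MAX_AGE


def handle_request(method, session_id, submitted_token, now=None):
    """Hypothetical request gate: state-changing methods need a valid token."""
    if method.upper() in SAFE_METHODS:
        return 200
    if verify_csrf_token(session_id, submitted_token, now=now):
        return 200
    return 403


if __name__ == "__main__":
    token = issue_csrf_token("session-A")
    print("same session:", handle_request("POST", "session-A", token))
    print("other session:", handle_request("POST", "session-B", token))
    print("no token:", handle_request("POST", "session-A", None))
```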

e. Session Hijacking: Seizing Digital Identity

Session Hijacking techniques reveal vulnerabilities within session management mechanisms, allowing attackers to take control of authenticated user sessions. Attackers can exploit weak session tokens, session fixation, or session prediction to gain unauthorized access to an application. Demonstrating session hijacking highlights the critical importance of securing session management through techniques such as token-based authentication, secure session storage, and frequent session rotation.
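The session controls named above (unpredictable tokens, secure session storage and rotation), sketched as an added example that is not code from the white paper. `SessionStore`, its method names and the timeout values are hypothetical, and an in-memory dictionary stands in for a real session backend.

```python
import hashlib
import secrets
import time

IDLE_TIMEOUT = 15 * 60          # seconds without activity; illustrative value
ABSOLUTE_TIMEOUT = 8 * 60 * 60  # maximum session lifetime; illustrative value


class SessionStore:
    """Hypothetical in-memory store; a real one would use a database or cache."""

    def __init__(self):
        self._by_hash = {}

    @staticmethod
    def _key(session_id):
        # Only a hash is stored, so a leaked store does not reveal usable IDs.
        return hashlib.sha256(session_id.encode()).hexdigest()

    def _new(self, user, now):
        session_id = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._by_hash[self._key(session_id)] = {
            "user": user, "created": now, "last_seen": now}
        return session_id

    def start_anonymous(self, now=None):
        """Issue a pre-login session (for example to hold a shopping cart)."""
        return self._new(None, time.time() if now is None else now)

    def login(self, old_session_id, user, now=None):
        """Rotate on privilege change so a pre-login ID cannot be reused."""
        now = time.time() if now is None else now
        if isinstance(old_session_id, str):
            self._by_hash.pop(self._key(old_session_id), None)
        return self._new(user, now)

    def lookup(self, session_id, now=None):
        """Return a copy of the session record, or None if unknown or expired."""
        now = time.time() if now is None else now
        if not isinstance(session_id, str):
            return None
        key = self._key(session_id)
        record = self._by_hash.get(key)
        if record is None:
            return None
        if (now - record["last_seen"] > IDLE_TIMEOUT
                or now - record["created"] > ABSOLUTE_TIMEOUT):
            del self._by_hash[key]
            return None
        record["last_seen"] = now
        return dict(record)

    def logout(self, session_id):
        """Invalidate the session on the server, not only in the browser."""
        if isinstance(session_id, str):
            self._by_hash.pop(self._key(session_id), None)


if __name__ == "__main__":
    store = SessionStore()
    before = store.start_anonymous()
    after = store.login(before, "alice")
    print("pre-login ID still valid:", store.lookup(before) is not None)
    print("post-login user:", store.lookup(after)["user"])
```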


Post-Exploitation Activities: Expanding Influence and Impact

Once initial exploitation occurs, adversaries embark on post-exploitation activities to maintain control and escalate their impact:

  1. Lateral Movement: Attackers pivot within the network, moving laterally from one compromised system to another, often leveraging stolen credentials and vulnerabilities to escalate privileges and expand their presence.
  2. Data Exfiltration: Attackers seek to extract sensitive data from compromised systems, employing various techniques to stealthily transmit information, highlighting the need for robust data loss prevention mechanisms.
  3. Persistence: Attackers establish mechanisms to maintain access even after initial compromise, ensuring their foothold endures through the use of backdoors, rootkits, or hidden persistence mechanisms.

6. Reporting and Risk Assessment

Within the domain of web application penetration testing, the Reporting and Risk Assessment phase serves as the bridge where technical revelations evolve into actionable insights. This crucial stage empowers organizations to bridge the gap between vulnerabilities identified and fortified resilience. This section underscores the indispensable role of clear and comprehensive penetration testing reports, delving into the crucial components that constitute an effective report. These components encompass vulnerability descriptions, exploit scenarios, risk ratings, and actionable recommendations for remediation. The significance of risk assessment and the strategic prioritization of vulnerabilities based on their potential impact are also the top considerations in this transformative process.

Importance of Clear and Comprehensive Penetration Testing Reports: Guiding the Path Forward

Penetration testing reports act as beacons, illuminating the way forward in an organization’s journey toward fortified security. They filter technical complexities into accessible insights that resonate with stakeholders across departments, ensuring a unified understanding of vulnerabilities and the imperatives for action. These reports form the bedrock for informed decision-making, influencing resource allocation, mitigation strategies, and continuous improvement.

Key Elements of an Effective Report: Weaving Insights into Actionable Roadmaps

  1. Vulnerability Description: These concise narratives offer a panoramic view of each vulnerability, encapsulating its nature, point of origin, and potential implications. Vulnerability descriptions briefly deliver the essence of the security flaw to both technical and non-technical stakeholders.
  2. Exploit Scenarios: By crafting clear scenarios, penetration testers provide examples of how each vulnerability could be exploited by malicious actors. These scenarios offer a tangible picture of potential breaches, facilitating a deeper understanding of the risks at hand.
  3. Risk Rating: The assignment of risk ratings quantifies the potential impact of vulnerabilities. This multidimensional assessment encompasses factors such as the probability of exploitation, the extent of potential damage, compliance implications, and potential financial loss. Risk ratings lay the foundation for prioritization and resource allocation.
  4. Actionable Recommendations: The heart of the report lies in actionable recommendations that describe a roadmap for fixing the vulnerabilities. These recommendations outline practical steps for immediate mitigation, as well as long-term strategies for sustained security enhancement.

Significance of Risk Assessment

Risk assessment paints a comprehensive portrait of an organization’s web application vulnerabilities, enabling stakeholders to grasp the extent and implications of potential breaches. By categorizing vulnerabilities based on risk, organizations strategically allocate resources to address the most severe threats. This tactical approach ensures efficient and effective mitigation efforts.

Risk assessment guides decisions related to risk acceptance, mitigation strategies, and the allocation of budgets and manpower. Stakeholders gain a nuanced understanding of vulnerabilities’ potential impact, facilitating informed choices.

Prioritizing Vulnerabilities

  1. Vulnerabilities with high potential for severe consequences and notable risk ratings demand immediate attention. These vulnerabilities carry the capacity to inflict substantial damage to an organization’s digital assets and reputation.
  2. Vulnerabilities that are easily exploitable or offer attackers significant leverage in control or data access warrant swift remediation efforts.
  3. Vulnerabilities that intersect with regulatory compliance requirements require prompt attention to avoid legal and financial consequences.
  4. Vulnerabilities that could result in unauthorized access to sensitive data or provide a steppingstone for network compromise should be prioritized.
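Risk rating and prioritization carried through on sample findings, as an added example that is not part of the white paper. The paper names no scoring scheme, so this assumes the 0 to 9 factor scale and the likelihood/impact severity matrix of the OWASP Risk Rating Methodology; the findings, their scores and the tie-break order are constructed for illustration.

```python
# OWASP Risk Rating Methodology: factor scores run from 0 to 9 and are
# averaged into one likelihood score and one impact score per finding.
def level(score):
    """Map a 0-9 score onto the methodology's LOW / MEDIUM / HIGH bands."""
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


# (likelihood level, impact level) -> overall severity
SEVERITY_MATRIX = {
    ("LOW", "LOW"): "Note", ("MEDIUM", "LOW"): "Low", ("HIGH", "LOW"): "Medium",
    ("LOW", "MEDIUM"): "Low", ("MEDIUM", "MEDIUM"): "Medium",
    ("HIGH", "MEDIUM"): "High",
    ("LOW", "HIGH"): "Medium", ("MEDIUM", "HIGH"): "High",
    ("HIGH", "HIGH"): "Critical",
}
SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Note": 0}


def overall_severity(likelihood, impact):
    """Combine the two scores into one severity label."""
    return SEVERITY_MATRIX[(level(likelihood), level(impact))]


def rate(finding):
    """Average the factor scores and attach the resulting severity."""
    likelihood = sum(finding["likelihood_factors"]) / len(finding["likelihood_factors"])
    impact = sum(finding["impact_factors"]) / len(finding["impact_factors"])
    return {**finding, "likelihood": likelihood, "impact": impact,
            "severity": overall_severity(likelihood, impact)}


def prioritize(findings):
    """Order findings: severity first, then compliance relevance, then
    ease of exploitation (likelihood), then impact."""
    rated = [rate(f) for f in findings]
    return sorted(rated, key=lambda f: (-SEVERITY_RANK[f["severity"]],
                                        not f["compliance"],
                                        -f["likelihood"], -f["impact"]))


# Constructed findings with constructed scores, for illustration only.
FINDINGS = [
    {"title": "Missing anti-CSRF token on profile update",
     "likelihood_factors": [6, 5, 4], "impact_factors": [5, 4, 3],
     "compliance": False},
    {"title": "Verbose error pages",
     "likelihood_factors": [7, 6, 8], "impact_factors": [2, 1, 3],
     "compliance": False},
    {"title": "SQL injection in search",
     "likelihood_factors": [8, 7, 9], "impact_factors": [9, 8, 7],
     "compliance": True},
    {"title": "Weak password policy on admin accounts",
     "likelihood_factors": [3, 4, 5], "impact_factors": [5, 5, 5],
     "compliance": True},
    {"title": "Session ID not rotated at login",
     "likelihood_factors": [4, 5, 3], "impact_factors": [7, 8, 6],
     "compliance": False},
]

if __name__ == "__main__":
    for position, f in enumerate(prioritize(FINDINGS), start=1):
        print(position, f["severity"].ljust(8), f["title"])
```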

7. Conclusion

In a digital landscape where web applications serve as the core of modern communication and commerce, the importance of web application penetration testing cannot be overstated. This process, rooted in proactive assessment and ethical hacking, empowers organizations to identify vulnerabilities, assess risks, and fortify their digital assets. As we dig deeper into the complexity of web application penetration testing, we embark on a journey to not only understand the complexities of securing web applications but also to develop a proactive cybersecurity culture that safeguards the digital foundations of our interconnected world.

Olivia Meydina Ayu Wardani: The Art of Continuous Self-Improvement

Today we are introduced to Olivia Meydina Ayu Wardani (Olivia), one of Mitrais’ experienced Analysts. Growing up in her hometown of Tulungagung in East Java, Olivia completed her schooling there and then ventured more than 600km to the prestigious Telkom University in Bandung.

She successfully completed her Bachelor of Information Technology there, planning to use her degree to secure a job in Jakarta. Applying for positions there, Olivia quickly felt overwhelmed by the size and pace of the capital, and decided to look for a career in the Bandung area where she was more comfortable. It was here that she found Mitrais more than 9 years ago. “It was like finding a gem for me” she says. “I would get to work in Bali initially – a perfect escape (who doesn’t want to go to the beach after work?)”.

It was a big change, but joining with a group of other fresh graduates meant being part of a new group of friends, learning, working and playing together. Since then, Olivia has been involved with many client projects giving her a great range of experience, and allowing her to grow her career within Mitrais. Working on such a variety of projects can bring challenges, of course. “On some projects, there are some older technologies,” she says, “and I sometimes worried that my skills may become degraded. But Mitrais’ Competency Development Centre (CDC) has my back, keeping my skillset up to date on rapidly evolving technologies through a constant range of training programs and certifications. This has always made moving between projects easier. After 9 years, I feel like an updated version of myself, now working with a Melbourne-based client in a senior role” she says.

Other things have changed for Olivia as well. Becoming a mother and relocating to Mitrais’ Yogya office has brought other challenges. “Joining Mitrais has allowed me the opportunity to have a great balance between work life and being a mother of 2” she says. “Everyone talks about work/life balance, but in Mitrais it is not a myth – and I love it! Time management is clearly the most important skill to develop, but my work with Mitrais allows me time to have a fulfilling career and still have time to play with my children, have hobbies after work and not feel overworked. Mitrais offers the opportunity for my family and me to be part of the company. My kids are welcome at social club events and company-organised sports events and retreats. They love that! I feel that I am growing with Mitrais, not only in my career, but personally as well.”

Software Engineering is a volatile and dynamic environment. So how does Olivia stay ahead? “Keeping up with technology is always a big challenge in this industry,” Olivia says. “It is always evolving rapidly. Just as you master one technology, another is released. But Mitrais always offers me the chance to improve myself. The range of training available means that, should I want to learn something new or extend my knowledge on something I already know, I can simply request training and it can be provided. Added to this, there are so many opportunities to work with Mitrais clients using different skills that I feel that I am constantly improving. I experience so many different industries and people, and it’s great”.

So, what is Olivia’s verdict on a career in Mitrais? “Mitrais gives me the opportunity to work on interesting projects, and to study, enhance or even restart my skills as I want to. Continuous development like this keeps me pumped to keep going, and ensures that I am never bored. And if I ever feel tired or overwhelmed by all of this learning, there are so many Mitrais social clubs and activities available to give me quality downtime. That balance makes Mitrais the best place to work – for me at least!”

We agree, Olivia, and we look forward to many more years working with you.