Code Review and Pentesting in 7 Days to Prevent Critical Issues Before App Launch
Customer
The Customer is an award-winning European IT company that develops tax and accounting products. These solutions are designed to facilitate tax return and corporate tax computation processes, and provide the Customer’s clients with the opportunity to file taxes digitally.
Challenge
The Customer was interested in ensuring a high protection level of their cloud-based application for tax returns before offering it to their clients. Therefore, they turned to ScienceSoft to get automated and manual source code reviews and penetration testing of their product before its release.
Solution
ScienceSoft’s security testing team had 7 days to perform source code reviews and penetration testing required by the Customer. The major objective was to reveal if attackers could access the clients’ sensitive data stored in the Customer’s cloud.
An automated source code review was carried out with IBM Application Security on Cloud, while ScienceSoft’s solution architect conducted a manual source code review. Combining manual and automated checks gave the security engineers an in-depth understanding of the critical issues found in the source code of the Customer’s cloud application. Exploitation of the identified weaknesses could disrupt the application’s operation, compromise the security of the data stored in the cloud and lead to leakage of data such as users’ passwords.
Upon completing the source code reviews, the security testing team drew up a list of the issues, each with a detailed description and the measures recommended to correct it.
ScienceSoft’s security engineers then conducted penetration testing, during which the security testing team found the Customer’s cloud application susceptible to:
- Misconfigured cross-origin resource sharing (CORS).
- Brute-force attacks.
- Decryption of users’ passwords held in temporary storage.
- Phishing attacks (via redirects to external websites).
The security testing team revealed a range of vulnerabilities of different severity levels. The security engineers defined the following corrective measures to deal with them:
- Configuring the domain policy that governed access to the resources of the Customer’s cloud app and the server.
- Limiting the number of failed login attempts.
- Using a secret storage that kept the passwords encrypted even while they were held in temporary storage.
- Ensuring that the cloud app and the server controlled the links through which users could be redirected to potentially malicious websites.
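As an added illustration (not code from ScienceSoft or from the Customer’s application, whose source is not shown here), the following Python sketches three of the corrective measures above: an exact-match origin allowlist for the CORS policy, a failed-login limiter that locks an account after a number of failures within a time window, and a redirect-target check that only permits same-site paths or an allowlisted host. The origins, hosts and thresholds are hypothetical values chosen for the example.

```python
import time
from collections import defaultdict
from urllib.parse import urlparse

# Hypothetical allowlists; a real deployment would load these from configuration.
ALLOWED_ORIGINS = {"https://app.example.com", "https://portal.example.com"}
ALLOWED_REDIRECT_HOSTS = {"app.example.com"}


def cors_allow_origin(request_origin):
    """Return the value for Access-Control-Allow-Origin, or None to omit the header.

    Only an exact allowlist match is echoed back; the request's Origin is never
    reflected blindly and '*' is never used, so a foreign site cannot read
    authenticated responses from the app."""
    if request_origin in ALLOWED_ORIGINS:
        return request_origin
    return None


class LoginAttemptLimiter:
    """Locks an account after max_attempts failures within window_seconds.

    The clock is injectable so the behaviour can be tested deterministically."""

    def __init__(self, max_attempts=5, window_seconds=300, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.clock = clock
        self.failures = defaultdict(list)  # user -> timestamps of recent failures

    def _prune(self, user, now):
        # Drop failures that fall outside the sliding window.
        self.failures[user] = [t for t in self.failures[user] if now - t < self.window]

    def is_locked(self, user):
        now = self.clock()
        self._prune(user, now)
        return len(self.failures[user]) >= self.max_attempts

    def record_failure(self, user):
        now = self.clock()
        self._prune(user, now)
        self.failures[user].append(now)

    def record_success(self, user):
        self.failures.pop(user, None)


def attempt_login(limiter, user, password, check_password):
    """Return 'locked', 'ok' or 'denied'. A locked account is refused even
    with the right password, which is what defeats online brute force."""
    if limiter.is_locked(user):
        return "locked"
    if check_password(user, password):
        limiter.record_success(user)
        return "ok"
    limiter.record_failure(user)
    return "denied"


def safe_redirect_target(target, default="/"):
    """Return target only if it is a same-site path or an allowlisted https
    host; otherwise fall back to default. This closes the open-redirect
    hole that phishing pages rely on."""
    if not target:
        return default
    # Scheme-relative URLs ('//evil.example') and backslash variants are
    # interpreted as external by browsers, so reject them outright.
    if target.startswith("//") or "\\" in target:
        return default
    parsed = urlparse(target)
    if parsed.scheme == "" and parsed.netloc == "" and target.startswith("/"):
        return target
    if parsed.scheme == "https" and parsed.hostname in ALLOWED_REDIRECT_HOSTS:
        return target
    return default


if __name__ == "__main__":
    limiter = LoginAttemptLimiter(max_attempts=3, window_seconds=60)
    for _ in range(3):
        attempt_login(limiter, "alice", "guess", lambda u, p: False)
    print(attempt_login(limiter, "alice", "right", lambda u, p: True))  # locked
    print(safe_redirect_target("https://app.example.com@evil.example/"))  # /
```

The limiter keeps per-user state in memory for clarity; behind a load balancer the same counters would live in a shared store so that an attacker cannot reset the count by hitting a different node. The fourth measure, keeping passwords encrypted in temporary storage, depends on the secret store the Customer chose and is not reproduced here.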
Results
The Customer received the list of vulnerabilities revealed during the source code reviews and penetration testing of their cloud application for tax returns, together with direct recommendations and corrective measures to implement in order to improve the security of the app before placing it on the market and offering it to their clients. Resolving the issues revealed by ScienceSoft’s security testing team would ensure a high protection level for the clients’ sensitive data stored in the Customer’s cloud.
Technologies and Tools
Metasploit, Wireshark, OpenVAS, Nessus, Burp Suite, w3af