Pentesting for Apifonica to Enhance Web Applications and IT Network Security
ScienceSoft conducted black box, white box, and gray box penetration testing of the IT network and web apps, as well as an email phishing campaign for a smart communication solutions vendor. As a result, the Customer was able to enhance their IT security posture and ensure their clients’ data protection as required by GDPR and ISO 27001.
Apifonica is a smart communication technology vendor headquartered in Estonia. Operating in 9 countries across Europe, they power businesses with automated solutions for fast and cost-effective communication with customers: smart voicebots, SMS, and global telephony. Apifonica’s products help their clients optimize business processes, achieve higher lead generation and conversion and increase customer satisfaction.
Aiming to improve their cyber defense and protect their clients’ data according to GDPR and ISO 27001, Apifonica wanted to test their IT network, the web applications used to support their internal processes, and their software products to reveal and eliminate potential security gaps. They were looking for a reliable security testing provider that could be physically present in the EU during the project. With 19 years in cybersecurity, a vast security testing portfolio, offices in the EU, ISO 27001 certification, and working experience with GDPR compliance, ScienceSoft fully met Apifonica’s vendor selection criteria.
Penetration Testing of Web Applications and Internal Network
Apifonica requested ScienceSoft to conduct comprehensive penetration testing of the applications and internal network with a special focus on their communication solutions. To get a full view of existing vulnerabilities and explore all possible cyberattack scenarios, ScienceSoft decided to apply all three main approaches: black, gray, and white box pentesting. Our team designed and carried out testing activities in three consecutive stages:
1. Black box testing of the web apps and APIs that support Apifonica’s internal processes. The testers first approached the target web apps and APIs without any prior knowledge of them. They closely simulated real-world hackers’ actions to detect vulnerabilities that could serve as entry points to break through Apifonica’s external security perimeter.
2. Gray box testing of the internal network. At this stage, ScienceSoft’s security engineers received limited information about Apifonica’s internal network — user credentials and the network architecture — and tested 76 IPs. They explored how a potential intruder could compromise the company’s sensitive data and IT assets once they had entered the system.
3. White box testing of Apifonica’s software products. The testers were provided with admin rights and full information about Apifonica’s communication solutions to detect all possible security issues. They were able to explore the source code of the web apps and APIs and perform targeted tests to define all possible attack vectors.
Upon the testing, Apifonica received a detailed report on the detected security gaps, including:
- Poor or missing authentication mechanisms.
- Access control vulnerability: one user could see or modify the information of another user even if they didn’t have permission.
- Absent brute-force protection (e.g., a request rate limit or account lockout after a certain number of failed logins), allowing a potential attacker to get hold of user credentials or other sensitive information.
- Outdated software with known vulnerabilities that could enable remote code execution, information disclosure, and denial of service attacks.
- Unprotected communication: a service listened on TCP port 80 and sent its responses unencrypted.
The 18 detected vulnerabilities were categorized by their severity and likelihood of exploitation, allowing Apifonica’s team to prioritize remediation steps. Apifonica also got detailed guidance on the corrective measures needed to achieve a high security posture, such as:
- Enforcing strong authentication mechanisms.
- Implementing a request rate limit and enabling account lockout.
- Reviewing the Universally Unique Identifier (UUID) scheme and implementing additional authentication checks.
- Updating and patching vulnerable software.
- Using Port 443 instead of Port 80.
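The two application-level measures above (a request rate limit with account lockout, and a per-object authentication check so that knowing a record’s UUID is not enough to read it) can be illustrated as follows. This is an added example, not code from Apifonica or ScienceSoft; the user store, the record store, the UUID and all thresholds are constructed for the demonstration.

```python
import time
from collections import defaultdict, deque

# Constructed example, not code from the page or from Apifonica/ScienceSoft.
RATE_WINDOW_SEC = 60       # sliding window for the per-source rate limit
RATE_MAX_REQUESTS = 10     # login attempts allowed per source per window
LOCKOUT_THRESHOLD = 5      # consecutive failures before the account locks
LOCKOUT_SEC = 900          # lockout duration

USERS = {"alice": "correct-horse", "bob": "battery-staple"}  # constructed; real stores hold salted hashes
# Constructed records keyed by UUID, with the owner recorded on each record.
RECORDS = {"7d4c1b1e-4e7a-4f19-9f0f-1e2a3b4c5d6e": {"owner": "alice", "data": "alice-secret"}}


class LoginGuard:
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.requests = defaultdict(deque)  # source -> attempt timestamps
        self.failures = defaultdict(int)    # username -> consecutive failures
        self.locked_until = {}              # username -> unlock time

    def _rate_limited(self, source, now):
        q = self.requests[source]
        while q and now - q[0] > RATE_WINDOW_SEC:
            q.popleft()                     # drop attempts outside the window
        if len(q) >= RATE_MAX_REQUESTS:
            return True
        q.append(now)
        return False

    def login(self, source, username, password):
        now = self.clock()
        if self._rate_limited(source, now):
            return "rate_limited"           # too many attempts from this source
        if self.locked_until.get(username, 0) > now:
            return "locked"                 # account locked, even for the right password
        if USERS.get(username) == password:  # use a constant-time compare in production
            self.failures[username] = 0
            return "ok"
        self.failures[username] += 1
        if self.failures[username] >= LOCKOUT_THRESHOLD:
            self.locked_until[username] = now + LOCKOUT_SEC
            self.failures[username] = 0
            return "locked"
        return "invalid"


def fetch_record(record_id, requester):
    """Per-object check: a valid UUID alone does not grant access."""
    rec = RECORDS.get(record_id)
    if rec is None or rec["owner"] != requester:
        return None  # same answer for missing and foreign records: no existence leak
    return rec["data"]
```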
Guided by the report and remediation roadmap provided by ScienceSoft, Apifonica’s team was able to promptly fix the discovered vulnerabilities. After retesting by ScienceSoft, Apifonica got tangible proof of increased data protection as required by GDPR and ISO 27001.
Email Phishing Campaign
Knowing that human error or negligence may sabotage even the strongest IT security systems, Apifonica wanted to check if their employees could resist social engineering attacks. ScienceSoft’s team simulated bulk phishing attacks using emails with malicious links and fake login forms. They revealed several cases of careless employee behavior that could lead to a security breach.
Ilya Ostrovskiy, Chief Product Officer at Apifonica, says:
“During the project, ScienceSoft’s team found 18 vulnerabilities, delivered a detailed report on all the detected issues, and provided recommendations on how to improve the security of the tested objects. They also provided comprehensive answers to all our questions during and after the testing and assisted with remediation of the discovered vulnerabilities. The team conducted penetration testing in line with all of our requirements, one of which was performing the project within the EU borders in order to comply with the GDPR regulations. Thanks to their efforts we managed to greatly improve the quality and security of our solution.”
Key Outcomes for the Customer
- Increased security of the IT network, the web applications used to support their internal processes, and their software products, thanks to comprehensive black, gray, and white box pentesting and the actionable vulnerability remediation guidelines provided by ScienceSoft.
- Enhanced cybersecurity awareness of the staff as a result of social engineering testing and follow-up employee training recommendations offered by ScienceSoft.
- Ensured protection of their clients’ data as required by GDPR and ISO 27001.
- Solid reputation of a secure communication solutions vendor and increased customer trust.