Our client is a leading player in the Financial and Insurance Services space (UK and worldwide).
- Lack of security testing resources and processes.
- Testing was carried out by the developers.
- Project had a well-detailed specification.
- Structured and formalized the security testing process.
- Created a detailed security testing strategy and test plan.
- Created and maintained security test cases and checklists.
- Designed the architecture of the security test framework from scratch.
- Updated the Jira workflow.
- Introduced short team meetings to keep the whole team on the same page.
The client was in the process of building a secure online insurance service application. They engaged us to perform security testing across the various components of their services. The engagement was a multitier-architecture web application security assessment covering:
- AWS Cloud
- Amazon (AZ) Connect
- Salesforce Marketing Cloud
- Accenture Insight Platform
- Amazon Redshift
The information security experts from Vihat Technologies’ security testing team used a unique in-house developed methodology and an application driven framework, and completed the Web Application Security Assessment and Penetration Testing against all the various components and reported multiple critical vulnerabilities.
Key highlights of the security assessment are outlined below:
- Attack surface mapping of the entire application with every detail of the URLs, parameters, components and IPs that are being used in the application.
- Test cases were created for insurance-application-specific vulnerabilities such as price tampering, checksum-related flaws, security misconfiguration, payment integration flaws and access control flaws, in conjunction with the various sections that were mapped.
- Security testing conforming to OWASP top 10 and severe business logic vulnerabilities for web, cloud and network interface.
- Automated scans using various open source & commercial scanners.
- Test case verification by manually confirming each of the potential issues identified in the steps above.
Vihat Technologies team educated the application owner about the risks and created a risk mitigation plan. The first cycle of the engagement involved identifying all the vulnerabilities in the client’s website. Subsequently, the engineers leveraged the known vulnerabilities to further penetrate the client’s application architecture and identify the true impact of the vulnerabilities.
The reports and remediation information provided were customized to match the client’s operational environment and development framework. The following reports were submitted:
- Daily Execution Summary Report: Details of the vulnerabilities identified during the day and the daily progress of execution, tracked in Microsoft's VSTS vulnerability reporting and management tool.
- Executive Presentation: Overview of the entire engagement, the vulnerabilities discovered and the recommendations made to mitigate the threats identified on the client’s websites.
- Detailed Technical Report: Comprehensive information and detailed exploitation instructions of all the threats identified.
Tools & Technologies
Burp Suite, Kali Linux, Metasploit, Nessus, Jira, Microsoft VSTS
By conducting thorough penetration tests and identifying vulnerabilities, Vihat Technologies reduced the client’s risk exposure in an environment where online shopping regulatory bodies are taking an extremely strict approach to security.
Additionally, we were able to bring in the following benefits:
1. Risk Benefits
The Vihat Technologies security testing team minimized the security risks by assessing the customer's infrastructure and business-solution-specific vulnerabilities and recommended solutions based on proven methods to enhance security. Some of the major vulnerabilities discovered were:
- SQL Injection
- Security Misconfiguration
- Insecure CORS
- Misconfigured S3 buckets
- Hard-coded sensitive credentials
- Cross Site Scripting
- Broken Authentication and Session Management
- Order Management Flaws
- Payment Integration Flaws
- Privilege Escalation
- Session Hijacking
2. Cost Savings
- Vihat Technologies suggested cost-effective risk-mitigation measures, based on the customer's business requirements, that would ensure the security and continuity of the business.
- Reduced significant financial impact and disruption to hard business deadlines.
- The Client will be able to utilize the information gained from the engagement for compliance purposes.