Streamlined cybersecurity auditing & vulnerability assessment
Security Auditing & Vulnerability Assessment of Client's Application & Hosting Server
Customer gains 50% cost savings with streamlined security auditing and vulnerability assessment measures
A leading vendor who provides applications that integrate with the US government’s database.
The customer offers automated compliance software that integrates with any payroll. The software enables users to e-file and submit required documents to the national tax collection agency.
Since the application handles highly sensitive data, information security is of paramount importance. The customer faced the following challenges:
- Since a full-fledged security assessment of the application had never been done, it was difficult for the customer to gauge the application's level of security in the wake of emerging threats. The customer had to ensure that the application was not vulnerable to threats like SQL injection, XSS, session hijacking, unencrypted transport-layer communication, etc.
- The server hosting the application is a self-managed cloud server. It was not easy for the customer to understand how securely the server had been configured to prevent attacks like DoS, DDoS, brute forcing, etc. They also had to review whether the security measures already implemented were adequate. The customer wanted to ensure that intrusion detection and prevention systems (IDS/IPS) were in place to prevent and alert on such attacks.
- Need to verify that the application complies with accepted industry security standards.
- The customer must guarantee their clients that client data remains safe and that essential precautions are taken to avoid any chance of data leakage due to technical flaws in the application or a security vulnerability in the server itself.
- Ensure that the customer's web application conforms to industry-standard security practices like ISO 27001 and OWASP wherever applicable.
- Analysis of the architecture and system configuration.
- Static code analysis to find out whether any vulnerabilities exist and, if so, to frame a mitigation plan.
- Gap analysis of the hosting environment to identify vulnerabilities in the servers, IDS/IPS, firewall systems, etc.
- Vulnerability scanning of the hosting platform, including the server and IDS/IPS, and mapping of the risk and threat levels.
- Vulnerability assessment of exposed services and protocols like HTTPS, RDP, SSH, SMTP, etc.
- Analysis of the presence and adequacy of encryption controls, and detection of any weakness in the encryption (SSL/TLS) layer.
- A penetration test to simulate real-world attacks and confirm whether the discovered vulnerabilities are exploitable.
- Performed a web vulnerability scan to expose the vulnerabilities present in the application.
- XSS was discovered in the web application and was mitigated through code amendments.
- Transport-layer encryption was in use, but it was vulnerable to the POODLE attack. We helped the customer discontinue support for TLS 1.0 and SSLv3; RC4 support was also discontinued, which resolved the problem.
- Helped the customer set up a redirection to force all traffic over HTTPS.
- Modified the firewall configuration to allow access to the RDP and MSSQL services only from the administrative network, removing the unnecessary exposure of these services.
- Hardened the server by applying all missing security patches and scheduled the server to self-patch automatically at regular intervals.
- Disabled all unnecessary services on the server that were enabled by default.
- Prepared a detailed report on the results of the security assessment. The report listed every vulnerability with its description and corresponding evidence, proving that the vulnerability existed and that corrective action was taken.
- Risk benefits: The customer now has complete visibility into the information security status of their application and can assure their clients that their data is 100% safe. They can also take adequate precautionary measures against looming security threats.
- Cost benefits: We suggested the most cost-effective solutions to mitigate the risks identified during the assessment. The customer's data is now also safeguarded from the probable consequences of an information security attack.
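The TLS and firewall remediations listed above (dropping SSLv3, TLS 1.0 and RC4, and scoping RDP and MSSQL to the administrative network), shown as an added PowerShell example that is not part of the original case study or the customer's configuration. It assumes a Windows host whose TLS stack is Schannel (for example IIS) and the built-in Windows firewall; 10.10.0.0/24 is a placeholder for the administrative network.

```powershell
# Added example, not from the original case study. Assumes a Windows server
# whose TLS stack is Schannel (e.g. IIS) and the built-in Windows firewall.
# Run from an elevated session; Schannel changes take effect after a reboot.
$AdminNet = '10.10.0.0/24'   # placeholder for the administrative network
$Schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# 1. Disable SSL 3.0 (POODLE) and TLS 1.0 on the server side.
foreach ($proto in 'SSL 3.0', 'TLS 1.0') {
    $key = Join-Path $Schannel "Protocols\$proto\Server"
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord -Value 0 -Force | Out-Null
    New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord -Value 1 -Force | Out-Null
}

# 2. Disable RC4. The cipher key names contain '/', which the registry
#    provider treats as a path separator, so create them through .NET instead.
$hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, [Microsoft.Win32.RegistryView]::Default)
foreach ($cipher in 'RC4 128/128', 'RC4 64/128', 'RC4 56/128', 'RC4 40/128') {
    $k = $hklm.CreateSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\$cipher")
    $k.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    $k.Close()
}

# 3. Expose RDP (3389) and MSSQL (1433) only to the administrative network.
#    Windows firewall applies block rules before allow rules, so the safe
#    pattern is a block-by-default profile plus narrowly scoped allow rules,
#    not a broad block rule that would also cut off the admin network.
Set-NetFirewallProfile -All -DefaultInboundAction Block
# Scope the built-in Remote Desktop rule group instead of adding a competing rule.
Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -RemoteAddress $AdminNet
New-NetFirewallRule -DisplayName 'MSSQL from admin network only' -Direction Inbound `
    -Protocol TCP -LocalPort 1433 -RemoteAddress $AdminNet -Action Allow | Out-Null

# 4. Verify: each disabled protocol should report Enabled=0, DisabledByDefault=1.
foreach ($proto in 'SSL 3.0', 'TLS 1.0') {
    $v = Get-ItemProperty -Path (Join-Path $Schannel "Protocols\$proto\Server")
    '{0}: Enabled={1} DisabledByDefault={2}' -f $proto, $v.Enabled, $v.DisabledByDefault
}
```

After the reboot, re-run the external TLS scan used during the assessment to confirm that SSLv3, TLS 1.0 and RC4 are no longer negotiable from outside.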
Results at a Glance
- 100% guarantee on data security
- 5x improved visibility on any security flaws
- 50% cost savings with increased compliance
© 2005-2018 Zerone Consulting Private Limited. All Rights Reserved