The company engaged Planit through the recommendation of one of their existing software partners. We carried out an external penetration test against their solution and provided a report detailing any vulnerabilities discovered, potential impact, and recommendations to remediate the risks identified.
Planit’s security engagement model provides a tailored security assurance solution. It began with a discovery phase, where a preliminary review of the solution was completed.
The review enables identification of the areas of the solution to be targeted (a.k.a. the attack surface), the risk appetite, the attacker profile, and the appropriate assessment services. The results of this activity are captured as the scope and schedule, with the scope detailing the attack surface to be covered, and the schedule aligned to the project timeframe.
A basic threat model was defined and an objective was established: to reveal whether attackers could access the sensitive data stored in the data platform. The attacker profile was a proficient hacker with Internet access only.
For the reconnaissance phase of the penetration test, the web application was mapped out to determine all functionality present, the roles available, and what functionality was available to each role in the system. The functionality was then investigated in further detail to determine which API calls were made on each page and for each action a user could perform.
Based on the results of the reconnaissance, the security team identified potential weaknesses and entry points by looking for common vulnerabilities, such as command/code injection, missing authorisations, sensitive data exposure, and outdated libraries that contain known vulnerabilities. The security team also investigated business logic holes, which sometimes become a blind spot for the development team and functional testers.
Our comprehensive report outlined the entire penetration testing process to clearly show which areas of the data platform were tested. Where a vulnerability was positively identified, the report outlined the risks it posed for the system and business, and how the security team attempted to exploit it through weaponisation of proof-of-concept code, reverse engineering, and many other innovative ways and techniques of breaking in.
Our initial assessment identified that automated security scanning would not go deep enough to identify complex issues. Therefore, it was recommended that most of the testing be done manually. This has the added benefit of closely simulating an actual attacker who is not a bot, but has expert technical computing skills, access to tools, and an intention to steal.