Penetration Testing

Goals

  • Conduct penetration testing on the web application, web services (APIs) and mobile apps to identify vulnerabilities
  • Conduct penetration testing on the infrastructure platform to identify vulnerabilities
  • Suggest and provide remediation actions for the discovered vulnerabilities
  • Conduct code reviews and propose secure coding practices to reduce the number of vulnerabilities

Results

  • The discovered vulnerabilities were remediated, securing the applications against the common threats tested for
  • A clear penetration testing strategy and process were set up for subsequent releases
  • Code reviews and coding guidelines helped reduce the number of vulnerabilities in subsequent releases

Approach

  • Penetration tests were conducted by Certified Ethical Hackers
  • A highly consultative approach was used for result-oriented testing
  • Conducted tool-assisted white box testing on the web application, web services (APIs) and mobile apps
  • Conducted penetration testing to identify authentication bypass, privilege escalation, SQL injection and script injection

With the increase in cyber threats and attacks, conducting penetration testing and setting up a clear process and development guidelines became a high priority for the customer. It was also important to conduct penetration testing for every release to ensure the security of the application.

The eLearning application was built as a single-page web application backed by REST APIs, with native Android and iOS apps. The application was exposed to the internet so that students could learn on the go.

Solution

The first step in the penetration testing engagement was to understand the application's features, architecture, technology stack, and development and release methodology. An initial round of penetration testing was then conducted with automated tools to find common vulnerabilities such as:

  • Authentication bypass
  • Privilege escalation
  • Request, parameter and cookie tampering
  • Session hijacking
  • SQL injection, script injection etc.

After the initial testing, the tools' general recommendations together with our remediation guidelines were provided to the developers to fix the issues. During this period we worked with the senior developers on code reviews to identify the root causes of the issues. Using these insights, secure coding best practices were agreed, documented and taught to the developers in training sessions.

Once the issues were fixed and released, we conducted another round of tool-based penetration testing before moving on to manual testing, which targeted vulnerabilities in third-party integrations and APIs and the scenarios that the tools cannot cover. The test results were interpreted in the business context, eliminating false positives and highlighting the priorities and actions required.

Vulnerability assessment and penetration testing helped discover security issues, remediate them against common threats, and set up best practices for subsequent releases.

Penetration testing was incorporated into the release lifecycle so that vulnerabilities in subsequent releases are identified and remediated early.

Tags
Case Study