Penetration testing was executed against a Swiss cloud-based secure communication and collaboration platform. The testing methodology was based on the OWASP Testing Guide and NIST standards, since the scope covered not only the web application but also the underlying infrastructure. Results were classified using the OWASP Top 10 and CVSS.
About the customer
The customer, a Swiss startup, was providing secure communication and collaboration services such as secure cloud hosting, a secure messenger and cloud data storage for companies and individuals.
Aim of the project
The customer asked for help assessing their security and finding possible vulnerabilities at the application and infrastructure level, using a black-box model.
In addition to identifying vulnerabilities, the project required a remediation plan, together with consultancy and assistance during the process of eliminating the vulnerabilities, followed by verification of the results through re-testing, which was included as an additional milestone of the project.
We applied a mostly manual approach, with only about 10% automation for the infrastructure part. The project took about two weeks of intensive work and ended with a detailed final report.
Results
Several non-critical (medium and low severity) vulnerabilities were identified, along with one high-severity vulnerability (an injection flaw), about which the customer was informed during penetration test execution so that it could be fixed as soon as possible. All other issues were included in the final report and fixed during the remediation process; the subsequent re-test showed that no vulnerabilities remained.
Some of the tools used on the project: Nessus, nmap, hydra, hping, siege, sqlmap, Vega, Acunetix, OWASP ZAP, etc.