Ciklum Solutions Quality Assurance Solutions Unit Security QA Services reference

Transcription

1 Ciklum Solutions Quality Assurance Solutions Unit Security QA Services reference Ciklum. All rights reserved Kyiv, 2015

2 Client: Platform: Technology: Tools: DanDomain Delivery: Website: Security testing methodologies used: 100 hours Web application, Web service ASP, ASP.NET, MS SQL, SOAP Burp Suite, Zed Attacking Proxy (ZAP), Skipfish, Arachni, W3AF, SQLMap, Metasploit Framework, OWASP Mantra. Open Web Application Security Project (OWASP) Testing Guide Research of OWASP Top 10 projects Open Source Security Testing Methodology Manual The Penetration Testing Execution Standard

3 About client It started in Everyone wanted to go online, but few people knew how, and no one yet saw the potential in making it simple. DanDomain is the story of three geeks who helped friends get their ideas out on the web. Two solutions became five, five became thirty, and it quickly became clear that good service was the key to good business. Half a million registered domain trades later, DanDomain still is about the same. Our goal is to help customers get their ideas out on the web, turn ideas into success stories, and better maintain control. The story of DanDomain is, in many ways, the history of the Internet in Denmark. We kept up with how new technology provided new opportunities of e-commerce, productivity improvements, and the outs ourcing of corporate IT operations.

4 The situation The client contacted Ciklum s QA Solutions to assess and test DanDomain s Payment system s security (web application and web service). According to the Payment Card Industry Security Standards Council, organizations can use penetration testing to identify vulnerabilities, to determine whether unauthorized access to their systems or another malicious activity is possible. Penetration testing is a critical tool to verify that appropriate segmentation is in place to isolate the cardholder data environment from other networks, the council affirmed.clearly, Ciklum Application Security Team conducted Penetration testing phase on the payment system live environment. With Security QA services, Ciklum offers an understanding of real-world risks towards organization from the perspective of an attacker. It goes beyond the limitations of automated scanning and gives information about possible application vulnerabilities.

5 The solution During the Penetration Testing Phase, Ciklum Team s activities were divided into four main streams: Initial Planning Initial Discovery Initial Validation Initial Reporting Ciklum Application Security Team completed the following during those four streams: 1. Automated crawling and scanning (unauthenticated, authenticated) Based on the results of the Penetration testing phase, Ciklum Application Security Team conducted the following: 1. Security training session for application developers 2. Manual review and customized fuzzing (unauthenticated, authenticated) 3. Vulnerabilities identification and validation, evidence collection, and risks evaluation 2. Training presentation and security guidelines preparation (containing all detailed materials from session) 4. Security issues report generation (including all recommendations)

6 The result During Penetration Testing phase, 23 security issues were identified, including: critical risk high-risk medium risk low risk We must admit that the Security Assessment prepared by the Application Security Team as a part of the Web application security review was an eye-opener within the project. To conclude the penetration testing phase results, we organized a security training and consulting session based on OWASP s top 10 project materials. Our engineers, in a timely manner, highlighted and discussed a lot of design and implementation problems. We ve prepared a live demonstration of common and identified vulnerabilities. Additionally, the Ciklum Application Security Team has shared their experience and best practices in the development of secure software architecture and design.

7 Team Oleksandr Maidaniuk Head of Quality Assurance Solutions Artem Metla Senior Security QA Engineer We had the pleasure to work with the Ciklum Quality Assurance Solutions Unit with our online payment system. The Security team did penetration testing and delivered a detailed report about findings, made a thoroughly walkthrough of issues with our developers, both in way of how an attack could be done as well as how to prevent it. Furthermore Ciklum ensured that our developers was updated about the latest within web security and did online OWASP training. The Ciklum Quality Assurance Solutions Unit did professional job, and I would not hesitate to make use of them in the future. Karsten Riisager, Head of Development, Webshop, DanDomain

8 About Ciklum Ciklum is a top-five global Software Engineering and Solutions Company. We deliver software engineering excellence to Fortune 500 and fast-growing organizations alike around the world. Our Developers located in the Delivery Centres across four continents, provide our clients with a range of services including Extended Software development teams, Quality Assurance, R&D, Product development and Engineering Consulting. For more information about us visit ciklum@ciklum.com Telephone Ciklum. All rights reserved Kyiv, 2015