Manual Penetration Testing for ContractPal



Similar documents
Transformation of Disparate Legacy Software Applications into Complex SaaS Platform

Distributed Agile Practice for the Healthcare Solution

Reporting and Analytics Solution for Kony, Next-Gen Mobile PaaS Company

Big Data Web Analytics Platform on AWS for Yottaa

Automated Performance Testing of Desktop Applications

Maximize Profitability With SoftServe s Software Asset Management Solution for ISVs

Information Security Services

Why You Need to Test All Your Cloud, Mobile and Web Applications

Security Testing. Vulnerability Assessment vs Penetration Testing. Gabriel Mihai Tanase, Director KPMG Romania. 29 October 2014

Website Security. End-to-End Application Security from the Cloud. Cloud-Based, Big Data Security Approach. Datasheet: What You Get. Why Incapsula?

Introduction to Penetration Testing Graham Weston

Procuring Penetration Testing Services

Penetration Testing in Romania

Penetration Testing Services. Demonstrate Real-World Risk

ETHICAL HACKING APPLICATIO WIRELESS110 00NETWORK APPLICATION MOBILE MOBILE0001

Penetration Testing. I.T. Security Specialists. Penetration Testing 1

Effective Software Security Management

Ukraine IT outsourcing market. June 12, 2013

Cyber Security and Privacy Services. Working in partnership with you to protect your organisation from cyber security threats and data theft

Redhawk Network Security, LLC Layton Ave., Suite One, Bend, OR

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES.

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Keeping your data yours

Application Security Audit Fault Injection Model, Fuzz Generators & Static Code Analysis. Training Brochure

End-to-End Application Security from the Cloud

Ethical Hacking and Penetration Testing Presented by: Adam Baneth Managing director

Keeping your data yours

How To Test For Security On A Network Without Being Hacked

TECHNICAL AUDITS FOR CERTIFYING EUROPEAN CITIZEN COLLECTION SYSTEMS

Paul Vlissidis Group Technical Director NCC Group plc

Your world runs on applications. Secure them with Veracode.

Application Backdoor Assessment. Complete securing of your applications

Top Challenges in Payroll & HR

Pentests more than just using the proper tools

Security Testing for Web Applications and Network Resources. (Banking).

Pentests more than just using the proper tools

G-Cloud IV Services Service Definition Accenture Cloud Security Services

Proactive Threat Management using Global Threat Intelligence

Cybersecurity and internal audit. August 15, 2014

ASL IT SECURITY BEGINNERS WEB HACKING AND EXPLOITATION

Enterprise-Grade Security from the Cloud

Security within a development lifecycle. Enhancing product security through development process improvement

Real World Healthcare Security Exposures. Brian Selfridge, Partner, Meditology Services

PENETRATION TESTING GUIDE. 1

Successful Strategies for Implementing SaaS/Cloud Solutions in Healthcare

Contact Center Security: Moving to the True Cloud

LEARNING CURRICULUM SECURITY COMPASS TRAINING 2015 Q3. Copyright Security Compass. 1

DRUPAL WEBSITE PLATFORM BUYER S GUIDE

Reporting and Analytics Solution for Next-Gen Mobile PaaS Company

MANAGING CYBER RISK IN THE SUPPLY CHAIN

Cyber Security for Competitve Advantage: How SaaS Providers are Transforming their Business

Penetration Testing. How Government Can Achieve Better Outcomes. Delivered by Murray Goldschmidt, Chief Operating Officer

Part Banker. Part Geek. All Security & Compliance.

Securing the Cloud with IBM Security Systems. IBM Security Systems IBM Corporation IBM IBM Corporation Corporation

Digi Device Cloud: Security You Can Trust

Chapter 2: The hidden flaws in Windows

White Paper. Guide to PCI Application Security Compliance for Merchants and Service Providers

Building a Corporate Application Security Assessment Program

Penetration testing & Ethical Hacking. Security Week 2014

State of the Applications : Only 11% of Information Security Managers Feel Their Applications are Secure. 1/11

IT Security Testing Services

IoT & SCADA Cyber Security Services

The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.

Windows XP End-of-Life Handbook for Upgrade Latecomers

Big Analytics: A Next Generation Roadmap

white SECURITY TESTING WHITE PAPER

Presented by Evan Sylvester, CISSP

The Importance of Cybersecurity Monitoring for Utilities

Demystifying Penetration Testing for the Enterprise. Presented by Pravesh Gaonjur

DEFEND YOUR DATA DEFEND YOUR BRAND

Learn Ethical Hacking, Become a Pentester

Security-as-a-Service (Sec-aaS) Framework. Service Introduction

Industry Solutions Oil and Gas Engineering Document Control and Project Collaboration Solutions for Oil and Gas

Company Profile. First Page. Previous Page. Next Page. Last Page. A Member of Harel Mallac Group

Securing Patient Portals. What You Need to Know to Comply With HIPAA Omnibus and Meaningful Use

WHAT ARE THE BENEFITS OF OUTSOURCING NETWORK SECURITY?

The 2014 Software Development Trends. Survey Results

Web Application security testing: who tests the test?

ISSECO Syllabus Public Version v1.0

The business owner s guide for replacing accounting software

Securing SharePoint 101. Rob Rachwald Imperva

VISA EUROPE ACCOUNT INFORMATION SECURITY (AIS) PROGRAMME FREQUENTLY ASKED QUESTIONS (FAQS)

Expert Services Group (Security Testing) Nilesh Dasharathi Sadaf Kazi Aztecsoft Limited

Continuous Network Monitoring

Cenzic Product Guide. Cloud, Mobile and Web Application Security

G-Cloud IV Framework Service Definition Accenture Web Application Security Scanning as a Service

Your customers protected against cybercrime. New commercial opportunities for you

Application Security Report

Making your web application. White paper - August secure

The Advanced Cyber Attack Landscape

Mean Time to Fix (MTTF) IT Risk s Dirty Little Secret Joe Krull, CPP, CISSP, IAM, CISA, A.Inst.ISP, CRISC, CIPP

A Unified View of Network Monitoring. One Cohesive Network Monitoring View and How You Can Achieve It with NMSaaS

Develop your Legal Practice using Cloud applications, but

Cyber Security - What Would a Breach Really Mean for your Business?

Dynamic Security for the Hybrid Cloud

Surviving the Era of Hack Attacks Cyber Security on a Global Scale

HOW SECURE IS YOUR PAYMENT CARD DATA?

Spillemyndigheden s Certification Programme Instructions on Penetration Testing

Achieving Information Security

Excellence Doesn t Need a Certificate. Be an. Believe in You AMIGOSEC Consulting Private Limited

Transcription:

Manual Penetration Testing for ContractPal Customer Background ContractPal, Inc. is a SaaS Business Process Outsourcing (BPO) company that has been offering its services and custom applications to a wide variety of businesses for over a decade. Their web-based technology saves time, money, and eliminates human errors by organizing, improving, and streamlining outdated processes with nimble cloudbased applications. case study

Business Challenge ContractPal provides solutions that process documents with sensitive data so they needed a reliable security assessment. Their customers require proof of regular code review and security audits, with a specific requirement for manual ethical hacking by a third party organization that is skilled and certified in performing penetration testing. This requirement as well as application specificity made an automated tool assessment ineffective, therefore ContractPal partnered with SoftServe to perform Manual Penetration Testing. We have a working relationship with SoftServe that spans several years. We know their engineers to be highly competent, well educated, and articulate and honest in their work. We selected SoftServe as our partner for this project because of our existing relationship and their written and verbal documentation representing their ability to deliver the service needed at a reasonable cost, said David Martineau, CTO, ContractPal. Project Description SoftServe`s Security team of three Certified Ethical Hackers executed the project in two weeks. The test process included manual penetration testing with the market s best security testing tools. The testing process included the following activities: 1. Dynamic application security testing 2. Manual penetration testing 3. Application source code analysis MANUAL PENETRATION TESTING FOR CONTRACTPAL 2

To ensure a comprehensive and well-rounded analysis, the security experts used the following methodologies: OWASP Application Security Verification Standard OWASP Testing Guide Penetration testing Execution Standard Test Planning Attack Vector Identification Penetration Attempt Post Exploitation Reporting & Recommendations Meeting with the customer Align test goals and scope Gather Intelligence Collect information about the system under test Potential weakness analysis Develop an attack scenario Exploit testing for found vulnerabilities Exploit bypassing protection Escalating privileges Infrastructure analysis Artifacts analysis Covering tracks Cleanup Create report for the system owner, including found vulnerabilities and recommendations for elimination The most critical vulnerability was identified during the manual stage of the assessment process. It was a Cross Site Request Forgery, which is ranked #8 in the TOP-10 Web application vulnerabilities list according to the OWASP rating. The team reported the identified vulnerabilities with detailed descriptions and video proof of each defect to help ContractPal s development team eliminate the bugs. Additionally, SoftServe provided technical recommendations on how to correct the identified security issues. MANUAL PENETRATION TESTING FOR CONTRACTPAL 3

Value Delivered The collaborative security teams performed the audit taking into account all of the client requirements as well as security best practices and helped ContractPal: Save costs and avoid penalties due to non-compliance with security policies Protect the company s brand and ensure the security of sensitive client information Ensure the application s security met the security requirements of their internal policy Open opportunities for collaboration as a trusted vendor/ partner with new clients The successful delivery of the project in a relatively short amount of time and on budget resulted not only in a clear and concise security analysis and overview, but several GB of log files that help us identify attack vectors. We were able to meet the requirements of our customers, identify areas to improve, as well as obtain patterns that can be analyzed to prevent future exploits. By having access to the codebase, SoftServe had the additional advantage of identifying potential weaknesses from an internal perspective, helping us produce a better product. Security and compliance are moving targets and building a secure and compliant infrastructure requires constant effort. Our regular reviews require us to work with organizations who are informed and maintain qualifications for performing assessments. We intend to continue our working relationship with SoftServe so long as they offer this service at the level we need, David Martineau, CTO, ContractPal. MANUAL PENETRATION TESTING FOR CONTRACTPAL 4

ebook About SoftServe SoftServe is a leading technology solutions company specializing in software development and consultancy services. Since 1993 we ve been partnering with organizations from start-ups to large enterprises to help them accelerate growth and innovation, transform operational efficiency, and deliver new products to market. To achieve this we ve built a strong team of the brightest, most inquiring minds in the industry, and we form close, collaborative relationships with our clients so we can really understand their needs and deliver intuitive software that exceeds their expectations. Our experience stretches from Big Data/Analytics, Cloud, Security and UX Design to the Internet of Things, Digital Health and Digital Transformation, we have offices across the globe and development centers across Eastern Europe. For more information please visit www.softserveinc.com. USA HQ Toll Free: 866-687-3588 Tel: +1-512-516-8880 Ukraine HQ Tel: +380-32-240-9090 Bulgaria Tel: +359-2-902-3760 Germany Tel: +49-69-2602-5857 Netherlands Tel: +31-20-262-33-23 Poland Tel: +48-71-382-2800 UK Tel: +44-207-544-8414 EMAIL info@softserveinc.com WEBSITE: www.softserveinc.com MANUAL PENETRATION TESTING FOR CONTRACTPAL 5

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information