For a secure document management solution to be credible, security controls need to be watertight. Only then can users be confident about using the solution to store sensitive documents.
The client, one of the UK’s leading developers of electronic document management software, asked us to put its secure document management solution to the test. Documents stored on the application can be accessed on three different platforms: the document management Windows application, the online web portal and the iOS application for Apple mobile devices. Our security assessment covered all three.
Our testing showed that the application’s controls were not providing sufficient security and picked up a number of vulnerabilities that feature in the OWASP top ten, a widely used awareness document for web application security.
The assessment also identified a number of platform-specific weaknesses: the Windows version was vulnerable to SQL injection, which allows attackers to retrieve data and hijack valid user accounts; the online version was vulnerable to Cross-Site Scripting, which allows attackers to store malicious script inside an application; and the iOS version was storing unencrypted copies of documents, which were therefore accessible to anyone with access to a mobile device that had previously been used to open them.
Our report included detailed recommendations for closing these security gaps. We also gave an in-depth briefing to ensure our client understood the risk the missing security controls posed. Our work allowed our client to strengthen the application’s security significantly and eliminate the risk of a commercially damaging security breach.
If you require a remediation report for your business from a comprehensive penetration test, contact a member of our penetration testing team or find out more about our technical security capabilities.