Plans to develop the business can often be the trigger for a review of IT security. This was the case for our client, a leading retailer of consumer electronics.
The company was selling insurance products through an in-house application, but wanted to integrate this with a supplier’s web-based application. So the company asked us to conduct a security assessment to ensure that its own application and the supplier’s web services were secure and, in particular, that the integration of the two applications did not introduce any threat to the supplier’s application.
Our tests showed that the security of our client’s application and the associated infrastructure was generally good, although we did find a number of vulnerabilities. For example, some of the applications were sending sensitive data over a cleartext channel, making it easy for an attacker to intercept. Some of the software installed on the servers was out of date. And a number of default pages containing sensitive information were accessible from various locations by unauthenticated users.
We also came across a number of SSL-related issues. Some of them allowed the level of encryption on the secure SSL channel to be lowered or allowed security features to be switched off completely. Finally, we found some issues related to input validation and server misconfiguration.
Despite these vulnerabilities, we were unable to find a way for potential attackers to do any serious damage to the system or the data stored within. However, we recommended resolving the issues we had identified in order to increase overall security. This allowed our client to start working more closely with its supplier, confident the new arrangement would not compromise either party’s security.
If your business requires a vulnerability assessment, speak to one of our penetration testers today or read more about our technical security and penetration testing capabilities.
If you would like to develop your own knowledge and skills in the latest information security testing techniques, find out about our range of expert-led cyber security training courses.