Penetration Testing for a Healthcare Software Vendor
About Our Customer
The Customer is a US-based software development company that delivers innovative cloud-based solutions for healthcare. Over two decades, it has fostered secure and efficient data handling and exchange across 50,000 healthcare facilities, including hospitals, clinics, and labs.
Regular Pentesting to Prevent Data Breaches and Stay Compliant
As a provider of software that gathers, processes, and stores protected health information, the Customer must comply with HIPAA requirements. To avoid the financial losses and reputational damage a data breach can cause, the Customer relies on a comprehensive security program that includes regular penetration testing. So, the Customer was looking for a competent cybersecurity partner to perform an independent security checkup. The company chose ScienceSoft as an ISO 27001-certified vendor with hands-on HIPAA compliance experience and a solid portfolio of pentesting projects. For two consecutive years, ScienceSoft has performed annual penetration testing of the Customer’s web applications and IT infrastructure components.
Pentesting Detected Potential Entry Points for Cyberattacks
The Customer appreciated the pragmatic approach and cybersecurity expertise that ScienceSoft had demonstrated during previous engagements. Plus, as the testers were already familiar with the Customer’s IT environment, they could perform the pentests faster and at a lower cost. Hence, the Customer was eager to invite our team for another project. This time, the testing scope included 4 web applications, 45 API services, and the external network (60 public-facing IPs). The Customer and our security experts agreed on the gray box approach to ensure thorough vulnerability exploration within the set timeframe and allocated budget.
The vulnerability scanning and manual penetration testing activities revealed 15 security issues. ScienceSoft's team provided a list of the detected vulnerabilities and ranked them according to the OWASP Top 10, OWASP API Top 10, and NIST CVSS classifications. Our experts were glad to report that most of the security issues were of low severity. It was unlikely that potential attackers could successfully exploit them to get hold of the Customer's web apps and IT infrastructure. However, one of the web applications that had undergone significant modifications contained critical security flaws:
- Stored cross-site scripting (XSS). If hackers exploited the vulnerability, they could have obtained user credentials or sensitive data stored in the users’ accounts or browsers, hijacked user sessions, and acted on users’ behalf. Stored XSS attacks are particularly dangerous: victims do not have to follow a malicious link or do anything other than use the web app in the usual way to be affected.
- Web application functionality allowed sending arbitrary emails to its users. If attackers exploited the vulnerability, they could have sent phishing emails to mislead the users or distributed spam to have the email server blacklisted.
ScienceSoft’s security experts recommended verifying the email sender and subject parameters on the back end to prevent email attacks. They also outlined a set of measures to minimize the risks of cross-site scripting attacks:
- Using an alternative HTML editor, e.g., BBcode editor.
- Validating user inputs against predefined criteria to prevent attackers from entering a malicious script designed to harm the web application.
- Sanitizing data after it has been posted to the web server but before it is displayed to a user.
- Securing cookies: e.g., tying them to particular IP addresses, blocking JavaScript from accessing cookies.
- Configuring web application firewall rules to block suspicious requests to the server, including cross-site scripting attacks.
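As an added illustration (not code from the Customer's system or from ScienceSoft's report), the following Python shows how the two back-end recommendations above can be implemented together: server-side checks on the email sender and subject parameters, and an escape-first BBCode renderer with HttpOnly/Secure cookie flags for displaying stored user content. The sender allowlist, length limit, supported BBCode tags, and all sample inputs are assumptions made for the example.

```python
import html
import re

# --- Email sending parameters (constructed values for illustration) ----------

# Only addresses the application itself owns may appear as the sender,
# so a request cannot turn the app into a relay for arbitrary mail.
ALLOWED_SENDERS = {"noreply@clinic-portal.example", "alerts@clinic-portal.example"}
MAX_SUBJECT_LEN = 120


class EmailParamError(ValueError):
    """Raised when a client-supplied email parameter fails server-side checks."""


def validate_email_params(sender: str, subject: str) -> tuple:
    """Check sender and subject on the back end before handing them to the mailer.

    The sender must come from the allowlist, and the subject must be a single
    line of bounded length so that a CR/LF in the subject cannot smuggle extra
    headers (for example additional recipients) into the outgoing message.
    """
    if sender not in ALLOWED_SENDERS:
        raise EmailParamError("sender address is not one the application owns")
    if "\r" in subject or "\n" in subject:
        raise EmailParamError("subject must be a single header line")
    subject = subject.strip()
    if not subject or len(subject) > MAX_SUBJECT_LEN:
        raise EmailParamError("subject is empty or exceeds the length limit")
    return sender, subject


def email_params_ok(sender: str, subject: str) -> bool:
    """Boolean wrapper around validate_email_params for callers that only branch."""
    try:
        validate_email_params(sender, subject)
        return True
    except EmailParamError:
        return False


# --- Rendering stored user content ------------------------------------------

# Links are restricted to http(s) URLs; anything else (javascript:, data:) does
# not match and is left as literal text.
_URL_RE = re.compile(r"\[url=(https?://[^\]\s]+)\](.*?)\[/url\]", re.I | re.S)


def render_bbcode(stored_text: str) -> str:
    """Turn user-submitted BBCode into HTML without ever emitting raw user HTML.

    Step 1 escapes every HTML metacharacter, so a stored payload such as a
    <script> element survives only as harmless text. Step 2 then re-introduces
    the few tags the application chooses to support.
    """
    safe = html.escape(stored_text, quote=True)  # step 1: encode everything
    safe = re.sub(r"\[b\](.*?)\[/b\]", r"<strong>\1</strong>", safe, flags=re.S)
    safe = re.sub(r"\[i\](.*?)\[/i\]", r"<em>\1</em>", safe, flags=re.S)
    # The href is already attribute-safe: quotes and ampersands were escaped in step 1.
    safe = _URL_RE.sub(r'<a href="\1" rel="noopener noreferrer">\2</a>', safe)
    return safe


def session_cookie_header(name: str, value: str) -> str:
    """Build a Set-Cookie value for a session token.

    HttpOnly keeps the cookie out of reach of page scripts, so even a script
    that slipped past output encoding cannot read it; Secure and SameSite
    narrow where the browser will send it.
    """
    token = r"[A-Za-z0-9_\-]+"
    if not re.fullmatch(token, name) or not re.fullmatch(token, value):
        raise ValueError("cookie name and value must be simple tokens")
    return f"{name}={value}; Path=/; Secure; HttpOnly; SameSite=Strict"


if __name__ == "__main__":
    # Constructed inputs: a stored comment carrying a script tag, and a
    # subject line attempting header injection.
    print(render_bbcode("<script>alert(1)</script>[b]Dr. Lee[/b]"))
    print(render_bbcode("[url=javascript:alert(1)]click[/url]"))
    print(email_params_ok("noreply@clinic-portal.example", "Results\r\nBcc: x@evil.example"))
    print(session_cookie_header("sid", "abc123"))
```

The order inside render_bbcode is the important design choice: escaping first and then allowing a fixed set of tags means any markup the renderer does not explicitly recognise can never reach the browser as HTML, which is the property a BBCode editor gives you over a raw HTML editor.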
After an agreed time, ScienceSoft's team performed a round of retesting. They confirmed the proper remediation of vulnerabilities and reported the high security level of the testing targets. Knowing the Customer's dedication to maintaining proper cyber defense, our security experts recommended several additional measures that could significantly improve the company's cybersecurity posture.
- Inventorying external and internal IT assets (preferably combined with vulnerability assessment). Complete visibility of all IT assets is crucial for security management: it helps ensure timely security checkups for business-critical data, apps, and IT infrastructure, upgrades and patches for outdated and vulnerable software, and more.
- Social engineering testing through simulated email phishing attacks. Since most cyberattacks start with a phishing email, social engineering testing is an efficient way to assess and improve the email security system and the employees' security awareness. It helps reduce the risk of common human errors that can compromise a company's cyber defense (like opening attachments from unknown senders or entering sensitive data on fake websites).
Security Loopholes Eliminated Before Hackers Could Find Them
Thanks to the penetration tests performed by ScienceSoft, the Customer learned about the security weaknesses in its system that could lead to a data breach. With ScienceSoft’s remediation guidance, the in-house team promptly eliminated the detected security flaws. The retesting performed by our experts left the Customer confident in the security of its web applications, APIs, and external network. The Customer also got expert advice on how to further enhance its security strategy. The pentesting reports provided by ScienceSoft were added to the Customer’s compliance documentation.
Technologies and Tools
Metasploit, Nessus, Burp Suite, OWASP ZAP, Acunetix, Nmap, SoapUI, Postman, Sslscan, Nikto.