Web Application and API Penetration Testing for a Code Security Platform Provider
About Our Customer
The Customer is a US-based SaaS provider that offers a game-changing solution to many software development cybersecurity challenges. It has created a user-friendly code security platform with vast functionality, including AppSec training, cutting-edge SAST, container analysis, and more.
The platform helps developers apply secure coding best practices, detect code security issues early, remediate them quickly, and avoid technical debt. Ultimately, the solution helps teams develop secure software and save the time and money that would otherwise go into fixing security issues later in the SDLC.
Upcoming SOC 2 Audit Urged for Independent Security Checkup
The Customer maintains SOC 2 certification to guarantee the security of its clients’ data and strictly follows the requirements outlined by the framework. As part of the preparation for the upcoming SOC 2 audit, the Customer wanted an independent penetration testing team to thoroughly check the security of its website, seven web applications, and one API.
Not fully satisfied with the services of its previous pentesting provider, the Customer was considering other candidates. The key vendor selection criteria were high-quality reports with comprehensive vulnerability descriptions and clearly outlined corrective measures, as well as experience with SOC 2 compliance.
Comprehensive Pentesting on a Tight Schedule
ScienceSoft was among the candidates for the project as an experienced vendor with 19 years in cybersecurity and a dedicated SOC 2 compliance assessment service offer. Having reviewed ScienceSoft’s service proposal and sample reports, the Customer decided to entrust its pentesting project to our team.
To meet the 7-day deadline set by the Customer, ScienceSoft assigned two experienced pentesters to the project. To deliver accurate and comprehensive results, they planned and performed the testing activities in line with the OWASP Web Security Testing Guide.
Upon the Customer's request, the team started with black box testing. Simulating the approach of real-world hackers, they scanned the website, web applications, and API for vulnerabilities and tried to exploit the detected security flaws.
The Customer also wanted to explore the security of one web application and its API in more detail. So, after finishing black box pentesting, the team received user and admin credentials to test these two targets using the gray box approach.
The team was pleased to report that the Customer’s efforts in securing its website, web applications, and API paid off. The testers discovered only a few non-critical issues, in particular:
- Expiring SSL certificates. If the certificates were not renewed in time, a malicious actor could easily launch a man-in-the-middle attack. It could also cause reputational damage to the Customer, as visitors to its website and web applications would see a browser warning about an insecure connection.
- A misconfigured Content Security Policy (CSP) that allowed the injection of malicious inline scripts and plugins. Hackers could use this vulnerability for data theft, site defacement, malware distribution, and other purposes.
- Missing security headers that would have offered additional protection against clickjacking, content sniffing, cross-site scripting, and other attacks.
None of the detected vulnerabilities posed a serious risk, as it was unlikely that a potential attacker could successfully exploit them. However, to make sure that those minor flaws could not in any way facilitate a security breach, ScienceSoft recommended fixing them at the earliest convenience. The team described the necessary corrective measures: purchasing or generating new SSL certificates, adjusting the Content Security Policy, and adding the missing security headers (X-Content-Type-Options, X-Frame-Options, HTTP Strict-Transport-Security, and more).
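To show what the three finding types above look like as a repeatable check, here is an added example (not ScienceSoft's tooling or the Customer's code) that audits a set of HTTP response headers for the missing security headers named in the report, flags a CSP that permits inline scripts or plugins, and warns about certificates close to expiry. The header values, hostnames, and dates are constructed for the example; the 30-day renewal threshold is an assumed policy value.

```python
"""Checks for the three finding types from the pentest report: missing
security headers, a CSP that allows inline scripts or plugins, and TLS
certificates that are expired or about to expire.  Sample data is constructed."""
from datetime import datetime, timedelta, timezone

# Headers the report listed as missing, plus CSP (present but misconfigured).
EXPECTED_HEADERS = (
    "strict-transport-security",
    "x-content-type-options",
    "x-frame-options",
    "content-security-policy",
)


def parse_csp(value):
    """Parse a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for directive in value.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = [p.lower() for p in parts[1:]]
    return policy


def csp_weaknesses(value):
    """Return the CSP problems a reviewer would flag, as short strings."""
    policy = parse_csp(value)
    issues = []
    # script-src falls back to default-src when it is not set explicitly.
    script = policy.get("script-src", policy.get("default-src", []))
    if "'unsafe-inline'" in script:
        issues.append("script-src permits inline scripts ('unsafe-inline')")
    if "*" in script:
        issues.append("script-src allows scripts from any origin (*)")
    # object-src governs plugins (<object>, <embed>); it should be 'none'.
    obj = policy.get("object-src", policy.get("default-src"))
    if obj is None:
        issues.append("object-src not set: plugins allowed from any origin")
    elif obj != ["'none'"]:
        issues.append("object-src should be 'none' to block plugins")
    return issues


def audit_headers(headers):
    """Report missing security headers and CSP weaknesses for one response."""
    lower = {k.lower(): v for k, v in headers.items()}
    missing = [h for h in EXPECTED_HEADERS if h not in lower]
    csp = []
    if "content-security-policy" in lower:
        csp = csp_weaknesses(lower["content-security-policy"])
    return {"missing": missing, "csp": csp}


def cert_days_left(not_after, now=None):
    """Days until a certificate's notAfter; negative means already expired."""
    now = now or datetime.now(timezone.utc)
    return (not_after - now).days


def cert_findings(certs, now, warn_days=30):
    """Flag certificates that have expired or expire within warn_days."""
    findings = []
    for host, not_after in certs.items():
        days = cert_days_left(not_after, now)
        if days < 0:
            findings.append(f"{host}: certificate expired {-days} days ago")
        elif days <= warn_days:
            findings.append(f"{host}: certificate expires in {days} days")
    return findings


# Constructed sample data modelled on the report's findings.
SAMPLE_HEADERS = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "default-src 'self'; "
                               "script-src 'self' 'unsafe-inline' cdn.example.com",
    "X-Frame-Options": "DENY",
}
HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'; object-src 'none'",
}
SAMPLE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE_CERTS = {
    "www.example.com": SAMPLE_NOW + timedelta(days=12),
    "api.example.com": SAMPLE_NOW + timedelta(days=200),
}

if __name__ == "__main__":
    print("weak response:", audit_headers(SAMPLE_HEADERS))
    print("hardened response:", audit_headers(HARDENED_HEADERS))
    for line in cert_findings(SAMPLE_CERTS, SAMPLE_NOW):
        print("cert:", line)
```

In practice the header dictionary comes from a real response (for example `requests.get(url).headers`) and the `notAfter` date from the TLS handshake (Python's `ssl` module returns it in `getpeercert()`); the functions above only take the parsed values so the audit can be rerun against saved responses.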
Guaranteed Security in Line with SOC 2
Having eliminated the security issues revealed by ScienceSoft’s pentesters, the Customer was able to ensure the full security of its website, web applications, and API before the SOC 2 compliance audit. The final report provided by ScienceSoft’s team became a valuable addition to the Customer’s compliance documentation.
Technologies and Tools
Metasploit, Wireshark, Nessus, Burp Suite, Acunetix, Nmap, Dirb