Web Application Penetration Testing for a Professional Conference Organizer
Customer
The Customer is a US-based organization that arranges international conferences for researchers in applied sciences such as medical sciences and engineering. In recent years, they have been holding more than 200 events annually.
Challenge
The Customer needed to evaluate the security level of their new web application, which would help them manage conference planning and coordination: from registering attendees to arranging travel and accommodation. Before launching the app, they wanted to ensure that it didn’t contain any security flaws that could compromise the Customer’s or the conference participants’ data.
The Customer was looking for a reliable security testing vendor with proven technical expertise and high service quality. Other essential requirements included conducting penetration testing on short notice (within only two weeks), a clear reporting format, and actionable recommendations on fortifying the web application’s security.
Solution
Impressed with ScienceSoft’s vast cybersecurity portfolio and positive references from our US-based clients, the Customer decided to entrust the pentesting project to ScienceSoft’s security team.
Taking into account the project’s time constraints, ScienceSoft’s security team opted for the gray box approach, which allowed for a thorough exploration of the Customer’s web application and its 5 APIs within a short period of time. ScienceSoft’s security engineers were provided with credentials for testing under different user roles: Headquarters Staff, Venue Staff User, Organizer, and Conferee. The testers planned and performed the penetration testing according to the OWASP Web Security Testing Guide methodology.
Having exhausted all possible ways to break through the web application’s security, ScienceSoft’s security testers were pleased to report that there were no vulnerabilities a potential attacker could exploit. To help maintain such a high level of cyber defense and prevent future data breaches, ScienceSoft recommended that the Customer establish consistent security management policies, such as:
- Performing continuous check-ups for known vulnerabilities: ideally, running vulnerability scanners once a week.
- Documenting all changes made to the web app and conducting vulnerability assessment and penetration testing after any significant modifications are introduced.
- Performing regular backups of important data.
- Preparing an incident response plan, and more.
The entire project, from planning to reporting on the testing results, took 10 days.
Results
The Customer received tangible proof of the high security level of their web application. They also got actionable guidance on keeping their app protected against potential cyber threats.
Technologies and Tools
Nessus, Burp Suite, Acunetix, DirBuster, Postman, Vooki.