Wednesday, 11 February 2015

Testing Stories from SPAN’s Trenches (Part 4)

By Lakshminarasimha Manjunatha Mohan

Story 4 - Principled Work Culture with Good Process for the Context Yields

Context:

A Nordic bank with net banking, net loan and net agreements applications was utilizing a security consultant firm to perform Vulnerability Assessment and Penetration tests. This time, SPAN was given a chance to demonstrate its skills. The same applications were given to both SPAN and the consultant firm to carry out penetration tests on the same day with an intention of evaluation.

Description:

It was just another opportunity for SPAN to showcase its capabilities. We were conducting penetration testing on the applications, and on the third day or so we received a message from the System Owner that the other consultant firm had already submitted its test report to the bank. He was keen to understand our testing progress and, more importantly, to check what and how many vulnerabilities we had found. We responded firmly that the testing was not complete: we still had more tests to do, and the tests were yielding many vulnerabilities. We took another two days to complete our testing and deliver the report. By then, our System Owner was a bit anxious to know how our test had gone.

We received a response from the customer bank: we had reported 79 vulnerabilities, of which 63 were HIGH-risk vulnerabilities related to the OWASP Top 10, such as Cross-Site Scripting, and the rest were low- to medium-risk vulnerabilities.

The consulting firm had reported 17 vulnerabilities, of which 13 were HIGH-risk vulnerabilities. We were also informed that the vulnerabilities we had reported included all 17 reported by the other consultant.

Finally, the customer had a question about how quickly we could resolve the high-risk vulnerabilities. It was a catch-22 situation: they had little time left to go to market, yet they could not go without closing the security vulnerabilities. The decision was to find quick workaround solutions for the situation with minimal or no code changes.

We recommended implementing a simple input sanitization filter as a quick fix to the problem, and it was quickly implemented. The products were re-tested and released.
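The kind of quick fix described above, as an added illustration rather than the filter SPAN or the bank actually deployed (the story does not name their platform): a hypothetical WSGI middleware that HTML-encodes every query parameter before an otherwise unchanged application reflects it into a page.

```python
import html
from io import BytesIO
from urllib.parse import parse_qsl, urlencode


def sanitize_value(value: str) -> str:
    """HTML-encode the characters that let a value break out of HTML text or attribute context."""
    return html.escape(value, quote=True)


def sanitize_query_string(qs: str) -> str:
    """Re-encode the query string with every value sanitized; parameter names are kept as-is."""
    pairs = parse_qsl(qs, keep_blank_values=True)
    return urlencode([(name, sanitize_value(value)) for name, value in pairs])


class InputSanitizingFilter:
    """Hypothetical drop-in filter: the wrapped application's own code is not touched."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        environ = dict(environ)  # work on a copy; do not mutate the server's dict
        environ["QUERY_STRING"] = sanitize_query_string(environ.get("QUERY_STRING", ""))
        return self.app(environ, start_response)


def reflecting_app(environ, start_response):
    """Constructed vulnerable app: echoes the 'name' parameter into HTML without encoding."""
    params = dict(parse_qsl(environ.get("QUERY_STRING", ""), keep_blank_values=True))
    body = f"<p>Hello, {params.get('name', '')}</p>".encode()
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [body]


def render(app, query_string: str) -> str:
    """Drive a WSGI app with a minimal environ and return the response body as text."""
    environ = {"REQUEST_METHOD": "GET", "QUERY_STRING": query_string, "wsgi.input": BytesIO()}
    chunks = app(environ, lambda status, headers: None)
    return b"".join(chunks).decode()


if __name__ == "__main__":
    hostile = "name=Bob%3Cscript%3E1%3C%2Fscript%3E"  # constructed test input, URL-encoded
    print(render(reflecting_app, hostile))                         # live markup reaches the browser
    print(render(InputSanitizingFilter(reflecting_app), hostile))  # encoded, rendered as plain text
```

A blanket filter like this also alters legitimate input (a customer named O'Brien, for instance) and only addresses HTML text and attribute contexts, so it buys release time while contextual output encoding is implemented as the durable fix.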

Take Home:

The process and procedures, together with the well-established methodology we followed, ensured thorough testing based on risk analysis with threat models. It also helped us assist the customer in releasing their project and applications on time.

Read Story 1 at http://spansys.blogspot.in/2015/02/testing-stories-from-spans-trenches.html
