Manual Penetration Testing for ContractPal
ContractPal provides solutions that process documents with sensitive data and thus, needs reliable security assessment. Their customers require proof of regular code review and security audits, with a specific requirement for manual ethical hacking by a third party organization that is skilled and certified in performing penetration testing. This requirement made an automated tool assessment ineffective, therefore ContractPal partnered with SoftServe to perform Manual Penetration Testing.
“We have a working relationship with SoftServe that spans several years. We know their engineers to be highly competent, well educated, and articulate and honest in their work. We selected SoftServe as our partner for this project because of our existing relationship and their written and verbal documentation representing their ability to deliver the service needed at a reasonable cost,” said David Martineau, CTO, ContractPal.
SoftServe`s Security team of three Certified Ethical Hackers executed the project in two weeks. The test process included manual penetration testing with the market’s best security testing tools. The testing process included the following activities:
- Dynamic application security testing
- Manual penetration testing
- Application source code analysis
To ensure a comprehensive analysis, the security experts used such methodologies as OWASP Application Security Verification Standard, OWASP Testing Guide, and Penetration testing Execution Standard. The team reported the most critical vulnerabilities (namely a Cross Site Request Forgery which is ranked #8 in the TOP-10 Web ap plication vulnerabilities according to OWASP) with detailed descriptions and video proof of each defect to help ContractPal’s development team eliminate the bugs, along with technical recommendations on how to correct the identified security issues.
The collaborative security teams performed the audit taking into account all of the client requirements as well as security best practices and helped ContractPal:
- Save costs and avoid penalties due to non-compliance with security policies
- Protect the company’s brand and ensure the security of sensitive client information
- Ensure the application’s security met the security requirements of their internal policy
- Open opportunities for collaboration as a trusted vendor/partner with new clients
“The successful delivery of the project in a relatively short amount of time and on budget resulted not only in a clear and concise security analysis and overview, but several GB of log files that help us identify attack vectors. We were able to meet the requirements of our customers, identify areas to improve, as well as obtain patterns that can be analyzed to prevent future exploits. By having access to the codebase, SoftServe had the additional advantage of identifying potential weaknesses from an “internal” perspective, helping us produce a better product. Security and compliance are moving targets and building a secure and compliant infrastructure requires constant effort. Our regular reviews require us to work with organizations who are informed and maintain qualifications for performing assessments. We intend to continue our working relationship with SoftServe so long as they offer this service at the level we need,” David Martineau, CTO, ContractPal.