Case Study

National Information Processing - Security testing

About the client

National Information Processing is a state-owned institution that gathers and shares complex data concerning national education. It also provides IT systems that support the development of science and higher education in Poland.

Client’s need:

A public institution cannot allow any security breaches, so every system we audited had to be thoroughly verified for flaws and misconfigurations. These systems interoperate and store important information about Polish science as well as personal data. Because they operate in an environment exposed to malicious attacks, they had to undergo acceptance tests.

Scope of the project:

We were contracted to run a security audit for 5 systems developed by NIP:

  • Navoica – free e-learning and online courses platform
  • POL-on – integrated information system containing data related to science and higher education
  • ORPPD – a database of defended theses
  • Polish Science Bibliography – a catalogue of Polish researchers
  • Integrated Science Service System – Financial Stream Servicing – a system designed to register and service science funding requests, which consists of 8 modules

The process

Team

5 cybersecurity specialists working from TestArmy Group SA headquarters and partially from the client’s office

Project length

23 weeks – finished on 24.05.2019

Value

184 500 PLN

Stage 1

For every system, we conducted penetration tests in which our specialists simulated breaking into the systems using a black-box method (without knowledge of the source code or the systems’ configuration) and identified the weak spots of each system’s security.

We used automated and manual methods of running the audit to check the systems for vulnerabilities such as:

  • SQL Injection
  • XML Injection
  • XSS (Cross Site Scripting)
  • CSRF (Cross Site Request Forgery)
  • Code Execution
  • Insecure Communications
  • Source Disclosure
  • Path Traversal
  • DoS (Denial of Service)
  • File Inclusion
  • Web server’s SSL mechanism security
  • Broken Authentication and Session Management
  • Authorization Bypass
  • Information Leakage
  • Deserialization of untrusted data

We also analyzed the authentication methods and performed an analysis of external devices. We used the OWASP Vulnerabilities List to classify the types of attacks.

Stage 2

We performed a thorough white-box analysis of the systems. We focused on the technologies used and possible vulnerabilities, and worked on finding newer, safer electronic solutions.

We analysed:

  • systems’ and network documentation
  • the technical area of the systems and their IT environment
  • the correctness and comprehensiveness of the security infrastructure in place
  • the effectiveness of the security solutions
  • the IT systems for threats such as network attacks, data transmission hazards, application threats, communication threats, technical malfunctions, cryptographic threats and human errors

We analyzed source code and technologies used in each system, such as:

Javascript | MongoDB | Python | Open Edx | Apache Kafka | Java | Spring
KeyCloak Java | Spring Security | LDAP | MySQL | Angular | TypeScript
Lucene | ElasticSearch | Oracle | Oracle Business Intelligence EE
Oracle Data Integrator | Hadoop | Spring Boot | Apache CXF | Java 8
Struts 1.3 + JSP | JSF2/EJB/CDI + PrimeFaces | WildFly 10 | Oracle 12c

In the last stage of the audit, we performed control tests to check the correctness of the installation and configuration of the relevant IT systems.

The control consisted of:

  • Network layer audit
  • Operating systems layer audit (servers, disk arrays, libraries)
  • Database layer audit
  • Penetration tests performed inside the client’s office, to identify whether the security systems could be successfully breached from NIP’s HQ

Results

We’ve tested

  • Almost 3,000 unique subpages/forms
  • Over 5 million lines of source code
  • Over 160 types of users with different privileges

Security audit outcomes

  • We gathered information about existing vulnerabilities and weaknesses in the security of the IT systems, network and IT environment we audited
  • We performed a reliable assessment of the IT systems’ data security
  • We provided the client with a comprehensive summary report with suggested solutions to raise the systems’ security level. It serves as the basis for their further development.
