Service Offered: Pre Release Product Security Testing
Goal: To establish the security competence of a new product before launching into the market.
Client Profile
This client was an IT services firm engaged in building and selling ERP packages to manufacturing units. At the time of this assessment, the client was 1500 members strong and was about to release its latest product. They provided IT solutions to manufacturing units located in the Middle East.
Requirements
The ERP package being launched by the client was a comprehensive software bundle catering to every need of a manufacturing unit. It could also be customized to suit the needs of any particular manufacturing unit.
Owing to the enterprise’s considerable brand value, expectations for the new product were high. The client was therefore unwilling to take any chances with the product and wanted a thorough security check performed on it, including reverse engineering, in order to root out any vulnerability or threat hidden inside.
Any security compromise of the product could immensely damage the company’s goodwill and brand value, not to mention the cost of damage control and other implications.
Our Solution
This client selected COE Security for being the exclusive and competent solution provider in the Product Security Testing space.
COE Security, on its part, embedded its research-backed Pre Release Product Security Testing Lifecycle into the client’s enterprise. COE Security performed a detailed security assessment of the product in question and identified loopholes, some of which are listed below.
A time bomb was detected that would crash the application every alternate month owing to a conflict in the product’s internal workings. It was found that this time bomb had been introduced inadvertently by one of the developers.
Malicious executable code injected in the last build was also found in the product. This code had the ability to provide remote access.
A detailed and comprehensive report was furnished to the client with the above findings and other such revelations. Suggestions and recommendations were also made to enable the client to protect against future threats and related risks.
Impact
COE Security’s revelations enabled the client to streamline the product further and make it more robust in terms of security.
Customer Industry: Logistics
Service Offered: Reseller Product Security Testing
Goal: To establish the security competence of a new product before marketing it.
Client Profile
This client was a leading player in the reselling segment. The stable of products they marketed ranged from heavy-duty games to large-scale ERP packages. Their customer list contained most of the large companies in the world. Having been in this business for over a decade, they had built up very good brand value in the market and were therefore very meticulous about every product they distributed.
Requirements
The product in question was a Personal Assistant program. This product kept track of virtually every aspect of one’s life – from birthdays and weddings to meetings and seminars. It had a customizable address book and accounts manager. It could even connect to the Internet automatically and send messages to preset addresses. To add to all this, it boasted an authentication mechanism that prevented unauthorized access to private information.
Since this product held an individual’s private information, the client wanted a stringent security assessment performed on it, because any breach in the security of this product could have a devastating effect on the client’s goodwill, brand value and finances.
Our Solution
This client selected COE Security for being the exclusive and competent solution provider in the Product Security Testing space.
COE Security, on its part, embedded its research-backed Reseller Product Security Testing Lifecycle into the client’s enterprise. COE Security performed a thorough security assessment of the product in question and identified loopholes, some of which are listed below.
The most dangerous threat, a proxy Trojan, was detected in the address module of the product. A proxy Trojan turns the victim’s computer into a proxy server, making it available to the whole world.
It was found that one of the product’s developers had unintentionally left a backdoor in the product. This backdoor allowed a user access without proper authentication.
A detailed and comprehensive report was furnished to the client with the above findings and other such revelations. Suggestions and recommendations were also made to enable the client to protect against future threats and related risks.
Impact
COE Security’s revelations enabled the client to save huge sums of money in compensation and losses. They immediately halted their plans to market this product and went back to the product’s vendor with the findings.
Customer Industry: Business
Service Offered: Pre Deployment Product Security Testing
Goal: To assess the robustness of a new firewall product that the client intends to deploy in their organization.
Client Profile
The client is a leading management consultancy firm with operations in over 40 countries. Their activities include auditing, management consultancy and advertising. They cater to the who’s who of the corporate world and are, at any given point in time, in possession of confidential financial and business information of their customers.
Requirements
Given that the client holds sensitive information at all times, and given the growing perceived risk of corporate espionage, the client decided to deploy a new, updated firewall in their enterprise. But there was always a chance that the new firewall, though from a reputed vendor, had security loopholes that could compromise the integrity of the client’s information. They could not take that chance, and therefore requested a comprehensive security check on the product before deploying it in their organization.
Our Solution
This client selected COE Security for being the exclusive and competent solution provider in the Product Security Testing space.
COE Security, on its part, embedded its research-backed Pre Deployment Product Security Testing Lifecycle into the client’s enterprise. COE Security performed a thorough security assessment of the firewall and identified a few issues.
The firewall contained executable sniffer code disguised as a packet tracker. This program could covertly sniff packets and transfer them to a remote location.
Upon investigation, it was found that this code had been injected while the product was in transit from the vendor to the reseller.
This reasserts the fact that the security assessment of any product has to be undertaken at every stage of the supply chain in order to guarantee a pristine product in the hands of the end user.
A detailed and comprehensive report was furnished to the client with the above findings and other such revelations. Suggestions and recommendations were also made to enable the client to protect against future threats and related risks.
Impact
COE Security’s revelations enabled the client to save huge sums of money in compensation and losses. Since then, they have had every product thoroughly checked by COE Security before deploying it in their organization.
Customer Industry: Banking and Finance
Service Offered: Enterprise Product Security Testing
Goal: To ascertain the current security susceptibility level of the enterprise in terms of the software installed on its internal network PCs.
Client Profile
This enterprise was a large financial institution located in the state of Washington, United States. Its daily operations involved all the typical banking and stock-market-related services. At the time of this assessment exercise, the enterprise had a customer base of over 12,400 customers and was growing at a very fast pace.
Requirements
Owing to its rapid growth, it was a constant threat to its competition. To further fuel its progress, the Internet was being used widely across the organization for carrying out online transactions. This prompted the client to have their current stable of software products assessed in order to identify any signs of corporate espionage or product compromise.
Our Solution
This client selected COE Security for being the exclusive and competent solution provider in the Product Security Testing space.
COE Security, on its part, embedded its research-backed Enterprise Product Security Testing Lifecycle into the client’s enterprise. COE Security performed a detailed security assessment of the complete list of products installed on user PCs, servers and other network components. The list of products included financial products, office productivity suites, PDF readers, messenger clients, download managers, etc.
After an exhaustive assessment, COE Security found the following threats:
Adware programs hidden inside the download managers.
Mail clients and chat messengers were infected with stealth keyloggers.
Owing to employees downloading unverified software, spyware was found infecting the Internet Explorer browser and spreading rapidly across the network, causing the network to be jammed all the time.
A detailed and comprehensive report was furnished to the client with the above findings and other such revelations. Suggestions and recommendations were also made to enable the client to protect against future threats and related risks.
Impact
The revelations enabled the client to reinforce the organization’s security perimeter and made the client realize the importance of regular assessments. They now conduct Enterprise PST exercises at regular intervals in order to protect against potential future threats.
Customer Industry: Stock Broking
Service Offered: Web Application Penetration Testing
Goal: To assess the security vulnerability of the client’s online share trading portal.
Client Profile
A Fortune 500 company with major stakes in petrochemicals, polychemicals, telecommunications, gas and information technology. As part of its diversification spree, this client was venturing into stock broking. For this, they were setting up an online stock trading portal from which a user could carry out share trading with confidence.
Requirements
Provide secure transaction functionality to its online customers.
Check the susceptibility of the portal to hack attacks.
Facilitate confidentiality and integrity of customer information.
Our Solution
This client selected COE Security for expertise in assessing complex web applications for security risks.
COE Security, on its part, applied its research-backed methodology to identify the inherent security vulnerabilities in the portal. Based on just the provided IP address, COE Security was able to identify that:
The portal was vulnerable to SQL injection on its customer login page. Further, it was possible to extract the internal database username and password of the 'sa' account.
It was possible to traverse the directories on the web server, thus revealing the entire source code of the application.
It was vulnerable to cross-site scripting attacks in over fifteen of its web pages. This vulnerability enabled an attacker to inject malicious scripts into the portal’s pages that logged user credentials and posted them to an outside server (the attacker’s server).
A detailed and comprehensive report was furnished to the client with all the findings, coupled with a reconstruction of the attacks performed. Suggestions and recommendations were also made to enable the client to shield the portal from security risks in the future.
Impact
COE Security’s revelations helped the client make the portal more efficient and robust in terms of security. The early assessment also saved huge sums of money in damage control and recovery.
Customer Industry: Business and Finance
Service Offered: Network Packet Security Testing
Goal: To assess the efficiency and identify the bottlenecks in the internal LAN of the client.
Client Profile
The client was a leading stock exchange in Europe. Every day, thousands of transactions worth hundreds of millions were carried out on the exchange, and much of this happened on the exchange’s internal network.
Requirements
To assess the efficiency of the internal network.
To identify any existing or potential bottlenecks resulting from employee activities or otherwise.
To identify wasteful usage of bandwidth.
To check for the presence of any malicious programs on the internal network, such as worms, spyware, Trojans, etc.
Our Solution
This client selected COE Security for expertise in assessing complex and large networks for security risks.
COE Security, on its part, applied its research-backed methodology to identify the inherent security vulnerabilities and threats in the network. A thorough analysis of the packets traversing the network revealed many issues, some of which are:
A major part of the network bandwidth was being consumed by broadcast traffic.
A few systems on the network were infected with spyware that opened random ports on the PCs and sent unsolicited packets to other PCs on the network. This was leading to a heavy loss in network efficiency and employee productivity.
Sensitive information such as usernames and passwords was being transmitted in cleartext, making it easy for any malicious sniffer program to capture the packets and transfer them outside the network.
A detailed and comprehensive report was furnished to the client with all the findings, coupled with screenshots and descriptions of the offending packets. Suggestions and recommendations were also made to enable the client to protect against emerging network risks.
Impact
COE Security’s revelations helped the client make the network more efficient and improved the enterprise’s productivity.
Customer Industry: Software
Service Offered: Piracy Testing
Goal: To assess the strength of the licensing mechanism in the given product. In other words, to test whether the freely available demo version of the product can be converted into the full version.
Client Profile
A multinational product development company with worldwide sales in excess of $400 million. The client was planning to launch a commercial web development IDE into the market. This product supported the latest web development languages and had a very user-friendly interface. This interface enabled even a novice to put up his/her own web site in just a few mouse clicks. The tool also provided many features that made building a web site seem like a very easy job.
Requirements
As a marketing ploy, the company released a trial version of the software (shareware) which would work for a period of ten days, after which the user was required to enter a serial key, register online and activate the product. Further, the trial version had only a limited number of features enabled; for the remaining features, the user had to obtain a valid license from the product vendor or a reseller. Upon completion of the ten-day trial period, the product would deny the user access and pop up a window every now and then requesting that the user either purchase the product or uninstall it.
The strength of this protection mechanism had to be adjudged.
Our Solution
The client selected COE Security for being the exclusive and competent solution provider in the Piracy Testing space. COE Security performed a detailed assessment of the product in question and identified loopholes, some of which are listed below.
With the application of a few reverse engineering techniques, it was possible to retrieve a working license key from the product.
The activation splash screen could be bypassed using reverse engineering techniques.
A detailed and comprehensive report was furnished to the client with the above findings and other such revelations. Suggestions and recommendations were also made to enable the client to fortify the licensing mechanism in the product.
Impact
COE Security’s revelations enabled the client to streamline the product further and make it more robust in terms of security.
Note: Due to strict privacy policies and the non-disclosure agreements we have signed, we are unable to furnish customer details in these case studies.