The security of Higson is our priority, which is why we periodically commission penetration tests from independent, external testing companies.
The latest penetration test was performed by Cyber Threat Defense (CT Defense), a CREST Certified Member in Penetration Testing.
They identified a few vulnerabilities, which we promptly fixed; CT Defense then verified the fixes. CT Defense made every effort to perform a thorough and comprehensive analysis and to provide appropriate remedial advice.
We’ve summarized the test results in this article.
Some of the findings concern the deployment environment and its configuration rather than the product itself, and those fall under customer deployment services and environment setup. That is why we created a security guide with best practices for our users.
You can find it here: Higson Studio Security Information | Higson.
Penetration testing simulates an attack by a malicious actor in order to find vulnerabilities that an external attacker could exploit.
The goal of penetration testing is to assess your software's security safeguards and controls by attempting to breach the defenses you have configured.
By identifying threats and measuring the damage they could do to your software, developers can counter the vulnerabilities before they are exploited.
CT Defense performed a Web Application Security Assessment designed to evaluate the security and resiliency of Higson's environments within the agreed scope. Understanding the existing vulnerabilities is the first step in remediating them and, ultimately, raising Higson's overall security maturity.
CT Defense assessed the risk that a real-life, targeted attacker poses to the security of Higson. They tested from both unauthenticated (anonymous) and authenticated perspectives.
Unauthenticated testing finds weaknesses that anyone with network connectivity to the Higson environment can exploit; authenticated testing finds vulnerabilities in functionality that is available only to logged-in users.
Since most software solutions offer the majority of their functionality to authenticated users, authenticated testing provides the best insight into the security of the application.
CT Defense follows a structured, phased methodology: information gathering, testing, verification, and notification.
List of Identified Vulnerabilities
CT Defense identified the following vulnerabilities, which we fixed immediately during the engagement.
- Administrative account takeover through weak password policy.
- Web server exhaustion through slow HTTP connections (Slowloris-style denial of service).
- Client-side remote code execution through formula (CSV) injection: spreadsheet formulas placed in exported data are evaluated by the spreadsheet application that opens the file.
- Weak password requirements.
- Malicious file upload: unrestricted upload of files with dangerous types.
- Missing session invalidation after a password change performed by an administrator.
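The formula injection finding above is a class of bug that is easy to reintroduce in any data export. The following is an added example (not Higson's code) of the standard mitigation: prefix any cell that a spreadsheet would evaluate with an apostrophe, quote every field, and audit existing exports for evaluable cells. The sample rows and the attacker-controlled `display_name` values are constructed for the example.

```python
"""Neutralising spreadsheet formula injection in a CSV export.

Added example, not Higson's code. Cells that begin with =, +, -, @, a tab or a
carriage return are evaluated as formulas by Excel and LibreOffice when the file
is opened, so user-controlled data that reaches an export can carry DDE or
HYPERLINK payloads that run on the viewer's machine. The usual mitigation is to
prefix such cells with an apostrophe (forcing text interpretation) and to quote
every field so a value cannot break out of its cell.
"""
import csv
import io

# Leading characters that make a spreadsheet treat the cell as a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(text: str) -> bool:
    """True if a spreadsheet would try to evaluate this cell."""
    if not text.startswith(FORMULA_TRIGGERS):
        return False
    try:
        float(text)  # "-12.5" is a plain number, not a formula
        return False
    except ValueError:
        return True


def neutralize_cell(value) -> str:
    """Return a representation of value that is safe to place in a cell."""
    if value is None:
        return ""
    text = str(value)
    if is_formula_like(text):
        return "'" + text  # apostrophe forces text interpretation
    return text


def export_rows(rows, delimiter: str = ",") -> str:
    """Serialise rows to CSV with every field quoted and formulas neutralised."""
    buf = io.StringIO()
    writer = csv.writer(buf, delimiter=delimiter, quoting=csv.QUOTE_ALL,
                        lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


def find_formula_cells(csv_text: str, delimiter: str = ","):
    """Audit an existing export: (row, column) of every cell that would be evaluated."""
    hits = []
    reader = csv.reader(io.StringIO(csv_text), delimiter=delimiter)
    for r, row in enumerate(reader):
        for c, cell in enumerate(row):
            if is_formula_like(cell):
                hits.append((r, c))
    return hits


# Constructed sample: "display_name" is a field an attacker could set in the UI.
SAMPLE_ROWS = [
    ["id", "display_name", "balance"],
    [1, "Alice", -12.5],
    [2, "=cmd|' /C calc'!A0", 3],
    [3, "@SUM(1+1)", 0],
    [4, "-2+3+cmd|' /C calc'!A0", 7],
]

if __name__ == "__main__":
    # A naive export that just joins the values with commas.
    unsafe = "\n".join(",".join(str(c) for c in row) for row in SAMPLE_ROWS) + "\n"
    print("evaluable cells in naive export:", find_formula_cells(unsafe))
    safe = export_rows(SAMPLE_ROWS)
    print(safe)
    print("evaluable cells in neutralised export:", find_formula_cells(safe))
```

The apostrophe is a visible character if the same file is later imported into a database rather than opened in a spreadsheet, so apply the neutralisation on exports intended for spreadsheets and keep numeric columns numeric, as `is_formula_like` does for `-12.5`.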
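The last finding, sessions surviving an administrator's password change, is worth showing in code because a password reset by an administrator is often the response to a suspected compromise, so any session the attacker already holds must stop working at that moment. The following is an added example (not Higson's code) of one way to do it. The `AuthService` class, the `credential_version` field and the `revoke_sessions` flag are this example's own names; PBKDF2 stands in for whatever password hashing the application uses.

```python
"""Invalidating sessions when an administrator changes a user's password.

Added example, not Higson's code. Two mechanisms are combined: every session for
the target user is deleted, and each session records the credential version it
was issued under, so a session that survives somewhere else (another node, a
replica, a cache) is still rejected once the version changes.
"""
import hashlib
import os
import secrets
import time
from dataclasses import dataclass, field

PBKDF2_ROUNDS = 100_000  # stand-in for the application's real password hashing


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class User:
    name: str
    salt: bytes
    pw_hash: bytes
    is_admin: bool = False
    credential_version: int = 0  # bumped on every password change


@dataclass
class Session:
    user: str
    credential_version: int  # version in force when the session was issued
    issued_at: float = field(default_factory=time.time)


class AuthService:
    def __init__(self):
        self._users: dict[str, User] = {}
        self._sessions: dict[str, Session] = {}

    def add_user(self, name: str, password: str, is_admin: bool = False):
        salt = os.urandom(16)
        self._users[name] = User(name, salt, hash_password(password, salt), is_admin)

    def login(self, name: str, password: str):
        """Return a session token, or None on bad credentials."""
        user = self._users.get(name)
        if user is None or not secrets.compare_digest(
                user.pw_hash, hash_password(password, user.salt)):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user.name, user.credential_version)
        return token

    def current_user(self, token: str):
        """Return the user name for a valid session, or None."""
        sess = self._sessions.get(token)
        if sess is None:
            return None
        user = self._users[sess.user]
        if sess.credential_version != user.credential_version:
            # Issued under a previous password: treat as revoked.
            del self._sessions[token]
            return None
        return user.name

    def admin_set_password(self, admin_token: str, target: str,
                           new_password: str, revoke_sessions: bool = True) -> int:
        """Administrator resets another user's password.

        revoke_sessions=False reproduces the vulnerable behaviour: the hash is
        rotated but every existing session of the target keeps working.
        """
        admin = self.current_user(admin_token)
        if admin is None or not self._users[admin].is_admin:
            raise PermissionError("administrator session required")
        user = self._users[target]
        user.salt = os.urandom(16)
        user.pw_hash = hash_password(new_password, user.salt)
        if revoke_sessions:
            user.credential_version += 1
            stale = [t for t, s in self._sessions.items() if s.user == target]
            for t in stale:
                del self._sessions[t]
        return user.credential_version


if __name__ == "__main__":
    svc = AuthService()
    svc.add_user("root", "long-admin-passphrase", is_admin=True)
    svc.add_user("alice", "correct horse battery staple")
    alice_tok = svc.login("alice", "correct horse battery staple")
    admin_tok = svc.login("root", "long-admin-passphrase")
    svc.admin_set_password(admin_tok, "alice", "reset-by-admin")
    print("alice's old session after admin reset:", svc.current_user(alice_tok))
```

Deleting the sessions handles the normal case; the version check is what catches a session that the delete could not reach, and it costs one integer comparison per request.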
Another potential risk flagged during testing was the use of Vaadin, the Java web framework on which the current Studio is built, which the testers regarded as outdated. Higson Studio is being redesigned in Angular to make the application more user-friendly and more secure.
Once we made the necessary updates based on the findings, CT Defense confirmed that the remediation was successful.