otris IT Security: Security First
1 September 2024

otris legal SUITE passes security test

The IT security experts at Trovent Security GmbH have subjected the otris legal SUITE to a thorough pentest. Both the four specialised solutions for contract, participation, process and intellectual property rights management and the otris cloud infrastructure were tested. The result: the test revealed ‘no significant security gaps remaining’.

What is a pentest?
A penetration test (pentest) simulates targeted attacks on a hardware or software system in order to uncover vulnerabilities, identify errors and raise the security standard at both the technical and organisational level. It also serves to have the existing security level confirmed by an independent third party.

What was tested?
As part of the pentest, Trovent Security examined both the specialist solutions and the infrastructure of the otris cloud. A central focus of the examination of the otris cloud infrastructure was the identification of open network ports and misconfigurations. The ‘OWASP Top 10’ served as the most important basis for the examination of the otris legal SUITE.

OWASP Top 10
The ‘OWASP Top 10’ is a compilation of the ten most critical security risks for web applications, published by the Open Web Application Security Project (OWASP, since 2023 the Open Worldwide Application Security Project). The list below follows the 2017 edition of the document; the 2021 edition regroups several of these categories (XSS under Injection, XXE under Security Misconfiguration, insecure deserialisation under Software and Data Integrity Failures) and adds Insecure Design and Server-Side Request Forgery:

  • Injection: This vulnerability occurs when untrusted data is passed to an interpreter as part of a command or query, which can lead to unintended commands being executed or to data in the database being read or manipulated.
  • Broken authentication: Weaknesses in authentication and session management can allow attackers to impersonate other users, including administrators.
  • Sensitive data exposure: Insufficient protection of sensitive data, at rest or in transit, can allow attackers to access private information such as personal or financial data.
  • XML External Entities (XXE): This vulnerability occurs when an XML parser resolves external entity references in untrusted XML documents, which can lead to the disclosure of sensitive files, denial of service or, in some configurations, remote code execution.
  • Broken access control: Flawed access control implementations allow attackers to access resources or functions for which they have no authorisation.
  • Security misconfiguration: Insecure configurations of servers, applications, databases or networks, including unused pages, default accounts with known credentials or outdated software, can be exploited by attackers.
  • Cross-site scripting (XSS): This vulnerability allows attackers to inject scripts (e.g. JavaScript) into pages viewed by other users, which can lead to the theft of session cookies, manipulation of the displayed page or phishing attacks.
  • Insecure deserialisation: Insecure deserialisation allows an attacker to feed manipulated serialised objects to an application in order to execute arbitrary code, crash the application or perform other malicious actions.
  • Using components with known vulnerabilities: The use of libraries, frameworks or other software components with known security vulnerabilities can compromise the entire application.
  • Insufficient logging and monitoring: A lack of logging and monitoring can mean that attacks are not detected or stopped in time, enabling attackers to remain undetected for longer.
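To make the first item concrete, here is an added example that is not part of the otris page or the Trovent report: a login lookup written once with the user input spliced into the SQL text and once with bound parameters, run against a constructed in-memory SQLite table. The table, the two accounts and the payload are assumptions for illustration; the same pattern applies to any SQL database driver that supports parameter binding.

```python
# Added example (not from the otris/Trovent page): OWASP "Injection" shown as a
# vulnerable SQL query next to its parameterised counterpart, standard library only.
import sqlite3

# Constructed sample data: a minimal user table with two accounts (assumption).
CONSTRUCTED_USERS = [("alice", "s3cret-a"), ("admin", "s3cret-admin")]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database seeded with the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", CONSTRUCTED_USERS)
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> list:
    """Untrusted input is concatenated into the query text: injectable."""
    query = (
        f"SELECT name FROM users WHERE name = '{name}' "
        f"AND password = '{password}'"
    )
    return [row[0] for row in conn.execute(query)]


def login_hardened(conn: sqlite3.Connection, name: str, password: str) -> list:
    """Same query with bound parameters: the input is treated as data, never as SQL."""
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (name, password))]


# Classic payload: closes the string literal after 'admin' and uses an SQL
# comment (--) to drop the rest of the WHERE clause, i.e. the password check.
PAYLOAD = "admin' --"


def demo() -> dict:
    """Run both variants with a valid login and with the injection payload."""
    conn = make_db()
    return {
        "vuln_ok": login_vulnerable(conn, "alice", "s3cret-a"),      # ['alice']
        "vuln_payload": login_vulnerable(conn, PAYLOAD, "wrong"),    # ['admin']
        "hard_ok": login_hardened(conn, "alice", "s3cret-a"),        # ['alice']
        "hard_payload": login_hardened(conn, PAYLOAD, "wrong"),      # []
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:13s} -> {result}")
```

The vulnerable variant logs the attacker in as admin without a password because the payload rewrites the query; the hardened variant looks for a user literally named `admin' --` and finds none. Parameter binding is the fix the OWASP entry points at, and it is also what a pentester's automated injection tooling probes for.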

How was the test carried out?
Trovent Security carried out both automated and manual tests. The automated tests used tools that probe the system for known attack vectors. In the manual tests, the security experts took the perspective of potential attackers and used their expertise to try to penetrate the system. The identified attack vectors were evaluated from a technical point of view and according to their probability of occurrence.

Result
The audit of the otris cloud infrastructure and the otris legal SUITE did not reveal any vulnerabilities that would pose a critical or high risk. The test showed ‘no remaining significant security vulnerabilities’.

Pentest certificate from Trovent for otris software AG

About Trovent Security GmbH

Trovent Security GmbH provides services to improve IT security. In addition to pentesting and threat and anomaly detection, Trovent offers consulting on implementing IT compliance. (www.trovent.io)

Request certificate: Confirmation of IT security check

