Client
The client is a US global management consulting firm that helps businesses and not-for-profit organizations evaluate management decisions.
Business Challenge
The client wanted to implement the SOHA Systems’ service offering, SOHA Cloud, into their existing system and needed to perform a security assessment. SOHA Cloud enables enterprises to expose their internal applications, deployed in a data center (behind a firewall) or in a public cloud (inside a VPC), to end-users over the Internet without compromising security. SOHA Cloud integrates data path protection, identity access and application security, as well as management visibility and control, into a single service.
The main goals of the security assessment were the following:
- ensure that the SOHA Cloud couldn’t be compromised by its clients;
- verify that SOHA did not expose client infrastructure and restricted applications to end users.
DataArt was chosen as a trusted development partner with strong system security experience. Penetration tests were carried out using a pure “black box” approach, with no prior knowledge of the environment. SOHA created two paid test accounts and supplied DataArt with their administrative credentials.
Solution
In order to accurately evaluate the security of the SOHA Cloud, DataArt experts performed various tests utilizing industry-accepted penetration testing methodologies. The testing consisted of the following phases:
- Information gathering: collecting publicly available information about the target platform in order to become familiar with the functionality and the placement of security controls.
- Network scanning: scanning ports of the server-side environment and identifying network-level vulnerabilities using a combination of commercial and non-commercial scanning tools.
- Application and server assessment: identifying and confirming the exploitability of common application and server vulnerabilities, utilizing both automated and manual techniques. In addition, DataArt employed specific manual techniques for the agent deployed at customers’ data centers, using industry-accepted guidelines from the Open Web Application Security Project (OWASP).
- Reporting: compiling a report consisting of a non-technical executive summary and detailed technical sections with a prioritized list of findings and practical recommendations for remediation.
The DataArt security team followed security-testing guidelines based on:
- ISECOM’s Open Source Security Testing Methodology Manual (OSSTMM)
- the Open Web Application Security Project (OWASP)
