Description
Client: Vistra
Category: Product Security
Date: 9 November 2022
Vistra is a service-based company with a functional reach at multiple locations across the globe. It helps businesses to improve through its fund administration and other corporate services. Vistra assists its clients to employ more people, expand into new markets, improve their productivity, and structure their businesses more efficiently. The company provides expert services in different domains including Governance, Risk & Compliance, Advisory & Transaction Support, Finance, Accounting & Administration, and other similar corporate activities.
Project Requirement
Vistra wanted a thorough scan of their web application.
- A comprehensive VAPT testing of their Web Application to find all security gaps.
- Exploiting the application vulnerabilities from a hacker’s perspective and giving recommendations on fixing security issues to protect sensitive data.
- An accurate evaluation of current security status and appropriate recommendations to level it up.
Strategies We Used
We split our team to take care of every requirement simultaneously and prepare a precise and comprehensive test report within a short time.
- OWASP Security testing, NIST, PTES, OSSTMM security guidelines, and other security testing standards were leveraged during the assessment.
- The RSK testing team uncovered all the hidden vulnerabilities within Vistra’s web application.
- We suggested appropriate action plans to close the security gaps. Also, our team developed a security roadmap to assist them to meet compliance and regulations.
Processes Involved
We did a thorough analysis of the web application from both ends.
- VAPT of the web application to determine its security resilience and uncover all vulnerabilities.
- Auditing of the application through professional scanners such as Nessus Professional, and Burp Suite Professional.
- All the obvious vulnerabilities were exploited by the RSK team to determine their impact.
- Preparing Security Audit Report (SAR) for the client to help them in implementing solutions.
- And obviously, the basic processes such as Pre-engagement Interactions, and threat modeling were also there in our scheme to VAPT.
Vulnerabilities Found
We uncovered 4 critical, 5 high, 13 medium, and 20 low-severity vulnerabilities. Major security issues we found were
- SQL Injection
- Privilege Escalation
- Session Mismanagement
- Cross-Origin Request Sharing
- Exposed XML Parser
- Insecure Deserialization
Mitigations and Remediations
Limit access control to minimum privileged functions required.
A specific policy for the documentation of handling errors
Results
Delivered the test report covering all found vulnerabilities and potential ways to fix them within the set deadline.
The tested application was not secured in a manner aligned with good practice. We assisted in simplifying internal and external security practices to fix it.
The client was successfully able to fortify its security posture after deploying the mitigation steps suggested by our VAPT services team.
Vistra’s web application and related business are now protected from security risks such as Data Loss, Financial Loss, Reputation Damage, and Loss of Client Trust
