Failed Pen Test Takes Critical App Offline


THE SITUATION

A massive UK organisation performed a penetration test on a critical internet-facing application. The 15-year-old application manages crucial business processing, as well as both customer and partner interactions.

The pen-test reported severe bugs in both authentication and data access authorisation (i.e. all data in memory could be viewed without logging in). Based on their multi-billion GBP global revenue, the potential GDPR fine was in the hundreds of millions of GBP. Accordingly, the system was taken offline. The development team estimated at least 3 months to rewrite the application to address the stated issues, whilst the security team stated that these problems were purely in the application domain and that no external security appliance addresses them.

Although that was true, the CISO knew of RedShield from his role at a previous company and so contacted us for assistance. 5 days later the application was brought back online following a clean pen-test. The pen-testers, development and security teams were “bewildered and amazed” at how fast we’d remediated such complex flaws, with zero code touch.


OUR SOLUTION

RedShield reviewed, analysed and replicated the penetration testing results and proposed solutions for ALL reported issues. For the authentication and authorisation bugs, application-specific shields were customised to change the application's behaviour from an external code module.

The shields were trialled for both effectiveness and compatibility. Being an in-path proxy solution, no code changes were required to implement these shields, and no activity was required of the customer teams other than DNS and firewall changes.
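To make the in-path idea concrete, here is an added, illustrative example of the general pattern (not RedShield's code, and not the customer's application): a proxy-layer middleware that enforces a valid session in front of a backend that returns data without checking login. The backend (`vulnerable_app`), the protected path prefix, the cookie name and the signing secret are all hypothetical, constructed for the demonstration; the point is that the authentication check lives entirely in the layer in front of the application, so the application itself is untouched.

```python
"""Illustrative 'shield' middleware: an in-path layer that enforces
authentication in front of an application that lacks it.
Added example; the backend and all names here are hypothetical."""
import hashlib
import hmac
from http.cookies import SimpleCookie

# Constructed demo secret for validating session cookies at the proxy layer.
# A real deployment would load this from a secret store, never from source.
SHIELD_SECRET = b"constructed-demo-secret"

# Hypothetical: paths that must only be reachable with a valid session.
PROTECTED_PREFIXES = ("/api/",)


def vulnerable_app(environ, start_response):
    """Constructed stand-in for the backend: it returns customer data for any
    request, with no login check at all (the class of flaw the page describes)."""
    path = environ.get("PATH_INFO", "/")
    if path.startswith("/api/customers"):
        start_response("200 OK", [("Content-Type", "application/json")])
        return [b'{"customers": ["alice", "bob"]}']
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"public landing page"]


def sign_session(user):
    """Issue a cookie value 'user.hmac' that the shield will later verify."""
    mac = hmac.new(SHIELD_SECRET, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}.{mac}"


def session_is_valid(cookie_value):
    """Verify the HMAC on the cookie value using a constant-time comparison."""
    if not cookie_value or "." not in cookie_value:
        return False
    user, mac = cookie_value.rsplit(".", 1)
    expected = hmac.new(SHIELD_SECRET, user.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def shield(app):
    """Wrap a WSGI app so protected paths require a valid session cookie.
    The wrapped app is never modified; requests simply do not reach it
    unless the check passes."""
    def wrapped(environ, start_response):
        path = environ.get("PATH_INFO", "/")
        if any(path.startswith(prefix) for prefix in PROTECTED_PREFIXES):
            cookies = SimpleCookie(environ.get("HTTP_COOKIE", ""))
            session = cookies["session"].value if "session" in cookies else None
            if not session_is_valid(session):
                start_response("401 Unauthorized", [("Content-Type", "text/plain")])
                return [b"authentication required"]
        return app(environ, start_response)
    return wrapped


def call(app, path, cookie=None):
    """Drive a WSGI app in-process and return (status, body), so the
    behaviour can be checked without a network listener."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    environ = {"PATH_INFO": path, "REQUEST_METHOD": "GET"}
    if cookie:
        environ["HTTP_COOKIE"] = cookie
    body = b"".join(app(environ, start_response))
    return captured["status"], body


# The shielded application: same backend, with the check placed in front.
shielded = shield(vulnerable_app)

if __name__ == "__main__":
    print("backend alone  :", call(vulnerable_app, "/api/customers"))
    print("shield, no auth:", call(shielded, "/api/customers"))
    print("shield, auth   :", call(shielded, "/api/customers",
                                    "session=" + sign_session("alice")))
```

Compatibility testing matters as much as the check itself: the prefix list must cover every data-bearing route (otherwise the flaw is only partly closed) while leaving genuinely public routes such as the landing page untouched, which is why the page describes trialling shields for both effectiveness and compatibility before production.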


“We were in an untenable situation. The app being offline would cause huge business impact, the GDPR fines were too high to risk accept, and the application could not be quickly fixed. The fact that RedShield resolved these vulnerabilities so quickly was a business life-saver! The team, and the pentesters, were amazed and bewildered at what RedShield achieved.”


THE RESULT

With shields up on the test site, the application was re-pen-tested and passed cleanly. Migration to production occurred over the next few days, following a staged deployment of generic and then application-specific shields, with both compatibility and security testing at each stage. Once the testing results were satisfactory, the maintenance page was removed and the app was brought back online. As well as addressing the security bugs, RedShield added a privacy statement, cookie banner and session tracking (also required for GDPR) with zero code touch. As a side bonus, the application is now reportedly running faster, and the reporting and monitoring of the application’s security and of attacks against it is well beyond anything they had before.

May 21, 2020