Penetration testing report builds customer trust

Snapshot

Endpoint management companies have an undeniable need for strong product security. While pursuing (and maintaining) business with several high-profile clients, a developer of autonomous endpoint management solutions needed to demonstrate rapid and thorough resolution of any potential security issues.

The company engaged Kalles Group to evaluate the security of their product with penetration testing (“pen testing” for short) and provide a detailed report. After the initial testing, which led to multiple product improvements, Kalles Group provided a retest report. This proof of issue identification and timely, thorough remediation gave the company a valuable tool for building customer trust and led to an ongoing testing partnership with Kalles Group.


Challenge

Demonstrating product security strength from multiple perspectives

The term “endpoint management” refers to the process of actively supervising, authenticating, and updating the access rights of various endpoint devices used by an organization’s personnel to access a network. Systems designed to facilitate and automate this process have extremely high expectations for product security.

To bolster the confidence of current and prospective customers, the company needed a comprehensive penetration test and report to make it clear that their security posture — essentially, the company’s ability to foresee, prevent, and respond to rapidly evolving cyber threats — was exemplary. Product security needed to be evaluated from a variety of perspectives, including:

  • Endpoints running the client
  • Configuration manager server services and applications
  • Various supporting cloud infrastructure components
  • Relay servers

Approach

No stone left unturned: A thorough cycle of testing, remediation, and retesting

Starting in February 2022, Kalles Group conducted pen testing against a lab-based deployment of the company’s endpoint content distribution solution and its Edge platform. The first testing cycle involved the following phases:

  • Open-source enumeration. The tester began by searching the public internet, including code repositories, certificate transparency logs, and DNS records, in an attempt to uncover information that could be leveraged to compromise the company or its product.
  • Understanding the client. While logged into a laptop running the client as an unprivileged user, the tester leveraged a proxy server to capture and understand the traffic sent between the client and the configuration manager server as well as the cloud relay.
  • Testing the cloud relay and CDN. The tester used web-based penetration testing techniques against the content delivery network (CDN) endpoint, which mirrors the content uploaded via the configuration manager server and the cloud relay server.
  • Authenticated testing against the application. The tester authenticated to the web interface of the application and the “Workbench” native application. Various test accounts and roles were created to test permissions boundaries.
  • Manual review of the application source code. Given that the web application ships with the client-side source code accessible on the server, the tester reviewed this code and looked for hardcoded secrets and other potentially sensitive data.

After the first test, the endpoint management company used Kalles Group’s detailed remediation recommendations to apply more robust cloud security standards and to modify its point-to-point communication architecture. The only major finding, rated “medium” severity, was a privilege escalation vulnerability that allowed authenticated “read-only” administrative users to modify certain settings and thereby gain write permissions. Since an attacker would already need some degree of access to the platform to exploit this vulnerability, the overall risk was low.
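To illustrate the class of finding described above (a read-only administrator able to turn a settings update into a grant of write access), here is an added example written for this page; it is not code from the company’s product or from Kalles Group. It assumes a hypothetical two-role settings API and shows the missing server-side check beside its enforced form.

```python
from dataclasses import dataclass, field

# Constructed role model (assumption, not the product's real roles): a full
# "admin" may change settings, a "read-only" admin may only view them.
ROLE_PERMISSIONS = {
    "admin": {"settings:read", "settings:write"},
    "read-only": {"settings:read"},
}
# Fields a generic settings update must never be allowed to touch; otherwise
# "modify settings" silently becomes "grant yourself write access".
PROTECTED_FIELDS = {"role"}


@dataclass
class User:
    name: str
    role: str


@dataclass
class Settings:
    values: dict = field(default_factory=dict)


def can_write(user: User) -> bool:
    return "settings:write" in ROLE_PERMISSIONS.get(user.role, set())


def update_settings_vulnerable(user: User, settings: Settings, patch: dict) -> bool:
    """Vulnerable: relies on the UI hiding the save button from read-only admins.
    Any authenticated user can submit any field, including their own role."""
    for key, value in patch.items():
        if key == "role":
            user.role = value            # self-escalation path
        else:
            settings.values[key] = value
    return True


def update_settings_hardened(user: User, settings: Settings, patch: dict) -> bool:
    """Hardened: enforce the role on the server and reject protected fields."""
    if not can_write(user):
        return False                     # read-only admins are denied outright
    if PROTECTED_FIELDS & patch.keys():
        return False                     # role changes need a separate workflow
    settings.values.update(patch)
    return True


def demo():
    """Returns (escalated_via_vulnerable, hardened_denied, hardened_admin_ok)."""
    settings = Settings()
    viewer = User("viewer", "read-only")
    update_settings_vulnerable(viewer, settings, {"role": "admin", "relay_url": "x"})
    denied = not update_settings_hardened(User("viewer2", "read-only"), settings, {"role": "admin"})
    ok = update_settings_hardened(User("ops", "admin"), settings, {"relay_url": "y"})
    return can_write(viewer), denied, ok
```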

Kalles Group worked with the endpoint management team to brainstorm ways to resolve the privilege escalation issue and other issues that were deemed to be of minor severity. As soon as all proposed solutions were in place, Kalles Group conducted a retest (in April 2022) and verified that all gaps in need of remediation were resolved. The testing team noted that the company’s response to all identified issues was swift and thorough.

Results

A strong selling asset and a long-term testing relationship

The retest report has become a strong component of the company’s sales strategy, since it demonstrates the company’s commitment to quick action on security vulnerabilities. Considering how often they use the report in dealings with customers, the company intends to work with Kalles Group on an annual basis to keep it fresh. In fact, the company invited Kalles Group back in March 2023 to perform a retest with an expanded scope.

In the words of the company’s Senior Director of Information Security, “We hired Kalles Group for our yearly third-party penetration test. The experience was very positive, and they provided a great report with all the needed information. Being able to have a thorough look at our Application and Cloud security allows us to report our status to our clients and assure them we are taking a proactive approach to cybersecurity. Wonderful experience working with the team at the Kalles Group!”

It should be noted that multiple pen tests were performed on the endpoint management product by other third parties and clients, and none of these have yielded any new findings in the areas already tested by the KG team. This further strengthened the company’s confidence in Kalles Group as a pen testing partner. Going forward, Kalles Group will be testing the company’s new products on a rolling basis to provide a high level of security assurance to end customers.
