As Vsevolod Salnikov (EisphorIA CTO) puts it: “Security by default is when you pass unforeseen audits”, and this is what we have done over the last few weeks.
More specifically, we organized a "penetration test" or “pentest”: an unannounced, simulated cyberattack performed by a third-party specialist in order to evaluate the security of our platform and to identify potential vulnerabilities as well as strengths.
The attacks targeted one of our live platforms: the Enron case, which comprises more than half a million documents (publicly available).
The penetration test focused on the identification of potential access-control issues, both from an unauthenticated and authenticated perspective.
It is important to say that such security tests are not easy to pass without any identified issues, and therefore we are extremely happy with the outcome:
"Overall, the security posture of EisphorIA platform was found to be very good."
Beyond the positive results, the security audit is also an opportunity to stay on top of current best-practices.
How did we get there?
Concretely, in-depth testing was carried out in the following areas: Configuration and Deployment, Authentication and identity management, Authorization, Session management, Input validation and Client-side.
All the tests were conducted by a third-party specialist in a real-life situation and included many activities. Among others:
A brute force attack is a trial-and-error method used to decode sensitive data. The most common applications for brute force attacks are cracking passwords and cracking encryption keys. Other common targets for brute force attacks are API keys and SSH logins. Brute force password attacks are often carried out by scripts or bots that target a website’s login page.
HTTP Strict Transport Security (HSTS) is a simple and widely supported standard to protect visitors by ensuring that their browsers always connect to a website over HTTPS. The business impact of a missing HSTS policy is that an attacker suitably positioned on the same network as the victim could potentially cause the victim to connect to the application over insecure HTTP and sniff the traffic to obtain information or the victim’s authentication token.
Clickjacking is an interface-based attack in which a user is tricked into clicking on actionable content on a hidden website by clicking on some other content in a decoy website.
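As an added illustration (not part of the original audit and not EisphorIA code), here is a small Python checker for two of the controls described above: it flags a missing or weak HSTS header and a missing clickjacking protection (CSP frame-ancestors or X-Frame-Options). The header values are constructed samples; the one-year minimum for max-age is a common recommendation, not a figure from the audit.

```python
# Added example: checks response headers for HSTS and clickjacking protection.
import re

HSTS_MIN_AGE = 31536000  # one year, a commonly recommended minimum (assumption)

def check_hsts(headers):
    """Return a list of findings for the Strict-Transport-Security header."""
    value = headers.get("strict-transport-security")
    if value is None:
        return ["HSTS header missing: browsers may fall back to plain HTTP"]
    findings = []
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.I)
    if not m:
        findings.append("HSTS max-age directive missing")
    elif int(m.group(1)) < HSTS_MIN_AGE:
        findings.append(f"HSTS max-age {m.group(1)} is below {HSTS_MIN_AGE} seconds")
    if "includesubdomains" not in value.lower():
        findings.append("HSTS does not cover subdomains (no includeSubDomains)")
    return findings

def check_framing(headers):
    """Return findings for clickjacking protection (frame-ancestors / X-Frame-Options)."""
    csp = headers.get("content-security-policy", "")
    m = re.search(r"frame-ancestors\s+([^;]+)", csp, re.I)
    if m:  # CSP frame-ancestors takes precedence over X-Frame-Options in browsers
        allowed = m.group(1).strip().lower()
        if allowed in ("'none'", "'self'"):
            return []
        return [f"frame-ancestors allows framing by: {allowed}"]
    xfo = headers.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return []
    if xfo:
        return [f"X-Frame-Options value '{xfo}' is not a valid protection"]
    return ["No clickjacking protection: neither frame-ancestors nor X-Frame-Options set"]

def audit_headers(raw_headers):
    """Normalise header names to lower case and run both checks."""
    headers = {k.lower(): v for k, v in raw_headers.items()}
    return check_hsts(headers) + check_framing(headers)

# Constructed sample responses: one weak, one hardened.
WEAK = {"Content-Type": "text/html"}
HARDENED = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
}
```

Calling `audit_headers(WEAK)` yields two findings, while `audit_headers(HARDENED)` returns an empty list.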
After many other security checks, we can conclude that our platform has been extensively challenged and nothing has been compromised.
Security is an ‘always on’ battle and we will keep running these audits on a regular basis and make every necessary effort to ensure we stay best-in-class.