Pentest in the field of robotic process automation (RPA)
Germany | Robotics | Penetration testing | ASP.Net
We tested an RPA product for a customer from Germany that now operates globally. The software is a complex platform based on ASP.Net and consists of several sub-platforms that can be deployed individually or as a package. The complexity of the software and the large number of possible configurations made the test a particular challenge. Over the course of two penetration tests, several vulnerabilities, including two critical ones, were found and fixed.
Throughout the penetration test, which was carried out on a demo environment, we reported important findings directly to the technical teams via Slack, so that the production systems could be protected in parallel while the test was still running.
Pentest of a financial portal
Germany | Finance | Penetration testing | Java
Every year, we carry out a penetration test of a SaaS platform for a German medium-sized company. The platform is based on Java and is used by several thousand customers. Here, too, the actual penetration test always takes place in a test environment, so that DSecured never comes into contact with real customer data. Several serious vulnerabilities were identified during the first penetration test. Over the course of the cooperation, we were able to significantly reduce the number of vulnerabilities. The company now follows an "on-demand" approach and uses our Pentest as a Service offering.
A small shop system (WordPress with WooCommerce), hosted on a separate server, is connected to the platform and was also tested by us, in this case as a white-box test. Testing of the SaaS platform itself started as a black-box test and evolved into a grey-box test over the years.
Monitoring the perimeter of a German car company
Germany | Automotive industry | eASM
A German car manufacturer commissioned us to analyze the state of its external attack surface with the help of Argos. Within a few days, hundreds of vulnerabilities, misconfigurations and obvious security gaps were found across hundreds of domains and thousands of subdomains. The focus was on serious and critical vulnerabilities. Above all, the company wanted to know how much shadow IT it had. DSecured received no information apart from the name of the company and had to proceed like a real attacker would.
Argos external attack surface management plays a special role in this type of engagement, as it can provide the relevant data within a few hours. It then keeps monitoring the entire perimeter; the company quickly realized how important continuous monitoring is.
Red Teaming for an airline in the Middle East
Middle East | Transportation | Red Teaming | eASM
This was probably one of our most exciting projects. We planned and carried out a red teaming engagement for a major client from the Middle East with a team of six people. The focus was on externally accessible systems. In consultation with the customer, we were asked to attempt to reach the internal network. The customer wanted to know whether the internal network could be reached from the outside and whether critical systems could be accessed from there.
It turned out that reaching the internal network was not even necessary as a first step: despite existing security measures, we found critical vulnerabilities in the externally accessible systems that allowed us to read and modify passenger data. Access to Active Directory (AD) was possible via a complex application that Argos eASM had discovered. We were also able to gain partial access to flight communication systems, fortunately read-only. The customer has since significantly increased its investment in IT security.
Pentest as a service for a large publishing house
Brazil | Publishing | Penetration testing
As part of a longer collaboration, we carried out penetration tests against the systems of a large publishing house over a period of several months. The publisher opted for our Pentest as a Service offering because it was important to the company that the tests could be carried out regularly and without great effort. With the help of Argos, we were able to quickly identify changes to the publisher's systems and react accordingly.
Every time a significant change was made to a system (a new API, website, IP address, ...), we sat down as a team and tried, often successfully, to find a vulnerability in it. This showed how quickly attackers can react to change and how effectively even small vulnerabilities can be exploited. By working with DSecured, the publishing house has significantly improved its IT security and realized that a single annual penetration test is no longer sufficient and can give a false sense of security. It was particularly rewarding to work with a management team that understood IT security as an ongoing process of reducing risk.