Security tests of a public institution’s systems

May 14, 2025

Client: National Research Institute

3000 tested subpages, 5 000 000 source code lines

Customer’s challenge

Public institutions, such as the Information Processing Center National Research Institute, cannot afford data leaks. For this reason, the center entrusted us with conducting a cybersecurity audit of five of its systems, including a database of defended theses, a directory of Polish academics and a platform for free online courses. These systems work together to store vital Polish scientific and personal data – the organization needed to be sure they were properly secured.

The process

For each of the systems, we performed separate penetration tests along with simulated attacks on the system and the network using the black box method (without knowledge of the source code or application configuration) to identify vulnerabilities in the security system. We used automated and manual audit methods to test the systems against various classes of vulnerabilities, such as SQL Injection, XML Injection, XSS (Cross Site Scripting), CSRF (Cross Site Request Forgery), Code Execution, Insecure Communications, Source Disclosure, Path Traversal, DoS (Denial of Service), File Inclusion, web server SSL security, Broken Authentication and Session Management, Authorization Bypass, Information Leakage, and Deserialization of untrusted data. In addition, we conducted an analysis of authentication methods and of external devices. We used the latest OWASP vulnerability list to determine the types of attacks.

The results

As a result of the audit, we discovered vulnerabilities in the audited ICT systems, networks and the IT environment in which they operate. We conducted a security assessment of ICT system resources. We provided the client with a comprehensive report summarizing the audit and suggesting solutions to improve the security level of their systems, on the basis of which the security culture in the organization is still being developed.

Case studies:

Security audit of the eCareMed Project

Introduction: We carried out a comprehensive audit and penetration tests of the eCareMed platform, a strategic healthcare system incorporating 15 key medical facilities in the Silesian province last year. The system integrates units of varying specialization and...