20210224 Pentest 2021-Q1 Report & 20210301 White Box Security Audit 2021-Q1 Report

In accordance with our Pentest Program, anDREa engaged nSEC/Resilience for the anDREa White Box Security Audit and the Pentest 2021-Q1.  

The core questions were: 
  1. Can non-authorized people or services access Workspaces or affect anDREa’s core services? 
  2. Can people authorized to a Workspace ‘break out’ to other Workspaces or to the core services of anDREa? 

nSEC/Resilience conducted the White Box Audit from February 8th till 10th, per agreement. The Pentest was conducted from February 15th till 17th; the Pentest report was received on February 24th and the White Box Security Audit report on March 1st.  

Pentest report dated 2021-02-24

The Pentest report gives the impression that the performed tests were deliberate and targeted rather than random scans with printed results. The vulnerability checks were performed using best practices from frameworks such as the OWASP Top 10 and the SANS 25. 

Overall conclusion 

  1. Workspaces cannot directly access or otherwise affect core services  
  2. Workspaces cannot directly access or otherwise affect other workspaces  
  3. Workspace members can modify their own workspace to some degree (e.g. by using the Azure portal to make changes). Some findings suggest that workspace members can perform reconnaissance, but not actual exploitation.   

Findings 

  1. There is 1 finding with high severity and 4 findings with medium severity.  
  2. The high severity finding is about usage of Azure portal by researchers. 
    1. The Researcher role can perform some basic actions on the resources of their Workspace via portal.azure.com. These actions are permitted, but when performed this way they are not auditable.  
  3. Most of the medium severity findings result in reconnaissance without possibility for exploitation. 

Action Plan 

  1. Block access to the identified high risky action by the end of Sprint 3 (March 16th) 
  2. Remediate the medium severity findings by Sprint 5 (April 27th) 

Feedback on the CIA/BIV-classification dated 2021-03-01

Feedback on the CIA/BIV-classification document (email: 20210301@15:25)

The CIA / BIV Classification document appears to be a solid and substantiated CIA rating. The suggestion is to substantiate the document with external references, such as the tables on the ISACA site.

Action Plan

  1. Improve the CIA / BIV Classification document based on ISACA before December 2021.

White Box Security Audit dated 2021-03-01

Overall conclusion

  1. The technical design / architecture is well thought-out and documented. A lot of thought has been given to network design and separation of components. This has also translated into a strong setup for authorizations. 
  2. The logging and monitoring setup, assuming all items currently on the roadmap will be implemented in the short term, is more than adequate.

Findings

  1. One major finding:
    1. Peering and NSG rules allow for transparent communication between workspaces. This is currently already being picked up to be fixed. The high severity finding is about usage of Azure portal by researchers.
  2. Minor finding:
    1. The detailed ACL matrix could be improved by including an overview of which administrative users have the documented roles.

Action Plan

  1. Peering and NSG rules improvements will be remedied by the end of Sprint 3 (March 16th)
  2. The detailed ACL matrix will be considered. 
