With increasing security threats to mission-critical network IT resources and serious legal consequences for mismanaging information, IT security products are required not only to provide a high level of security but also to demonstrate that they are in fact secure. One of the best ways to do this is to subject the product to a detailed evaluation by a professional, neutral, third-party security specialist.
Password Manager Pro was subjected to a rigorous penetration test by Seibert Media, a leading professional agency, to test its security. The product passed the test, and Seibert Media has certified that Password Manager Pro is secure software.
The penetration test concentrated on the following vital aspects:
- Overall SSL/TLS configuration as well as the offered encryption methods and lengths
- Checking for world-writable and world-readable critical files and folders. World-writable and world-readable files and folders can be a serious security issue: an attacker could add or modify files and thereby compromise the security of the service and the system, or could read sensitive data with normal user privileges. An attacker might also reach these files through another vulnerable service or system component.
- Checking database configuration and files. Assessing whether the product stores sensitive data securely, whether the database is configured correctly, and whether any public or open database accounts exist.
- Checking log files – Analyzing whether the log files contain sensitive data such as usernames or passwords
- Checking client plugins and addons – Analyzing the possible security issues due to client plugins and addons used in the product
- File upload checks – File uploads are common in today's web applications and are often used to let users attach files. Insufficient server-side checks can be a serious security issue, as an attacker could upload malicious files such as HTML or JavaScript, or could place files outside the application root.
- Checking the forgot-password function – Checking whether the forgot-password function has been implemented properly and whether it introduces any flaw into the authentication scheme
- Checking cookie attributes – Session cookies are the most common way of holding authentication state for the duration of a session after a successful login. It is therefore crucial that they carry the correct attributes (for example Secure and HttpOnly) so that they are neither sent over plain HTTP nor readable by script.
- Cross-site request forgery (CSRF) – CSRF is an attack that forces an end user to execute unwanted actions on a web application in which he or she is currently authenticated. With a little social engineering (such as sending a link via email or chat), an attacker can make users of a web application execute actions of the attacker's choosing. A successful CSRF exploit against a normal user can compromise that user's data and operations; against an administrator account, it can compromise the entire web application. This test checks the application for such CSRF flaws.
- Cross-site scripting (Type 1 XSS – Reflected cross-site scripting, and Type 2 – Persistent cross-site scripting) – Cross-site scripting (XSS) attacks occur when an attacker uses a web application to deliver malicious code, generally a browser-side script, to a different end user. Reflected attacks are those where the injected code is reflected off the web server, such as in an error message, search result, or any other response that includes some or all of the input sent as part of the request. Persistent attacks are those where the injected code is stored permanently on the target server, such as in a database, a message forum, a visitor log, or a comment field. In this test, the application was thoroughly checked for both reflected and stored script injection to uncover faulty or incomplete protection measures.
- Checking for old software versions and their known vulnerabilities. Old or unpatched software is often a serious security issue. Through a known vulnerability, even an inexperienced attacker ('script kiddie') could gain root privileges or harm the system in many other ways, e.g. by executing a denial of service (DoS) attack, manipulating files and other
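To make three of the checks above concrete, here is an added example (written for this page; it is not Password Manager Pro's code and is not taken from the Seibert Media report) showing the server-side counterpart of the cookie-attribute, CSRF and file-upload tests, together with a few constructed requests that each check must reject. The cookie name, the allow-listed upload extensions and the sample values are assumptions made for the example; it uses only the Python standard library so it runs stand-alone.

```python
import hmac
import os
import secrets

# Hypothetical session cookie name; the product's real name is not given on the page.
SESSION_COOKIE = "SESSIONID"
REQUIRED_COOKIE_FLAGS = ("Secure", "HttpOnly", "SameSite")


def missing_cookie_flags(set_cookie: str) -> list:
    """What a pentester looks for: which protective attributes a Set-Cookie
    header lacks. 'SESSIONID=abc; Path=/' is missing all three."""
    attributes = [p.strip() for p in set_cookie.split(";")[1:]]
    present = {a.split("=", 1)[0].lower() for a in attributes}
    return [f for f in REQUIRED_COOKIE_FLAGS if f.lower() not in present]


def hardened_session_header(session_id: str) -> str:
    """Set-Cookie header that passes missing_cookie_flags(): not sent over
    plain HTTP (Secure), not readable by script (HttpOnly), not attached to
    cross-site requests (SameSite=Strict)."""
    return f"{SESSION_COOKIE}={session_id}; Path=/; Secure; HttpOnly; SameSite=Strict"


# --- CSRF: synchronizer token bound to the session with an HMAC -----------
_CSRF_KEY = secrets.token_bytes(32)  # per-process server secret (constructed)


def csrf_token(session_id: str) -> str:
    """Token the server embeds in each form. Deriving it from the session id
    means a token captured from the attacker's own session is useless."""
    return hmac.new(_CSRF_KEY, session_id.encode(), "sha256").hexdigest()


def csrf_check(method: str, cookies: dict, form: dict) -> bool:
    """Safe methods pass. State-changing requests must carry the token that
    matches the caller's own session cookie. A forged cross-site POST carries
    the victim's cookie (the browser adds it) but cannot know the token."""
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True
    session_id = cookies.get(SESSION_COOKIE)
    if session_id is None:
        return False
    expected = csrf_token(session_id)
    return hmac.compare_digest(form.get("csrf_token", ""), expected)


# --- Upload validation ----------------------------------------------------
ALLOWED_UPLOAD_EXT = {".pdf", ".png", ".txt"}  # assumed allow-list for the example


def safe_upload_name(client_filename: str):
    """Return a file name that may be stored under the upload directory, or
    None. Strips any directory part (blocks ../ traversal on both path
    styles), rejects dot-files and anything outside the extension allow-list,
    so active content such as .html or .js is never written where it could
    be served."""
    name = os.path.basename(client_filename.replace("\\", "/"))
    if name in ("", ".", "..") or name.startswith("."):
        return None
    ext = os.path.splitext(name)[1].lower()
    if ext not in ALLOWED_UPLOAD_EXT:
        return None
    return name


if __name__ == "__main__":
    # Constructed requests exercising each check.
    print(missing_cookie_flags("SESSIONID=abc; Path=/"))         # all three flagged
    print(missing_cookie_flags(hardened_session_header("abc")))  # []
    victim = {SESSION_COOKIE: "victim-session"}
    print(csrf_check("POST", victim, {}))                                   # forged: False
    print(csrf_check("POST", victim, {"csrf_token": csrf_token("victim-session")}))  # genuine: True
    print(safe_upload_name("../../etc/passwd"), safe_upload_name("shell.html"), safe_upload_name("report.pdf"))
```

The extension allow-list on its own does not stop a polyglot file whose bytes are valid HTML but whose name ends in .pdf; a real upload handler would also check the content and serve uploads with a fixed Content-Type from a location that never executes server-side code. The XSS item in the list needs a different control, context-aware output encoding, which this example does not cover.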
Ensuring security is not a one-time task but an ongoing activity. We understand this and take steps to maintain security continuously and at every level.
Bala
ManageEngine Password Manager Pro
I don't change my password
Hi,
I genuinely loved this brilliant article. Please continue this awesome work.