Password Manager Pro offers rock solid security, reveals penetration test by Seibert Media

It goes without saying that software products operating in the IT security space should offer rock solid security. These products should be free of holes and vulnerabilities; otherwise, they become a haven for hackers and malicious insiders.

With increasing security threats to mission-critical network IT resources and serious legal consequences for information mismanagement, IT security products are required not just to ensure extreme levels of security, but also to demonstrate and reassure customers that the products are indeed secure. One of the best ways to do this is to subject the product to a detailed evaluation by a professional, neutral, third-party security specialist.

Password Manager Pro was subjected to a rigorous penetration test by Seibert Media, a leading professional agency for security testing. The product has passed the test, and Seibert Media has certified that Password Manager Pro is secure software.

The penetration test concentrated on the following vital aspects:

  • Overall SSL/TLS configuration, as well as the offered encryption methods and key lengths.
  • Checking for world-writable and world-readable critical files and folders.
    World-writable and world-readable files and folders can be a serious
    security issue. An attacker could add or modify files and thereby
    compromise the security of the service and system, or could access
    sensitive data with normal user privileges. It could also be possible
    for an attacker to access these files through another vulnerable
    service or system component.
  • Checking database configuration and files.
    Assessing whether the product securely stores sensitive data, whether
    the database configuration is correct, and whether any public or open
    database accounts exist.
  • Checking log files – analyzing whether the log files contain sensitive data such as usernames or passwords.
  • Checking client plugins and add-ons – analyzing the possible security issues due to client plugins and add-ons used in the product.
  • File upload checks – file uploads are common in today’s web applications. They are often used to
    give users an option to attach various files in the application.
    Insufficient server-side checks can be a serious security issue, as an
    attacker could upload malicious files such as HTML or JavaScript, or could
    place other files outside the application root.
  • Checking the forgot-password function
    – checking whether the forgot-password function has been properly
    implemented and whether it introduces any flaw in the authentication scheme.
  • Checking cookie attributes
    – The use of session cookies is the most common method for storing
    authentication information for a defined period (a session) after
    successful authentication. It is therefore crucial that these are
    protected with the correct HTTP flags.
  • Cross-site request forgery (CSRF)
    – CSRF is an attack which forces an end user to execute unwanted
    actions on a web application in which he/she is currently authenticated.
    With a little help from social engineering (such as sending a link via
    email or chat), an attacker may force the users of a web application to
    execute actions of the attacker’s choosing. A successful CSRF exploit
    can compromise end-user data and operations in the case of a normal user. If
    the targeted end user is the administrator account, it can compromise
    the entire web application. This test checks for such CSRF flaws in the
    application.
  • Cross-site scripting (Type 1 XSS – reflected cross-site scripting, and Type 2 – persistent cross-site scripting)
    – Cross-site scripting (XSS) attacks occur when an attacker uses a web
    application to send malicious code, generally in the form of a browser-side
    script, to a different end user. Reflected attacks are those where
    the injected code is reflected off the web server, such as in an error
    message, search result, or any other response that includes some or all
    of the input sent to the server as part of the request. Persistent
    attacks are those where the injected code is permanently stored on the
    target servers, such as in a database, a message forum, a visitor log, a
    comment field, etc. In this test, the application was thoroughly checked
    for such stored script vulnerabilities to disclose erroneous or
    incomplete protection measures.
  • Checking for old software versions and their known vulnerabilities. Old or unpatched software is often a serious security issue. Through
    a vulnerability, even an inexperienced attacker (‘script kiddie’) could
    gain root privileges or could harm the system in many other ways,
    e.g. by executing a denial of service (DoS) attack, manipulating files and
    other

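
As an added illustration (not part of the original post, and not Seibert Media's or ManageEngine's test tooling), the following Python script shows how three of the checks listed above can be scripted from the defender's side: it audits Set-Cookie headers for the Secure, HttpOnly and SameSite attributes, walks a directory for world-writable entries and world-readable critical files, and scans log lines for credential-bearing key/value pairs. All headers, file names and log lines are constructed samples, the set of "critical" file names is an assumption, and the permission check assumes a POSIX filesystem.

```python
import os
import re
import stat
import tempfile
from typing import Dict, List, Tuple

# --- 1. Cookie attribute check ---------------------------------------------
# Constructed Set-Cookie headers; they are not captured from any real product.
SAMPLE_SET_COOKIE_HEADERS = [
    "JSESSIONID=5f2a9c; Path=/; Secure; HttpOnly; SameSite=Strict",
    "rememberMe=9b1d; Path=/; Expires=Wed, 01 Jan 2025 00:00:00 GMT",
]


def audit_cookie(header: str) -> Dict[str, object]:
    """Parse one Set-Cookie header and list the protective flags it lacks.

    Secure keeps the cookie off plaintext HTTP, HttpOnly keeps it away from
    document.cookie (limiting what a script injected via XSS can read), and
    SameSite=Strict/Lax stops most cross-site sends, which blunts CSRF.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        else:
            attrs[part.lower()] = True          # flag attribute without a value
    missing: List[str] = []
    if "secure" not in attrs:
        missing.append("Secure")
    if "httponly" not in attrs:
        missing.append("HttpOnly")
    samesite = attrs.get("samesite")
    if not isinstance(samesite, str) or samesite.lower() not in ("strict", "lax"):
        missing.append("SameSite")
    return {"name": name, "missing": missing}


# --- 2. World-writable / world-readable file check -------------------------
def find_world_accessible(root: str, critical_names: set) -> List[Tuple[str, str]]:
    """Walk root; report entries other users may write, and critical files
    (matched by basename, an assumed list) that other users may read."""
    findings: List[Tuple[str, str]] = []
    for dirpath, dirnames, filenames in os.walk(root):
        for entry in dirnames + filenames:
            path = os.path.join(dirpath, entry)
            mode = os.lstat(path).st_mode
            if mode & stat.S_IWOTH:
                findings.append((os.path.relpath(path, root), "world-writable"))
            elif entry in critical_names and mode & stat.S_IROTH:
                findings.append((os.path.relpath(path, root), "world-readable"))
    return findings


# --- 3. Log file check -------------------------------------------------------
# Matches "password=..." / "secret: ..." key/value pairs, not every line that
# merely mentions the word "password" (e.g. a password-reset audit event).
CREDENTIAL_PATTERN = re.compile(r"(?i)\b(password|passwd|pwd|secret)\s*[=:]\s*\S+")

# Constructed log lines, not taken from any real log.
SAMPLE_LOG_LINES = [
    "2024-01-01 10:00:00 INFO  login user=alice result=success",
    "2024-01-01 10:00:05 DEBUG request body: user=bob&password=s3cr3t",
    "2024-01-01 10:00:09 INFO  password reset requested for user=carol",
]


def scan_log_lines(lines: List[str]) -> List[int]:
    """Return 1-based numbers of lines that appear to contain a credential."""
    return [i for i, line in enumerate(lines, 1) if CREDENTIAL_PATTERN.search(line)]


def run_demo() -> Dict[str, object]:
    """Run the three checks on the constructed samples and a throwaway directory."""
    cookie_report = {r["name"]: r["missing"]
                     for r in map(audit_cookie, SAMPLE_SET_COOKIE_HEADERS)}
    with tempfile.TemporaryDirectory() as root:
        conf_dir = os.path.join(root, "conf")
        os.mkdir(conf_dir)
        os.chmod(conf_dir, 0o755)
        db_conf = os.path.join(conf_dir, "database.conf")   # assumed critical file
        with open(db_conf, "w") as fh:
            fh.write("db.user=pmp\n")
        os.chmod(db_conf, 0o644)          # readable by everyone: bad for a critical file
        uploads = os.path.join(root, "uploads")
        os.mkdir(uploads)
        os.chmod(uploads, 0o777)          # world-writable directory
        file_report = sorted(find_world_accessible(root, {"database.conf"}))
    return {"cookies": cookie_report, "files": file_report,
            "log_lines": scan_log_lines(SAMPLE_LOG_LINES)}


if __name__ == "__main__":
    for section, result in run_demo().items():
        print(section, result)
```

Each check is deliberately narrow: the cookie audit only reports what a browser would not enforce, the file walk only flags read access on names you declare critical (so it does not drown the report in ordinary world-readable binaries), and the log scan keys on assignment syntax so that audit events about passwords are not reported as leaks.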
We are glad to announce that Password Manager Pro has passed all these stringent tests, and Seibert Media has certified that Password Manager Pro is very secure.

Ensuring security is not a one-time process but an ongoing activity. We understand this and have taken all steps to ensure security at all times and at all levels.

Bala


The original article/video can be found at Password Manager Pro offers rock solid security, reveals penetration test by Seibert Media

About the Author: Shannon Lewis
