During the second half of April, the iSHARE Scheme Owner was tested for security risks and vulnerabilities by Secura BV, commissioned by VASC. On 2 May 2019, the iSHARE team received the report detailing the IT security assessment. In short, no ‘high’ or ‘critical’ risks were found. As with any proper penetration test, some risks were found, and work has started to fix them.
Methodology
VASC commissioned Secura BV to assess the IT security of the iSHARE Scheme Owner. The investigation started on 17 April 2019. This report was written directly after the results were analysed.
The security assessment used a methodology derived from OWASP, ISSAF and OSSTMM, and tested, among other things, for the OWASP Top 10 serious web application vulnerabilities: injection, broken authentication, sensitive data exposure, XML external entities, broken access control, security misconfiguration, cross-site scripting, insecure deserialization, using components with known vulnerabilities, and insufficient logging and monitoring.
Results
During the investigation, 7 risks were identified, of which 1 was classified as a medium risk (with low likelihood). For a complete list of all risks we refer to the full report, which the iSHARE team can discuss in more detail on request.
These are the number of risks per class:
Investigation
The API in the production environment was only partially investigated within the time-box available for the investigation. The reason for this is the absence of valid certificates for generating the valid JWT tokens that are used to authenticate to the endpoints in the production environment. After discussing these limitations with the team present at iSHARE, it was decided to prioritise the investigation of the production environment and to use the test environment as a fallback.
In addition, Secura was asked to investigate whether they were able to gain unauthorised access to the admin area of iSHARE Participant Management. This investigation was performed in the production environment. After testing, they concluded that they were not able to obtain unauthorised access to the admin area, nor could they perform administrative actions on behalf of an administrative user.
Furthermore, Secura found one risk classified as ‘medium’ and three risks classified as ‘low’ on the iSHARE Scheme Owner. The details of these risks are not shared here for security reasons, but they will be discussed with participants on request to assure them that iSHARE is safe to use and can be fully trusted.
Conclusion
The iSHARE team concludes that the investigation assures that the Scheme Owner is secure for all intents and purposes, and has started work on resolving the reported risks, so that all known risks are fixed within a short timeframe.