Penetration Testing & Security Code Reviews
A U.S based investment firm was in the process of performing due diligence with a famous financial exchange platform based on Zug, Switzerland as part of their acquirement process. The investment firm was interested in acquiring the financial organization as a whole as well as all of their intellectual property which included a trustless asset exchange, mobile applications for asset management, and the infrastructure on top of which it is built.
Before committing to acquiring and enabling a multi-million dollar investment, the Sentry team developed a baseline for assesing the security of the asset exchange on a technical level.
Are Applications and all of their components built with security in mind?
- If yes, do said Applications and all of their components include the security features that have been claimed?
- If yes, do these security features align with industry standards and best practices?
- If not, are there any known vulnerabilities or perceived dangers to the said Applications and all of their components?
Are Applications and all of their components following security practices, both technical and procedural set by credible and expert sources?
- If yes, are said Applications and all of their components thoroughly tested and/or peer-reviewed by external credible and expert sources?
- If yes, have said Applications and all of their components been evaluated positively by external credible and expert sources?
- If not, are there any issues that would compromise the solutions provided by said Applications and all of their components?
Do Applications and all of their components require additional investments regarding security?
- If yes, do these investments extend beyond the organization’s resources (eg. External Experts, Investing in New Technologies, Enhancing or expanding the current technical/non-technical team?
- If yes, are these investments realistic from a technical security standpoint?
- If not, is there anything that can be utilized/salvaged from existing security implementations in providing added value to current/other business opportunities.
For this due diligence step, the U.S Investment firm has asked Sentry to step in and evaluate the potential investment from a security perspective.
In order to provide satisfactory insights on the following inquiries, we have performed the following:
- A general/technical report containing a thorough security analysis of the solution architecture in a live production-grade environment.
- A general/technical report containing a thorough security analysis of all supporting technologies implemented in the environment.
- A general/technical report illustrating the results of Dynamic Tests for identifying security vulnerabilities, validating security controls, testing security functionality, and identifying mitigation or improvement strategies.
- An in-depth/technical report outlining expert peer-reviewed observations, both objective and subjective, specifically aimed at core functionalities – In this case: Cryptography, Programming/Code, Cyber/Information security.
- An in-depth/technical analysis of emerging security threats in the foreseeable future that may compromise the solution offered by the project, and/or concept flaws that are apparent in the present.
All of the analysis performed by Sentry helped the U.S investor gain clarity in what exactly they were acquiring from a security perspective. Our reports illustrated that while all of the critical security components were built with security in mind, not enough testing and peer reviewed analysis has been done in order to assume that the system is safe to use and production ready.
Many of the components had best security practices implemented in them, however critical vulnerabilities have been identified residing within the codebase of some of the most crucial components. Furthermore, there have been novel security mechanisms introduced that have not been thoroughly tested or implemented in the industry. Although the algorithms have been innovative and efficient and could be developed as a product on their own, it was found out that they did not belong to the financial exchange, and would be excluded from the IP acquirement – something that was not disclosed prior to testing and security code reviews.
Our findings have been a game changer for our client – giving Sentry the experience of contributing into making a sound multi-million dollar decision. Sentry has protected US investor from an investment with a multitude of hidden costs regarding security and has helped point out contractual flaws that could have undermined the future of the investment.