ITGLOBAL.COM Performed Penetration Test to Improve Digital Attitude Security

Digital Attitude is an Italian virtual training developer, offering a habit-inspiring platform: a tool that helps to form new soft skills in corporate software usage. The key project of Digital Attitude is a virtual trainer for Microsoft Office 365 users. It teaches customers a variety of skills.

The habit-inspiring concept is based on the nudge theory of Richard Thaler, the 2017 Nobel Prize winner in (behavioral) Economics. Digital Attitude itself is a "golden partner" of Microsoft, winner of the Digital Transformation Champ Awards 2020. The company's clientele includes oil production, banking, insurance and healthcare.

Caring for protection

Both Digital Attitude network and operations are designed with high security level in mind. As per Denis Sumin, full stack developer and IS specialist of Digital Attitude, "Every customer has the ID only. We store no emails, or names, or IP addresses - everything is almost anonymous. Yet we permanently care that even these IDs wouldn't leak anywhere."

The habit-inspiring platform is also protected. No developer has access to the production version of habit-inspiring, so an independent production deployment is impossible: it deploys automatically via a specific AWS account. Every commit is digitally signed; the forgery is, again, impossible. Each pull request is verified by at least two developers, so the harmful code insertion requires the cahoots of at least three individuals.

"We have everything firmly set inside. But the outer area is beyond our control, so we decided for the penetration test to strengthen the network security," concluded Denis Sumin.

The test & the tester

Black Box pentest model presumes that the intruders have no knowledge of the company and its systems - so only attacks on public resources, starting from the external IP addresses and public URLs, are imitated. Pentest also scrutinizes mail, terminal and file servers, as well as the other web services that revealed an access upon scanning.

ITGLOBAL.COM with the headquarters in Saint-Petersburg, Russia was chosen by Digital Attitude after thorough consideration. In particular, none of the candidates from the West was able to denote any timeline for pentest preparations and initial procedure. At first Digital Attitude did not consider a Russian company, but ITGLOBAL.COM appeared to suit all the requirements of the Italian developer.

The outcome: problem positively solved

The penetration test had shown the single medium level vulnerability at Digital Attitude, the Cross-Site Scripting. Imitating the attack, ITGLOBAL.COM testers managed to insert into the page their script that was executed on the customer's side. The vulnerability was immediately patched via Content Security Policy; as of now the scripts at Digital Attitude are signed with the additional certificate. As per Alexander Zubikov, ITGLOBAL.COM IS Head, "Even the vulnerabilities of medium-scale can lead to large issues. An intruder can obtain the client's version of habit-inspiring - and get access to a customer's computer. Or alter the original content of Digital Attitude, thus undermining the trust to the company. Or simply steal customer's cookies - with well-known aftermaths."



Categories: Information Technology

Tags: Cyber Security, Pentest, Security Audit

Additional Links


View Website

Claymont, DE 19703
United States