Case Study: ASP Security Code Review for Systems Integrator
Synopsis
Aspect reviewed the HR portal for a large systems integrator. We found a serious flaw in their global encryption module. In the process, we helped patch relations between the development team and the corporate information security team.
The Client and the Application
The client is a major systems integrator with many complex intranet applications. Given the sensitive nature of their business, they have an acute sensitivity to insider attacks. Their HR portal application consists of 500K lines of classic ASP code, and it handles all of their employees' sensitive information, including personal information, salary, benefits, and more.
Why Did They Come to Aspect?
This customer engaged Aspect to help with an aggressive application security initiative, including training, process enhancements, and technology selection. As a part of this process, Aspect was engaged to review critical applications.
How Did We Work With Them?
Aspect followed our standard application evaluation process, which includes code review and penetration testing. As we identified security issues, we used our findings workbench to create detailed writeups. At the end of the review period, we produced the report and led a discussion with the development team and information security. By discussing security issues in terms that both teams could understand, we were able to reopen communication channels that had closed over time.
What Did We Find?
We analyzed the code and found that their main encryption module used a stream cipher keyed with a single, fixed key for every value it protected, instead of a block cipher like 3DES. Because the same keystream was applied to every secret, XORing any two ciphertexts cancels the keystream and leaves the XOR of the two plaintexts, so knowing (or guessing the format of) one secret reveals the others. This subtle flaw exposed all of the other secrets stored in the application. It could not have been found with vulnerability scanning, penetration testing, or static analysis. However, an attacker with access to the code could have found and exploited the problem easily.
What Happened?
The development team made a simple change to their encryption module to use a block cipher that can safely be used to protect all of the application's secrets, thus avoiding a major data disclosure.
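The flaw and the fix described above, as an added example in Go that is not code from the engagement or from Aspect: a stream cipher (RC4 standing in for whatever the portal used) keyed once for every secret, the check a reviewer can run to confirm the keystream is reused, and the corrected pattern with a fresh nonce per secret. AES-GCM is assumed here in place of the 3DES the page mentions, and the key and secrets used to exercise it are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rc4"
)

// flawedEncrypt mirrors the reviewed pattern: a stream cipher (RC4 as a stand-in)
// under one fixed key, so every secret is XORed with exactly the same keystream.
func flawedEncrypt(key, plaintext []byte) []byte {
	c, err := rc4.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(plaintext))
	c.XORKeyStream(out, plaintext)
	return out
}

// keystreamReused is the reviewer's check for that flaw: with a reused keystream
// c1 XOR c2 equals p1 XOR p2, so one known secret in the store exposes the rest.
func keystreamReused(key, p1, p2 []byte) bool {
	c1, c2 := flawedEncrypt(key, p1), flawedEncrypt(key, p2)
	for i := 0; i < len(p1) && i < len(p2); i++ {
		if c1[i]^c2[i] != p1[i]^p2[i] {
			return false
		}
	}
	return true
}

// fixedEncrypt is the corrected pattern: a block cipher (AES assumed; the page
// names 3DES) in an authenticated mode with a fresh random nonce for each secret,
// stored as nonce||ciphertext||tag. The per-secret nonce is what removes the reuse.
func fixedEncrypt(key, plaintext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only reachable with a key that is not 16, 24 or 32 bytes
	}
	aead, _ := cipher.NewGCM(block) // cannot fail: AES always has a 16-byte block
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return aead.Seal(nonce, nonce, plaintext, nil)
}
```

Note that the cipher family alone is not the cure: a block cipher driven with a static IV, or in ECB mode, would still let equal records be matched against each other.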