Penetration tests by SySS GmbH
For over 15 years, SySS GmbH has been focusing on software penetration testing (pentests), as well as maintaining the maximum security of IT infrastructures in companies of any industry and size. The security specialists from Tübingen now serve over 20 of the DAX30 corporations across the industry. State institutions (Ministry of the Interior, German Armed Forces, Deutsche Flugsicherung (German air navigation services organisation), …) also rely on the expertise of SySS GmbH. Professional cooperation with the market leader over several test iterations has set the course for closing potential security loopholes and continuously avoiding new ones.
Pentest of version 8.3.0
Due to the huge increase in functional scope since the last pentest, version 8.3.0 was subjected to a new test. The test was passed with flying colours.
Components of the pentest
Amongst other things, the following scenarios were tested during the test:
- Simulation of client-side attacks of different types
- Intensive source code review
- Qualitative assessment of all cryptographic methods
Test conditions
SySS GmbH had full access to the source code and to the database server at all times to ensure complete and granular execution of the tests.
Summary of the test
Sebastian Schreiber, the Managing Director of SySS GmbH, attested to the successfully conducted test. Here is an excerpt:
- During the course of the security test, it was not possible for SySS GmbH to access protected password information and documents from third-party users of the Password Safe 8 software application using unauthorised measures, neither from the perspective of a user with login data nor from the perspective of an external attacker without login data. In the view of SySS GmbH, the processes used for authentication, authorisation and encryption provide effective protection for the sensitive data saved within the application.
- According to the findings from SySS GmbH, an attacker (…) is not able to directly access login passwords in plain text or unencrypted RSA key material about users.
- The fact that access to the private RSA key in plain text is only possible after prior entry of the correct password, and that this authentication information is thus introduced to the Password Safe application externally by one person as part of the user login process, was considered very positive by SySS GmbH. Even in the event of various different weaknesses, an attacker is not immediately able as a result to access encrypted data such as passwords or documents.
- In terms of the encryption process used in the system, SySS GmbH could not identify any weaknesses as part of the completed security test.
Overall, SySS GmbH rates the security level of the tested software version of the Password Safe 8 application as “very good”.