A problem of Authentication
Our client’s cloud-native stack put an emphasis on heavy-duty data processing, and was built on a microservices architecture on Google Cloud Platform (GCP), orchestrated by Kubernetes.
Since the app had to pull in a lot of data from the ERP and supply chain systems, we45’s assessment focused on uncovering flaws that would allow for unauthorised access to data, or the manipulation of data in transit.
This was where our client's most serious security vulnerabilities lay: unrestricted file uploads by users, and lower-privilege users being able to access datasets they weren't authorised for. Naturally, this wasn't good for data confidentiality.
The company’s engineers worked quickly. By using randomly generated values to identify datasets in the backend, they remediated the vulnerabilities we’d identified, patching up the most critical ones first.
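As an added illustration (not the client's or we45's code), the two patterns side by side: a sequential-ID lookup of the kind that lets a lower-privilege user reach datasets they weren't authorised for, and a store keyed by randomly generated identifiers that also checks the caller's entitlement on every read, since an unguessable ID stops enumeration but does nothing for a leaked or shared link. The class and function names and the in-memory store are assumptions.

```python
# Added example, not code from the client's backend.
import secrets
from dataclasses import dataclass, field


# The pattern the assessment flagged (constructed illustration): a predictable
# integer key and no check of who is asking, so every dataset is one guess away.
def vulnerable_read(datasets: list, dataset_id: int) -> bytes:
    return datasets[dataset_id]


@dataclass
class Dataset:
    owner: str
    payload: bytes = b""
    allowed_users: set = field(default_factory=set)


class DatasetStore:
    """Datasets keyed by random tokens, with an authorisation check on each read."""

    def __init__(self) -> None:
        self._datasets: dict[str, Dataset] = {}

    def create(self, owner: str, payload: bytes) -> str:
        # 32 bytes from the OS CSPRNG (43 URL-safe characters): not enumerable.
        dataset_id = secrets.token_urlsafe(32)
        self._datasets[dataset_id] = Dataset(owner, payload, {owner})
        return dataset_id

    def share(self, dataset_id: str, acting_user: str, grantee: str) -> None:
        ds = self._datasets.get(dataset_id)
        if ds is None or ds.owner != acting_user:
            raise PermissionError("dataset not found or access denied")
        ds.allowed_users.add(grantee)

    def read(self, dataset_id: str, user: str) -> bytes:
        # The random ID is not the access control; the entitlement check is.
        ds = self._datasets.get(dataset_id)
        if ds is None or user not in ds.allowed_users:
            # One error for "missing" and "forbidden" so callers cannot probe existence.
            raise PermissionError("dataset not found or access denied")
        return ds.payload
```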