
Bryt Software Penetration Testing

Overview

Bryt Software commissions an annual web application penetration test from a third-party security consultant.  The testing is usually performed in March, depending on the consultant's availability.


Bryt has the penetration test performed against three separate web applications/services:

  • Primary Application – the website our customers use to manage their customer and lending data.

  • Portals – the websites our customers use to give their borrowers and lenders visibility into their own account data.

  • API – the interface that lets customers import and export data from the Bryt database without using the Bryt web application.

Bryt creates a separate mitigation plan for each of the three targets above.

Each mitigation plan covers the Confirmed Vulnerabilities for that target, together with findings rated Urgent, Critical, Serious, or Medium.  Findings rated Minimal or Informational are reviewed, but are added to the mitigation plan only when a vulnerability is associated with the finding.

Scope of Testing

The objective of the test is to identify and report security issues or flaws.  The consultant tests the security controls Bryt uses to protect sensitive data and attempts to compromise and infiltrate the system using the following methodologies.

Web application penetration test against the target URLs from the external network, using the OWASP Top 10 as the framework.

  • Application-layer penetration test against the target URL with two test accounts, one admin and one non-admin.

  • Application scan for SQL injection vulnerabilities.

  • Application scan for cross-site scripting (XSS) vulnerabilities.

  • Application scan with advanced crawling capabilities for technologies such as REST, JSON, AJAX, and SOAP.

  • Automated brute-force testing of password credentials.

  • Follow the OWASP Top 10 guidelines for testing to verify the security controls implemented.

API penetration test against the target URL from the external network, using the OWASP API Top 10 as the framework.

  • Test for broken object level authorization (BOLA), which can lead to unauthorized access to other users' records.

  • Test for broken user authentication by attempting to compromise authentication tokens.

  • Check for excessive data exposure by looking for data in responses that should not be returned.

  • Other tests cover security misconfiguration and injection flaws such as SQL injection and XSS.

  • Follow the OWASP API Top 10 guidelines for testing to verify the security controls implemented.
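As an added illustration of the first and third API checks above (this is not Bryt's code and not part of the consultant's report), the block below models a single GET /loans/{id} endpoint in-process, in a vulnerable and a hardened form, and runs the two-account procedure a tester follows: collect object ids from one account's session, replay them from the other account's session to confirm broken object level authorization, and diff each response body against the documented schema to catch excessive data exposure. The endpoint, the records, the account names and the documented field list are all constructed for the example.

```python
# Added example (not Bryt's code): a minimal in-process model of two of the
# OWASP API Top 10 checks named above, broken object level authorization
# (BOLA) and excessive data exposure, exercised with two test accounts.
# Endpoint, records, account names and field names are constructed here.
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample data: loan records belonging to two test accounts.
RECORDS = {
    101: {"id": 101, "owner": "alice", "balance": 1200.00, "ssn_last4": "1234"},
    102: {"id": 102, "owner": "alice", "balance": 350.50, "ssn_last4": "1234"},
    201: {"id": 201, "owner": "bob", "balance": 9000.00, "ssn_last4": "9876"},
}

# Fields the (hypothetical) API documentation says GET /loans/{id} returns.
DOCUMENTED_FIELDS = {"id", "owner", "balance"}


@dataclass
class Response:
    status: int
    body: Optional[dict]


Handler = Callable[[str, int], Response]


def vulnerable_get_loan(user: str, loan_id: int) -> Response:
    """Looks the record up by id only and returns the whole row: any
    authenticated caller can read any loan (BOLA), and the row carries a
    field the API never documented (excessive data exposure)."""
    rec = RECORDS.get(loan_id)
    if rec is None:
        return Response(404, None)
    return Response(200, dict(rec))


def hardened_get_loan(user: str, loan_id: int) -> Response:
    """Scopes the lookup to the caller and projects to documented fields.
    A foreign id gets the same 404 as a missing one, so the endpoint does
    not confirm which ids exist."""
    rec = RECORDS.get(loan_id)
    if rec is None or rec["owner"] != user:
        return Response(404, None)
    return Response(200, {k: rec[k] for k in DOCUMENTED_FIELDS})


def bola_probe(handler: Handler, attacker: str, victim_ids: list[int]) -> list[int]:
    """Replay ids collected from the victim's session under the attacker's
    session; any id that still returns 200 is a confirmed BOLA finding."""
    return [i for i in victim_ids if handler(attacker, i).status == 200]


def exposure_probe(handler: Handler, user: str, own_ids: list[int]) -> dict[int, list[str]]:
    """Diff each response body against the documented schema; extra keys are
    data the client never asked for and should not have been sent."""
    leaks: dict[int, list[str]] = {}
    for i in own_ids:
        body = handler(user, i).body or {}
        extra = sorted(set(body) - DOCUMENTED_FIELDS)
        if extra:
            leaks[i] = extra
    return leaks


def run_checks(handler: Handler) -> dict:
    """Run both probes with the two test accounts and summarise findings."""
    alice_ids = [i for i, r in RECORDS.items() if r["owner"] == "alice"]
    return {
        "bola": bola_probe(handler, "bob", alice_ids),
        "exposure": exposure_probe(handler, "alice", alice_ids),
    }


if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_get_loan), ("hardened", hardened_get_loan)):
        print(name, run_checks(handler))
```

Against a real target the two handlers are replaced by HTTP requests carrying each account's session token; the probe logic stays the same. Returning 404 rather than 403 for another user's id in the hardened handler is a deliberate choice: a 403 would tell the attacker the id exists.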


Additional Information

Please contact your Bryt Representative if you have any questions or would like copies of our Executive Summaries and/or Mitigation Plans.
