Nixu Corporation (www.nixu.com) is one of the world's leading security specialist companies and has been focused on information security since its foundation in 1988. Since then it has worked with numerous banks, telecommunications firms and governments around the world to help them address and improve their approach to cybersecurity.
Nixu carried out a project to assess the security of the Crowd Valley API and Back Office platforms. The assessment was performed by attacking the Crowd Valley API and the administrative applications from the perspective of a motivated attacker attempting to gain unauthorized access to Crowd Valley’s customers’ data and functionality.
The API was tested for general compliance with the OWASP Application Security Verification Standard requirement categories: Authentication, Session Management, Access Control, Malicious Input Handling, Error Handling and Logging, Data Protection, Communications Security, HTTP Security, Business Logic, and File and Resource Validation.
Following this assessment, Crowd Valley customers can now benefit from the following functional updates, which have been implemented and are already available in the sandbox and live environments:
- Two-Factor Authentication for all Back Office Admin Users using the Google Authenticator application
- Global User Password Rules that enforce a consistent password policy across all end-user applications
- Automated restrictions on Admin Users who attempt to log in with an incorrect password more than 5 times within a short time period
- Implementation of a stricter Content Security Policy and additional Cross-Site Request Forgery protections in the Back Office, to prevent phishing or similar attacks that would leverage an Admin User’s existing permissions
For more information on how you can make the most of these security features in your own applications please get in touch with your primary Crowd Valley contact.