What did this security assessment look like?
Group-IB performed the security assessment of our web app. We asked their specialists to conduct a comprehensive independent vulnerability testing and security assessment of OSOM's web application and our existing defense mechanisms.
So, the mission of Group-IB's experts was as follows:
The detection of vulnerabilities in the web application environment
The detection and confirmation of vulnerabilities in the web application
Attempts to exploit the vulnerabilities detected
The classification of detected vulnerabilities and assessment of their risk level
The development of expert recommendations on eliminating detected vulnerabilities
In our case, the security assessment was carried out using the grey box method: we provided the security team with two accounts and had a test card issued to them for making payments. This is in contrast to "black box" testing, where the "attackers" are given nothing, and "white box" testing, where they are given the entire source code of the app. Grey box is the approach that corresponds most closely to reality for us: an attacker can always register an account and fund it, but does not have our source code.
We then received a report for each step containing descriptions of all identified vulnerabilities, attack vectors and exploitation methods, as well as recommendations on how to mitigate the vulnerabilities and flaws found.
What did the report say?
Overall, we did very well, and funds are safu!* Only 9 flaws were detected, over half of which were rated "low", and none were critical.
The most serious vulnerability, rated "high", made it possible to submit a withdrawal of the euro prepayment balance multiple times by tampering with the front-end. While it would not necessarily have led to an outsized withdrawal (we have other procedural checks and balances in place), we changed the withdrawal request logic so as to make this impossible.
Because of the way we handle crypto wallets, there was no chance of anything happening to your crypto.
The vulnerabilities in the lowest risk categories (rated low because they are either very unlikely to be exploited or would have very little impact) concerned making sure users choose a strong password, improving brute-force protections, letting you change your password more securely and close active sessions remotely, and the possibility of depositing less than the minimum into Autopilot or DeFi Earn by calling the APIs directly rather than going through the web interface.
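The high-rated withdrawal flaw and the low-rated minimum-deposit one share a root cause: a check that only the front-end performs, which a client talking to the API directly can skip. The following Python is an added illustration and not OSOM's code; the SQLite schema, the user "alice", the amounts (integer cents) and the per-product minimums are invented for the example. It contrasts a naive withdrawal handler, whose balance check and debit are two separate steps, with a hardened one in which the balance check is part of the UPDATE itself, a replayed request id is refused, and deposit minimums are enforced on the server.

```python
"""Server-side checks for a withdrawal/deposit flow (added illustration, not
OSOM's code). Schema, user, amounts (cents) and minimums are constructed."""
import sqlite3

# Hypothetical per-product minimum deposits, in cents. They live on the server,
# so a client that calls the API directly cannot skip them.
MIN_DEPOSIT_CENTS = {"autopilot": 5_000, "defi_earn": 10_000}


class InsufficientFunds(Exception):
    pass


def make_ledger(opening_balance_cents):
    """Fresh in-memory ledger with one user (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE balances (user TEXT PRIMARY KEY, balance INTEGER)")
    conn.execute("CREATE TABLE withdrawals (request_id TEXT PRIMARY KEY, "
                 "user TEXT, amount INTEGER)")
    conn.execute("INSERT INTO balances VALUES ('alice', ?)", (opening_balance_cents,))
    conn.commit()
    return conn


def balance_of(conn, user):
    return conn.execute("SELECT balance FROM balances WHERE user = ?",
                        (user,)).fetchone()[0]


# --- naive handler: read, check in application code, debit unconditionally ---

def naive_check(conn, user, amount):
    """Step 1: read the balance and compare it in Python."""
    return balance_of(conn, user) >= amount


def naive_apply(conn, user, amount):
    """Step 2: debit. Nothing re-checks that the balance still covers it."""
    conn.execute("UPDATE balances SET balance = balance - ? WHERE user = ?",
                 (amount, user))
    conn.commit()


def naive_withdraw_burst(conn, user, amount, n):
    """Model n requests fired at once from a tampered front-end: all of them
    pass step 1 before any reaches step 2, so each is approved against the same
    opening balance. Returns the resulting (possibly negative) balance."""
    approved = [naive_check(conn, user, amount) for _ in range(n)]
    for ok in approved:
        if ok:
            naive_apply(conn, user, amount)
    return balance_of(conn, user)


# --- hardened handler: atomic conditional debit + idempotent request id ------

def hardened_withdraw(conn, user, amount, request_id):
    """Returns 'ok', 'duplicate', 'insufficient' or 'invalid'.

    The balance condition is inside the UPDATE, so the database decides whether
    funds cover the debit at the moment it is written. A replayed request_id
    collides with the primary key and is refused. Both statements share one
    transaction, so a failed debit also discards the request record."""
    if not isinstance(amount, int) or amount <= 0:
        return "invalid"
    try:
        with conn:  # commits on success, rolls back on any exception
            conn.execute("INSERT INTO withdrawals VALUES (?, ?, ?)",
                         (request_id, user, amount))
            cur = conn.execute(
                "UPDATE balances SET balance = balance - ? "
                "WHERE user = ? AND balance >= ?",
                (amount, user, amount))
            if cur.rowcount != 1:
                raise InsufficientFunds
    except sqlite3.IntegrityError:
        return "duplicate"
    except InsufficientFunds:
        return "insufficient"
    return "ok"


def hardened_withdraw_burst(conn, user, amount, n):
    """Same burst as above, each request with its own id. Returns the outcomes."""
    return [hardened_withdraw(conn, user, amount, f"req-{i}") for i in range(n)]


def hardened_deposit(conn, user, product, amount):
    """The minimum is enforced here, whatever the web form showed the user."""
    minimum = MIN_DEPOSIT_CENTS.get(product)
    if minimum is None or not isinstance(amount, int) or amount < minimum:
        return "rejected"
    with conn:
        conn.execute("UPDATE balances SET balance = balance + ? WHERE user = ?",
                     (amount, user))
    return "ok"


if __name__ == "__main__":
    print("naive balance after 3x full withdrawal:",
          naive_withdraw_burst(make_ledger(10_000), "alice", 10_000, 3))
    ledger = make_ledger(10_000)
    print("hardened:", hardened_withdraw_burst(ledger, "alice", 10_000, 3),
          "balance:", balance_of(ledger, "alice"))
```

With an opening balance of 100.00 EUR, three simultaneous full withdrawals leave the naive ledger at -200.00 EUR, while the hardened handler accepts exactly one and reports the other two as insufficient; resubmitting the accepted request id is reported as a duplicate, and a deposit below the product minimum is rejected regardless of what the client validated. The same pattern applies to any store that supports a conditional update: the check that matters is the one the datastore evaluates while it writes.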
Ultimately, Group-IB's experts provided recommendations on how to eliminate the identified flaws in our web application. The OSOM team got to work immediately and fixed them all to improve our security chops. It's now tip-top, and we are looking forward to conducting a new round of security testing when we launch the next major feature of our web application.
This is not our only security measure!
Just in case you were wondering, the web application security testing exercises are not the only tool in our security toolkit.
When it comes to managing assets, we have several layers of security, from operational to technical.
In addition, we run a continuous bug bounty program on HackerOne, where we try to make it more rewarding for hackers to report the vulnerabilities they've found to us than to exploit them. To date we have happily paid out a couple of bounties, but never for anything platform-critical.
Since social engineering is an enormous threat vector (some would argue it's the biggest), we also conduct regular security trainings and awareness sessions with both our engineers and business teams. From fake invoices to fake crypto transaction requests sent to team members by people (badly) impersonating our CEO, we have seen a lot. And thus far, we have held strong.
And with that you have a pretty good overview of how safu* your funds are. If you have any questions, about security or anything else, don't hesitate to reach out to [email protected]
* Never heard of safu? It started as a misspelling of "safe" in a twitter post by the CEO of a crypto exchange, reassuring users after a hack that their funds were safe, and it has since been enshrined by CZ, the CEO of Binance, as the "Secure Asset Fund for Users", an insurance fund that covers users in the event of a hack. It's the colloquial way for exchanges and custodians to let everyone know that everything's fine.