Funds are Safu*! A look at our security in 2021

Read about our latest web application security testing exercise and some of our security measures

We think transparency is important, so we wanted to share what can be shared of our recent web application security testing exercise with you all. We cannot disclose the entire report as it contains sensitive details about the architecture of our service - and there is no reason to tempt the devil; but we can show what was done and what the general outcomes were.

For those who don't know, a web application security assessment is a detailed analysis of how secure a web application is and how resilient it is to attacks that aim to steal confidential information, cause system failures, or penetrate a company's internal infrastructure. We have conducted similar tests in the past but never got around to publishing the results, busy shipping as we were.

But as questions around security and the measures we are taking to protect your assets are increasingly being asked by the people joining us daily, we thought we would take a pause and offer as transparent an update as we can on the recent web app security tests we conducted.

The exercise was conducted by Group-IB this time. They are a Singapore-headquartered threat hunting and adversary-centric cyber intelligence company that specializes in investigating and preventing hi-tech cybercrimes. They are an official partner of Interpol and Europol.

Group-IB security assessments are conducted by a team of highly specialized experts with over 10 years of experience analyzing infrastructures and applications. Group-IB's experts hold more than 40 globally recognized certifications, including CREST CRT, CREST CPSA, OSCP, OSWE, CEH, CISA, GDPR DPP, PCI QSA, and more.

It was the first time that we asked the Group-IB team to test our web application. We think that it's good to switch things around to get as many eyes on the system as possible, and previous security tests had been conducted by other cybersecurity vendors.

What did this security assessment look like?

Group-IB performed the security assessment of our web app. We asked their specialists to conduct comprehensive, independent vulnerability testing and a security assessment of OSOM's web application and our existing defense mechanisms.

So, Group-IB's experts' mission was as follows:

  • The detection of vulnerabilities in the web application environment

  • The detection and confirmation of vulnerabilities in the web application

  • Attempts to exploit the vulnerabilities detected

  • The classification of detected vulnerabilities and assessment of their risk level

  • The development of expert recommendations on eliminating detected vulnerabilities

In our case this time, the security assessment was carried out using the grey box method: we provided the security team with two accounts and a test card issued for making payments. This contrasts with "black box" tests, where nothing is given to the "attackers", and "white box" tests, where the entire source code of the app is given to them. The "grey box" approach is what corresponds most closely to reality for us.

We then received a report for each step containing descriptions of all identified vulnerabilities, attack vectors and exploitation methods, as well as recommendations on how to mitigate the vulnerabilities and flaws found.

What did the report say?

Overall, we did very well, and funds are Safu!* Only 9 flaws were detected, over half of which were "low" and 0 were critical!

The most serious vulnerability - ranked "high" - made it possible to attempt to withdraw the euro prepayment balance multiple times by meddling with the front-end. While it did not necessarily lead to an outsized withdrawal (as we have other procedural checks and balances in place), we changed the withdrawal request logic to make this impossible.

Because of the way we handle crypto wallets, there was 0 chance of anything happening to your crypto.

The vulnerabilities in the lowest risk categories - rated low because they are either very unlikely to happen or would have very little impact - concerned making sure users have a strong password, improving brute-force protections, letting you change your password more securely and close active sessions remotely, and the possibility of depositing less than the minimums to Autopilot or DeFi earn when calling the APIs directly.
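As an added illustration of the two findings above (this is example code, not OSOM's own, and the product names, minimums and amounts are constructed), the "check, then debit" shape that lets a repeated front-end submission overdraw a prepayment balance sits beside a server-side handler that makes the check and the debit one atomic, idempotent step, plus a server-side minimum check that does not rely on the front-end form.

```python
import threading
from decimal import Decimal

# Constructed minimums for this example; OSOM's real product minimums are not on the page.
DEPOSIT_MINIMUMS = {"autopilot": Decimal("50"), "defi_earn": Decimal("100")}


class PrepaidLedger:
    """In-memory euro prepayment ledger (constructed for this example)."""

    def __init__(self, balance: str) -> None:
        self.balance = Decimal(balance)
        self._lock = threading.Lock()
        self._honoured: set[str] = set()  # request ids already debited

    # Vulnerable shape: the balance check and the debit are separate steps and
    # nothing ties a debit to one request, so a repeated submission that only the
    # front-end was supposed to prevent passes the check each time.
    def check_unsafe(self, amount: str) -> bool:
        return Decimal(amount) <= self.balance

    def debit_unsafe(self, amount: str) -> Decimal:
        self.balance -= Decimal(amount)
        return self.balance

    # Hardened shape: check and debit happen in one locked step and the request
    # id makes the operation idempotent, so a repeat is a no-op. In a real
    # service the lock is a database transaction plus a unique request-id column.
    def withdraw(self, request_id: str, amount: str) -> str:
        value = Decimal(amount)
        if value <= 0:
            return "rejected: non-positive amount"
        with self._lock:
            if request_id in self._honoured:
                return "duplicate: already processed"
            if value > self.balance:
                return "rejected: insufficient balance"
            self.balance -= value
            self._honoured.add(request_id)
            return "ok"


def accept_deposit(product: str, amount: str) -> str:
    """Server-side minimum check, enforced even when the API is called directly."""
    minimum = DEPOSIT_MINIMUMS.get(product)
    if minimum is None:
        return "rejected: unknown product"
    if Decimal(amount) < minimum:
        return f"rejected: below minimum of {minimum}"
    return "ok"
```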

Ultimately, Group-IB experts provided recommendations on how to eliminate the identified flaws in our web application. The OSOM team then got to work immediately and fixed it all up to improve our security chops. It's now tip-top, and we are looking forward to conducting a new security test when we launch the next major feature of our web application.

This is not our only security measure!

Just in case you were wondering, the web application security testing exercises are not the only tool in our security toolkit.

When it comes to managing assets, we have several layers of security, from operational to technical.

In addition, we have a continuous bug bounty program with HackerOne where we try to make it more rewarding for hackers to report to us the vulnerabilities they've found than to try and exploit them. To date we have happily paid out a couple of bounties, but never for anything platform-critical.

Since social engineering is an enormous threat vector - some would argue it's the biggest - we also conduct regular security training and awareness sessions with both our engineers and business teams. From fake invoices to fake crypto transaction requests to team members (badly) impersonating our CEO, we have seen a lot. And thus far, we have held strong.

And with that you have a pretty good overview of how safu* your funds are. If you have any questions - about security or anything else - don't hesitate to reach out to [email protected]

* Never heard of safu? It was a misspelling in a Twitter post by the CEO of a crypto exchange after a hack, meant to say that funds were "safe", and it has since been enshrined by CZ, the CEO of Binance, to mean that there is a "Secure Asset Fund for Users" that can act as an insurance fund against a hack. It's the "colloquial" way for exchanges and custodians to let everyone know that everything's fine.

For more insights on our cooperation with Group-IB around security this year, take a look below.