stockvaper

02/06/19 11:08 AM

#79247 RE: Tjainlv #79245

TJ, I think this may be helpful in explaining the measures taken to add security to Araloc to make the "unlawful" attempts at breaches much tougher and less frequent.

DATA443
ARALOC Software Security
Q 1: Has a security assessment been performed on the ARALOC Management Console and Database?
A: Yes. A comprehensive security assessment was conducted by independent consultants. These consultants were/are employed with firms such as RSA, Mandiant, Booz Allen Hamilton, and Verizon Business. These consultants hold numerous security certifications including, but not limited to, GIAC Penetration Tester (GPEN), Security+, Certified Ethical Hacker (CEH), and GIAC Web Application Penetration Tester (GWAPT).

Q 2: What was the scope of the security assessment?
A: The consultants conducted:

» Configuration reviews of hosting servers

» Configuration reviews of network appliances

» Vulnerability scans of Hosting Server OS

» Web Interface tests

» Checks for OWASP top 10 issues and others, including Code Injection, Privilege escalation, and horizontal account movement.

» Tests of ARALOC Apps – traffic capture, code review, decompile and process analysis.

Q 3: What was the result of the security assessment?
A: The assessment discovered three issues that were remediated as described below.

» Host OS Vulnerability – Remediated due to move to managed servers located in the Microsoft Azure Cloud.

» A limited number of user input points on the Management Console were identified as vulnerable to injection. Remediated.

» ARALOC Java Based App – possible content exposure between decrypting and viewing process. Remediated.

Q 4: What methodologies does Data443 use to ensure the security of its mobile applications?
A: ARALOC manages users, content, security keys and permissions on the ARALOC Management Console. Without first knowing a user’s name and password, it is impossible to download a key and decrypt protected content. All communication between the server and the client is encrypted, and cannot be read via a proxy.

On mobile devices, we provide several features to provide the highest levels of security:

» The ability to never store keys locally, always requiring internet authentication.

» All user information is encrypted locally using ARALOC technology.

» Not utilizing or clearing caches as needed.

https://www.data443.com/araloc-faq/