[Confidential]

The flagship in the area of consumer goods distribution.

Security audit for the distribution company

The client is a distribution company, the largest in its field and region, with logistics and warehouse systems that meet international standards and allow it to deliver goods to the consumer as quickly as possible. The company's regional network covers the whole Russian Federation and consists of over 40 branches under several regional offices.

The client had a program designed for retailers to order goods, installed in tens of thousands of retail shops. At one point it was reported that the company's competitors had hacked into the software in order to collect confidential information about its pricing policy. With that information the competitors were able to offer their products at lower prices, causing the client material damage of up to several hundred thousand daily.

The client approached our team in 2009, aiming to identify the possible leaks and prevent further damage. Before that, the information security audit of the program had been conducted a few times and the system was considered highly secure. However, "Tecman" revealed new vulnerabilities and possibilities for hacking. We found 6 more ways of hacking into their system.

Testing with the "black box" approach (without knowing the product's inner mechanisms) revealed four vulnerabilities. The client was very surprised by these results and required confirmation. To prove it, we implemented one of the identified scenarios and provided the client with the database collected from the program, containing information about goods and their value. After getting access to the program's code we identified two more vulnerabilities. The result of our work was documentation with a detailed explanation of all the identified problems and the ways to eliminate them.

Testing took 6 weeks, another 2 weeks were spent on drafting the documentation, and 2 more weeks on establishing the terms of reference for fixing the identified vulnerabilities. The work was completed by a team of 3 people: a project manager, a specialist in information security and a technical writer.

Branch: Logistics, Provision of services
Technology: PHP
Solution: Information Security Audit
Platform: Web
01.09.2009

Address in Yaroslavl: Pobedy 38/27, Suite 503, Yaroslavl, 150040
Address in Moscow: Derbenevskaia n. 1/2, Moscow, 115114