SaaS pentesting
Published:
September 4, 2023
Category:
SaaS
Organization:
Legartis

In our partnership with Legartis, speed and agility were at the forefront of our approach. Legartis, an award-winning SaaS company, entrusted us with conducting penetration testing of their solution, thereby helping them achieve their business goals.

Organization

Legartis is a LegalTech company that offers an innovative AI-based solution for contract review automation. It helps legal teams to accomplish their goals faster and with less risk, by simplifying complex legal processes and making them seamless and efficient. Legartis’s technology has earned numerous prestigious awards and is consistently advanced through partnerships with industry leaders.

Challenges

Legartis is a SaaS solution designed to streamline contract review through automation, so protecting its reputation from a cyber security perspective is critical. Additionally, Legartis' integration with Microsoft Word widens the attack surface available to threat actors.

Several damaging scenarios become possible once a malicious actor finds a suitable vulnerability, including:

  • Accessing other users' and other companies' contracts
  • Reaching internal network assets of Legartis
  • Accessing or editing other companies' playbooks, clauses, and users
  • Bypassing authentication and access control through OAuth or JWT misconfiguration

Process

  • The customer set up a dedicated testing environment that replicated the production website and API, with test users assigned the correct privileges in different test organizations. The customer also provided the MS Word plugin file used for the Legartis contract review function, configured to connect to the dedicated test environment.
  • We verified that the testing environment worked as expected by running a few functional tests, and then started the penetration test.
  • During the penetration test, the customer was very helpful and responsive to our ongoing needs and requests.
  • After the pentest was finished, the customer received a detailed report with the discovered vulnerabilities, remediation actions, an executive summary, and more.
  • Legartis fixed the vulnerabilities in a short time and requested a retest to confirm the fixes.
  • We confirmed that all vulnerabilities were fixed and sent the retest report to the customer, documenting each correct fix with proof-of-concept screenshots.

For business reasons, the prompt delivery of penetration testing service was a critical consideration for Legartis. Therefore, we remained dedicated to providing it swiftly with flexibility and effective communication throughout the process.

Solution

  • A gray-box penetration testing approach, simulating an attacker with partial knowledge of the system (such as a registered user or an insider), was determined to be the optimal strategy for the needs of Legartis. The penetration test focused on the application's access control mechanisms and on the structure of its API.
  • Having gained an understanding of the Legartis API and application mechanisms, we began vulnerability discovery and exploitation.
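As an added illustration of the kind of access-control check a gray-box test of a multi-tenant SaaS application performs (example code added to this write-up, not Legartis's application code or Zigrin's tooling; the in-memory API, the two handlers, the organization and contract identifiers and the test users are all constructed for illustration):

```python
"""Cross-tenant authorization check for a multi-tenant contract API (added example).

Two test organizations, one user each, and every user tries to read every
contract through the API. The vulnerable handler looks contracts up by ID alone
(an IDOR), the fixed handler scopes the lookup to the caller's tenant. The
check reports every cross-tenant read, and a second check confirms that
legitimate same-tenant access still works after the fix (the retest case).
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample data: two tenants, one contract each. Not real identifiers.
CONTRACTS: Dict[str, Dict[str, str]] = {
    "c-1001": {"org": "org-a", "title": "NDA with Acme"},
    "c-1002": {"org": "org-b", "title": "MSA with Globex"},
}


@dataclass
class Session:
    user: str
    org: str


@dataclass
class Response:
    status: int
    body: Optional[Dict[str, str]] = None


Handler = Callable[[Session, str], Response]


def get_contract_vulnerable(session: Session, contract_id: str) -> Response:
    """Looks the contract up by ID only: any authenticated user can read any tenant's contract."""
    contract = CONTRACTS.get(contract_id)
    if contract is None:
        return Response(404)
    return Response(200, contract)


def get_contract_fixed(session: Session, contract_id: str) -> Response:
    """Scopes the lookup to the caller's tenant.

    A foreign ID gets the same 404 as a missing one, so the response does not
    reveal which IDs exist in other organizations.
    """
    contract = CONTRACTS.get(contract_id)
    if contract is None or contract["org"] != session.org:
        return Response(404)
    return Response(200, contract)


def cross_tenant_findings(handler: Handler, sessions: List[Session],
                          contract_ids: List[str]) -> List[Tuple[str, str]]:
    """Run every session against every contract ID; return (user, contract) pairs
    where a user successfully read a contract belonging to another organization."""
    findings: List[Tuple[str, str]] = []
    for s in sessions:
        for cid in contract_ids:
            r = handler(s, cid)
            if r.status == 200 and r.body is not None and r.body["org"] != s.org:
                findings.append((s.user, cid))
    return findings


def own_tenant_denied(handler: Handler, sessions: List[Session]) -> List[Tuple[str, str]]:
    """Regression check for the retest: return (user, contract) pairs where a user
    can no longer read a contract that belongs to their own organization."""
    broken: List[Tuple[str, str]] = []
    for s in sessions:
        for cid, c in CONTRACTS.items():
            if c["org"] == s.org and handler(s, cid).status != 200:
                broken.append((s.user, cid))
    return broken


# Constructed test users: one per organization.
SESSIONS = [Session("alice", "org-a"), Session("bob", "org-b")]

if __name__ == "__main__":
    for name, h in (("vulnerable", get_contract_vulnerable), ("fixed", get_contract_fixed)):
        print(name, "cross-tenant reads:", cross_tenant_findings(h, SESSIONS, list(CONTRACTS)))
        print(name, "own-tenant regressions:", own_tenant_denied(h, SESSIONS))
```

The same loop works against a live API by replacing the handler with an HTTP call carrying each test user's token; the important part is that the test is driven from a known mapping of which identifiers belong to which organization, so every 200 on a foreign identifier is a finding and every non-200 on an own identifier is a regression.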

Avoided damages

Breaking availability for users and of application functions

Execution of malicious scripts and loading of unauthorized resources

Potential protocol downgrading

Business results

Have you considered incorporating penetration testing services into your sales or PR strategy? If not, it is worth noting that in this case our services not only improved the security of the client's solution, but the pentest report itself served as proof that helped Legartis close a deal with their customer.

Regular penetration testing can be a valuable asset in the portfolio of a SaaS company, helping it establish a reputation as a trusted partner and supporting business development, so it is worth considering as part of an effective business strategy.

If you need more information about web application penetration testing, take a look here: https://zigrin.com/services/web-application-security-testing/

Summary

Legartis sought a cybersecurity partner to conduct comprehensive penetration tests on their API and web application, covering the OWASP Top Ten vulnerabilities and multi-tenant security. Timely delivery was a top priority. While delivering our services, we took into account the specifics of Legartis's solution and its integration with Microsoft tools, and kept to the agreed schedule. Throughout the penetration test we maintained an open channel of communication with Legartis, responding to their needs, adapting to changes, and keeping them informed all along. Following the security tests and the remediation of all vulnerabilities, we produced a comprehensive pentest report. However, our client's perspective offers the best summary of this collaboration:

Zigrin Security completed a successful retest of the API and web app, resulting in a closed deal. The team was responsive and flexible to the client's requests. Virtual meetings ensured seamless project management. Zigrin Security was quick and agile.
– Gordian Berger, CTO, Legartis Technology AG

Would you like to see how we can secure a similar application in your company?
Our expert will ask you about your application and see if we can help improve its security.
