By applying advanced technology at an economical cost, CyStack has helped ViHAT comprehensively solve its network security issues through CyStack Web Security (CWS).
Our client
Our client, ViHAT, is one of the leading marketing technology companies in Vietnam, specializing in providing software, applications, and mobile solutions for individual and business customers. Operating since 2013, ViHAT has cooperated with more than 5,000 businesses in many fields, helping them improve marketing strategies, enhance brand image, and achieve breakthrough growth in revenue.
ViHAT's outstanding products include:
- TeraApp - mobile sales application creation platform
- eSMS - solution for sending SMS messages
- ZNS - solution for sending Zalo messages
- OMICall - IP-based calling solution.
In today's complex technology landscape, personal data has become a commodity that hackers constantly seek out because of its value. With more than 2 million visits per year and a large number of SMS messages and calls made every month around the world, ViHAT soon became aware of the importance of securing its customers' information and data.
Solution
ViHAT required a solution that reduced expenses and improved efficiency while fully complying with rigorous security protocols. The CyStack team therefore recommended our Vulnerability Assessment offering, which uses the CyStack Web Security scanner to identify system weaknesses.
Test object: Web application.
The two targets to be scanned in this project are:
- The eSMS website, ViHAT's SMS marketing program system for businesses
- The website that provides APIs for SMS.
Implementation time: August 18, 2023 - August 21, 2023.
Key features of the solution include:
- Scan sub-domains and addresses in the internal network
- Detect vulnerabilities using fuzzing techniques and CyStack's vulnerability database
- Monitor and warn of new problems automatically and continuously, helping to identify and handle new problems as soon as they appear
- Manage, monitor, prioritize, and remediate findings on a dedicated platform, helping to optimize response and ensure security system continuity
- Integrate scanning with CI/CD tools and performance improvement tools.
CyStack uses Asset Monitoring to help improve system security by continuously exploring sub-domains and IP addresses in the same network range and warning about exposed files, vulnerabilities, or configuration errors. Asset Monitoring includes 3 basic steps as follows:
Through this process, businesses proactively monitor incidents and data exposure risks and prevent Subdomain Takeover attacks, keeping their systems safe and preventing potential security breaches.
Our working process includes the following steps:
Step 1: Initial engagement
CyStack held discussions with ViHAT to better understand the needs, scope, and goals of the customer's project.
Step 2: Project planning
Based on ViHAT's specific requirements, CyStack built a detailed plan for the security assessment project, including the methodology and tools used.
Step 3: Assessment
CyStack proceeded with the CWS installation, performed the security assessment as outlined in the plan, and documented all findings during the scan.
Step 4: Real-time report
Vulnerabilities found were reported to ViHAT immediately and proactively through CyStack's vulnerability management system.
Step 5: Patching
The customer patched the vulnerabilities found, following CyStack's recommendations.
Step 6: Final report
CyStack prepared a complete report for ViHAT, including overview information and details of the findings.
Step 7: Follow-up
CyStack continued to monitor and communicate with ViHAT to ensure all issues had been completely resolved. At the same time, we advised on solutions to improve safety for all targets that were required to be scanned.
- Steps 3, 4, and 5 were repeated until all test cases were completed.
About CyStack Web Security (CWS)
CyStack Web Security (CWS) is an automated vulnerability scanning and monitoring tool for web applications developed by CyStack. CWS is built to simulate and automate the vulnerability assessment process by focusing on the following aspects:
- Identify vulnerabilities: CWS automatically scans for potential vulnerabilities in web applications and servers.
- Vulnerability prioritization: CWS helps businesses prioritize vulnerabilities based on their severity and potential impact. The Common Vulnerability Scoring System (CVSS) is a comprehensive tool that aids in making this assessment. CVSS is determined based on a variety of factors, such as the vulnerability's exploitability, the vulnerability's impact on the system, and the business's ability to fix it. CVSS is calculated on a scale of 1 to 10.
- Monitoring for new vulnerabilities: CWS continuously scans and detects vulnerabilities, providing alerts as soon as new vulnerabilities are discovered. This helps businesses stay informed and proactively address security risks.
- Progress tracking: CWS helps businesses track their vulnerability management process over time, helping businesses maintain a certain level of progress in minimizing the risk of cyber attacks.
CWS supports target scanning with 2 levels: Quick Scan and Deep Scan.
- Quick Scan: CWS scans websites for security vulnerabilities according to the OWASP Top 10 list, configuration errors, and known vulnerabilities (CVEs). This helps businesses reduce the risk of hackers attacking their website or web application and causing serious data incidents or hijacking.
- Deep Scan: CWS uses other in-depth methods to examine each part of the system more deeply, including:
CWS provides a full range of API calls, so a security vulnerability scan can be started as soon as there is a new commit on Git by sending a request to the API. Results are returned in a few minutes, helping programmers detect errors and fix them before deploying the application or putting it into operation. By integrating vulnerability scanning into the development and deployment process, businesses can ensure that their applications comply with industry standards and security best practices.
Start experiencing CWS now: https://web.cystack.net/
Result
This solution not only met ViHAT's requirement for a detailed security report but also reduced costs by a factor of 5 compared to conventional penetration testing solutions, along with a quick deployment time. After only 3 working days, a complete report was exported by CyStack and sent to ViHAT.
Using the CWS tool, the 2 scanned targets recorded a total of 122 security vulnerabilities, including 9 critical, 23 medium, 38 low, and 64 info.
Conclusion
Leveraging a comprehensive understanding of ViHAT's specifications and objectives, CyStack took the initiative to recommend our Vulnerability Assessment service to align with the client's accelerated schedule.
Throughout the engagement, CyStack upheld consistent communication and progress oversight. This enabled our team to calibrate and swiftly respond to any shifts, ensuring each milestone was accomplished within the established timeline and outcomes fulfilled ViHAT’s initial requirements.
Upon completing the website examination, we furnish clients with an exhaustive forensic report detailing prescriptive remediation guidance for any identified system vulnerabilities. This empirical evaluation equips customers to accurately appraise their current security posture and deploy appropriate controls to strengthen their protections.
About us
CyStack is a cybersecurity company based in Vietnam since 2017. We offer comprehensive solutions, including testing, security consulting, and managed services. With over 200 businesses and 25,000 users around the world, we are recognized as a trusted partner for organizations and a strong leading firm in cybersecurity research and development.
For more information, please visit: https://cystack.net/