<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:dc="http://purl.org/dc/elements/1.1/" version="2.0" xml:base="https://www.hackerone.com/">
  <channel>
    <title>Penetration Testing</title>
    <link>https://www.hackerone.com/</link>
    <description/>
    <language>en</language>
    
    <item>
  <title>HackerOne Now Licensed for Penetration Testing in Singapore</title>
  <link>https://www.hackerone.com/blog/hackerone-now-licensed-penetration-testing-singapore</link>
  <description><![CDATA[<span class="field field--name-title field--type-string field--label-hidden">HackerOne Now Licensed for Penetration Testing in Singapore</span>
        H1 Team
<span class="field field--name-uid field--type-entity-reference field--label-hidden"><span>joseph@hackerone.com</span></span>
<span class="field field--name-created field--type-created field--label-hidden">Mon, 03/03/2025 - 11:19
</span>
            March 3rd, 2025
<p dir="ltr"><span>Cyber threats don’t wait, and neither should your security strategy. Organizations across Singapore are facing growing regulatory demands and increasingly sophisticated cyber risks. The best defense? A proactive approach that uncovers vulnerabilities before attackers do.</span><br><br><span>That’s why we’re excited to announce that HackerOne is now officially licensed to provide penetration testing services in Singapore. With this new certification from the&nbsp;</span><a href="https://www.csro.gov.sg/resources/licensed-service-providers/"><span>Cybersecurity Services Regulation Office</span></a><span>, we can now bring our modern, scalable&nbsp;</span><a href="https://www.hackerone.com/product/pentest"><span>Pentest as a Service (PTaaS) solution</span></a><span> to businesses across the region—helping you strengthen security, meet compliance requirements, and stay ahead of cyber threats.</span></p>
<p dir="ltr"><span>Unlike traditional pentesting providers, we don’t just hand you a static report and walk away. Our agile, expert-driven approach gives you real-time collaboration, faster results, and deeper insights—so you can turn security gaps into strengths before attackers exploit them.</span></p>
<p dir="ltr"><span>Ready to rethink penetration testing? Here’s what this means for you.</span></p>
<h2 dir="ltr"><span><strong>Why This Matters for Organizations in Singapore</strong></span></h2>
<p dir="ltr"><span>Cybersecurity threats are increasing in complexity, and regulatory requirements are becoming stricter. Organizations in Singapore—particularly those handling sensitive data—should conduct penetration testing in line with laws, standards, and frameworks such as:</span></p>
<ul><li dir="ltr"><span>Monetary Authority of Singapore (MAS) TRM Guidelines</span></li><li dir="ltr"><span>Personal Data Protection Act (PDPA)</span></li><li dir="ltr"><span>PCI DSS</span></li><li dir="ltr"><span>NIST Cybersecurity Framework</span></li><li dir="ltr"><span>Cybersecurity Act of Singapore</span></li><li dir="ltr"><span>ISO 27001, SOC 2, and other international security standards</span></li></ul>
<p dir="ltr"><span>With our newly approved penetration testing services, businesses can now proactively identify vulnerabilities, strengthen their security posture, and align with local and global regulations.</span></p>
<h2 dir="ltr"><span><strong>Modern, Scalable Pentesting for APAC</strong></span></h2>
<p dir="ltr"><span>HackerOne’s Pentest as a Service (PTaaS) model modernizes the traditional penetration testing process, offering a faster, more flexible, and outcome-driven approach. Instead of rigid, slow-moving engagements, our platform allows you to:</span></p>
<ul><li dir="ltr"><span>Launch pentests in days, not weeks</span></li><li dir="ltr"><span>Access a vetted global community of security experts with deep industry knowledge</span></li><li dir="ltr"><span>Collaborate in real time to address findings and strengthen security</span></li><li dir="ltr"><span>Meet compliance mandates while focusing on meaningful risk reduction</span></li></ul>
<p dir="ltr"><span>Unlike traditional consultancy-based pentests, HackerOne PTaaS integrates seamlessly into your security workflow, ensuring continuous security improvement rather than a one-time report.</span></p>
<h2 dir="ltr"><span><strong>What Sets HackerOne’s Pentesting Apart?</strong></span></h2>
<p dir="ltr"><span>HackerOne delivers elite penetration testing services backed by industry-leading expertise and technology. Our approach is designed for speed, accuracy, and business-aligned security outcomes.</span></p>
<ul><li dir="ltr"><span><strong>Speed</strong>: Start your pentest in 4-7 business days</span></li><li dir="ltr"><span><strong>Vetted Experts</strong>: 75% of our testers have 5+ years of experience</span></li><li dir="ltr"><span><strong>High-Impact Results</strong>: 19% of findings are critical or high severity, twice the industry average</span></li><li dir="ltr"><span><strong>AI-Powered Insights</strong>: Our AI Copilot (Hai) helps interpret complex reports and suggests remediation steps</span></li><li dir="ltr"><span><strong>Seamless Integrations</strong>: Works with Jira, GitHub, ServiceNow, Slack, and more for streamlined remediation</span></li></ul>
<p dir="ltr"><span>With a licensed and highly specialized security testing team, HackerOne ensures that your organization stays ahead of attackers, meets compliance requirements, and builds a more resilient security posture.</span></p>
<h2 dir="ltr"><span><strong>Next Steps: How to Get Started</strong></span></h2>
<p dir="ltr"><span>Now that HackerOne is a licensed penetration testing provider in Singapore, organizations in the region can start securing their systems with our expert-led pentesting services.</span></p>
<p dir="ltr"><span><strong>Interested in pentesting?</strong></span><a href="https://www.hackerone.com/product/pentest#form"><span> Contact us today</span></a><span> to discuss your security needs.</span><br><span><strong>Want to learn more?</strong> Explore our</span><a href="https://hackerone.drift.click/Pentest"><span> Pentest Solution Brief</span></a><span> for detailed insights into our methodology and coverage areas.</span></p>
                                                                                <a href="https://www.hackerone.com/blog/news-updates" hreflang="en">News &amp; Updates</a>
            <a href="https://www.hackerone.com/blog/topic/penetration-testing" hreflang="en">Penetration Testing</a>
            <a href="https://www.hackerone.com/blog/topic/security-compliance" hreflang="en">Security Compliance</a>
]]></description>
  <pubDate>Mon, 03 Mar 2025 17:19:19 +0000</pubDate>
    <dc:creator>joseph@hackerone.com</dc:creator>
    <guid isPermaLink="false">5568 at https://www.hackerone.com</guid>
    </item>
<item>
  <title>Azure Cloud Configuration Review</title>
  <link>https://www.hackerone.com/blog/azure-cloud-configuration-review</link>
  <description><![CDATA[<span class="field field--name-title field--type-string field--label-hidden">Azure Cloud Configuration Review</span>
        Paul De
            Technical Engagement Manager
<span class="field field--name-uid field--type-entity-reference field--label-hidden"><span>h1_admin</span></span>
<span class="field field--name-created field--type-created field--label-hidden">Fri, 12/13/2024 - 12:44
</span>
            December 13th, 2024
<h2 dir="ltr">Testing Methodologies</h2>
<p dir="ltr">HackerOne’s Microsoft Azure testing methodologies are grounded in the principles of the&nbsp;<a href="https://pentest-standard.readthedocs.io/en/latest/" target="_blank">PTES</a>,&nbsp;<a href="https://www.cisecurity.org/benchmark/azure" target="_blank">CIS Microsoft Azure Benchmarks</a>, and the&nbsp;<a href="https://learn.microsoft.com/en-us/azure/well-architected/security/" target="_blank">Azure Well-Architected Framework Security Pillar</a>. Additionally, our testing processes adhere to the standards required for&nbsp;<a href="https://www.hackerone.com/security-compliance/crest-pentesting">CREST</a> certification/accreditation, ensuring comprehensive and reliable assessments across various cloud environments, including Microsoft Azure. Organizations can now better protect themselves against risk and attacks with highly skilled experts who have specialized, proven expertise in vulnerabilities specific to the products and services in their Azure cloud environment.</p>
<h2 dir="ltr">Common Vulnerabilities</h2>
<p dir="ltr">Microsoft Azure operates with a Shared Responsibility Model that outlines the division of security responsibilities between Microsoft and its customers. The division of responsibility varies with the deployment type: Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS). With any deployment, though, customers are responsible for the security of their data, devices, and accounts. With the vast number of possible combinations of Azure services and their configurations, it is easy to overlook vulnerabilities that arise from misconfigurations.</p>
<h3 dir="ltr">Entra ID Misconfigurations</h3>
<p dir="ltr"><strong>Entra ID</strong> (formerly known as Azure Active Directory) is the&nbsp;<strong>Identity and Access Management</strong> (<strong>IAM</strong>) service for Microsoft’s cloud environments. Users in Entra ID can be both internal and external to your organization. If audits are not performed regularly, guest credentials can persist past the point where they are needed, which is a possible entry point for compromise. Other IAM misconfigurations can occur as well.</p>
<p dir="ltr">Outside of the cloud, local&nbsp;<strong>Active Directory</strong> <strong>(AD)</strong> runs on servers known as&nbsp;<strong>Domain Controllers&nbsp;(DC)</strong>. Each DC holds the list of entities that are authorized to access network resources. Users authenticate using the Kerberos or NTLM protocols.</p>
<p dir="ltr">Your self-hosted AD can be synchronized with this cloud variant using Entra Connect Sync; this on-premises and cloud combination is referred to as a hybrid deployment. If your organization uses a hybrid authentication model with the&nbsp;<strong>pass-through</strong> or&nbsp;<strong>federated</strong> methods, publicly exposed passwords are reported only if the&nbsp;<strong>password hash synchronization</strong> feature is explicitly enabled.</p>
<p dir="ltr"><strong>Multi-factor authentication (MFA)</strong>&nbsp;must also be enabled, as the default configuration does not enforce it. This should be applied to the&nbsp;<strong>Service Management API</strong>&nbsp;and to all user accounts.</p>
<p dir="ltr">Additionally, there are two group types within Entra ID:&nbsp;<strong>Security</strong> and&nbsp;<strong>M365</strong>. The creation of these groups should be restricted to administrators only. Groups let you organize users within your cloud environment by department and give them access to shared resources. By default, a newly created M365 group is set to public, which can lead to users sharing sensitive information with a wider audience than intended. It is vital to secure the connected IAM systems in both Azure and on-premises environments so that an attacker cannot exploit a misconfiguration in one IAM system to pivot to the other. Security is only as strong as the weakest link.</p>
<h3 dir="ltr">Microsoft RBAC Misconfigurations</h3>
<p dir="ltr">Managing who has access to Azure resources, what actions they can take against them, and what areas of the cloud they can reach is achieved through&nbsp;<strong>Role Based Access Control</strong> <strong>(RBAC)</strong>. By assigning a role to a user, user group, or service, fine-grained access control can be implemented. Role assignments consist of three elements: a&nbsp;<strong>security principal</strong>, a&nbsp;<strong>role definition</strong>, and a&nbsp;<strong>scope</strong>. The security principal identifies the entity to which a collection of permissions, the role definition, applies. Once a role definition is assigned to a security principal, a scope is applied that defines which resources and services may be accessed.</p>
<p dir="ltr">While several built-in roles are provided, misconfigurations can arise when creating custom roles. For example, a wildcard character (*) grants access to every action that can be executed on a resource. Without corresponding&nbsp;<strong>NotActions</strong> that explicitly list the actions that must not be performed, wildcards can lead to unauthorized access to sensitive data and functionality.</p>
<h3 dir="ltr">Virtual Network Misconfigurations</h3>
<p dir="ltr"><strong>Virtual Networks</strong> provide the means to partition your organization’s hosts through subnetting. To ensure members of your organization only have access to the portions of the network required to perform their duties, <strong>network security groups</strong> with stringent rules need to be implemented. The creation of these groups should be restricted to administrators only.</p>
<p dir="ltr">Misconfigurations in security group rules can lead to unauthorized access to hosts and services. Rules are built from multiple parameters, including the source, destination, protocol, traffic direction, port or port range, and priority level. Even when rules are established, the vast number of possible combinations of these parameters makes access oversights easy.</p>
<p dir="ltr">Additionally, rules are processed in priority order. As soon as traffic matches a rule, processing stops, so the intended rule may never be enforced if its priority ranking is misconfigured.</p>
<p dir="ltr">Modifications to rules, or their complete removal, apply only to subsequent connections; existing connections are not re-evaluated. This can also lead to unauthorized access if users who no longer meet the updated criteria already had access to the resource. Misconfigurations in routing tables and forced tunneling settings can also lead to unapproved network access. Attackers can exploit these misconfigurations to reach any Azure resource on that network segment.</p>
<h3 dir="ltr">App Service Misconfigurations</h3>
<p dir="ltr">Azure&nbsp;<strong>App Service</strong> is a&nbsp;<strong>Platform-as-a-Service</strong> <strong>(PaaS)</strong> for building, deploying, and scaling web applications and APIs.</p>
<p dir="ltr">Authentication for this service is disabled by default on new web applications, allowing anonymous access. Once enabled, the feature enforces authentication on all HTTP requests before they reach the application code. Because anonymous access by default is insecure, additional configuration hardening is required.</p>
<p dir="ltr">Azure&nbsp;<strong>Function Apps</strong> default to public access but can be restricted to Azure&nbsp;<strong>Virtual Networks</strong> <strong>(VNets)</strong> for enhanced security. Unless absolutely necessary, public access should be limited using private endpoints to prevent unauthorized access. Functions should use access keys and should not be configured with accounts that hold administrative privileges. It is vital to restrict and harden access in accordance with the&nbsp;<a href="https://csrc.nist.gov/glossary/term/least_privilege" target="_blank">Principle of Least Privilege</a>.</p>
<p dir="ltr">Azure&nbsp;<strong>Web Apps</strong> support both HTTP and HTTPS, with HTTP access allowed by default. All traffic should be redirected to HTTPS to provide encrypted communication.</p>
<h3 dir="ltr">Advisor Misconfigurations</h3>
<p dir="ltr">The Azure&nbsp;<strong>Advisor</strong> service provides detailed, actionable recommendations that can improve the security of your organization’s cloud environment. By default, all recommendations are enabled. However, with the appropriate permission levels, recommendations can be excluded for specific subscriptions or resources. Recommendations can also be postponed or dismissed on a single resource. Dismissed recommendations will not be shown again unless manually reactivated. Forgotten recommendations that were dismissed or disabled entirely can leave you unaware of critical security issues, leaving your environment vulnerable to exploitation.</p>
<h3 dir="ltr">Activity Log Misconfigurations</h3>
<p dir="ltr">Microsoft’s&nbsp;<strong>Azure Monitor</strong> collects and aggregates data from every area and resource across your Azure environment. The&nbsp;<strong>Activity Log</strong> maintains an audit trail of the actions taken within the environment, which is crucial for threat monitoring and incident response. It is vital to ensure that alerts for critical events such as “<strong>Delete PostgreSQL Database</strong>” are enabled so that significant changes to your environment are noticed immediately.</p>
<h3 dir="ltr">Virtual Machine Misconfigurations</h3>
<p dir="ltr"><strong>Virtual Machines&nbsp;(VMs)</strong> are scalable computing resources provided by Microsoft that allow users to run applications and workloads in the Azure cloud.</p>
<p dir="ltr">Misconfigured rules such as “<strong>install approved extensions only</strong>” and “<strong>enable automatic OS upgrades</strong>” can lead to vulnerabilities. Since extensions run with administrator privileges, the use of vulnerable extensions can result in privilege escalation and remote code execution attacks. Outdated operating systems can also contain known vulnerabilities waiting to be exploited. Additionally, VMs should be configured to use managed disk volumes encrypted with a managed key. This also applies to unattached disks in the subscription.</p>
<h3 dir="ltr">Blob Storage Misconfigurations</h3>
<p dir="ltr">Microsoft Azure offers various storage services. The&nbsp;<strong>Blob Storage</strong> service can hold massive amounts of unstructured data, such as text and binary data, in a network of remote servers. By default, any files uploaded to the cloud are set to private. However, improper access configurations can lead to unauthorized access to sensitive data.</p>
<p dir="ltr">In Azure, unique namespaces for your data are known as&nbsp;<strong>storage accounts</strong>. Within these accounts, blob files are organized in containers, similar to how files are stored in directories. Each blob can be accessed via a URL of the form https://[storage-account].blob.core.windows.net/[container-name]/[blob-name]</p>
<p dir="ltr">Since the storage account name is the only dynamic part of the URL, any containers that are unintentionally set to the “<strong>Public read access for container and its blobs</strong>” access level can be easily enumerated and their contents read.</p>
<p dir="ltr">A dictionary attack would not be very effective at enumerating file names unless they were generically named. However, a&nbsp;<strong>List Blobs</strong> API call, a GET request to https://[storage-account].blob.core.windows.net/[container-name]?restype=container&amp;comp=list, can be issued to enumerate the blobs in a publicly accessible container. If these containers were supposed to be protected, this leads to unauthorized access to critical data.</p>
<p dir="ltr">Additionally, vulnerabilities can arise in the absence of the “<strong>enable immutable blob storage</strong>” rule, which allows critical data to be stored in a state that prevents modification and deletion for a specified amount of time.</p>
<h3 dir="ltr">Azure Database Service Misconfigurations</h3>
<p dir="ltr">Azure offers a number of different database options for data storage in the cloud. Encryption both at rest and in transit is vital to ensuring sensitive data is not accessed or intercepted by unauthorized third parties. Robust auditing and logging measures are also critical for allowing your organization to quickly identify and respond to potential data theft.</p>
<p dir="ltr">As a best practice, separate accounts should be used for database access. This limits the potential threat an account could pose in the event it is compromised. The principle of least privilege and a zero trust security model should be the foundations for deciding who has access to your organization's database services. By taking a defense-in-depth approach to database security, you can iteratively harden against data breaches through the use of firewalls at differing levels, access management policies, encryption, regular auditing, and threat detection tooling.</p>
<h3 dir="ltr">Azure Key Vault Misconfigurations</h3>
<p dir="ltr">The secure storage and accessibility of secrets within your Azure environment can be accomplished using Azure&nbsp;<strong>Key Vault</strong>.</p>
<p dir="ltr">Proper key vault-specific RBAC and the separation of key vaults are vital to limiting secret access to only those who have the required permission levels and a need to access them. Any user accounts that do meet these requirements should have MFA enabled, as their privileged roles pose a greater risk to an organization should they be compromised. Data could be permanently lost if a threat actor gained access to one of these accounts and soft-delete and purge protection were not configured.</p>
<p dir="ltr">Automatic key rotation should be enabled in your organization's key policy. This automatically renews a key at configured intervals, which mitigates continued access to secrets by members whose access has been revoked or who no longer belong to your organization.</p>
<p dir="ltr">Key vaults should be configured to only allow connections through private endpoints; misconfigurations that expose vaults publicly increase your organization's attack surface. Additionally, it is crucial to enable logging on key vaults in order to detect suspicious access and activate response processes.</p>
<h3 dir="ltr">Azure Defender Misconfigurations</h3>
<p dir="ltr"><strong>Defender</strong> is a&nbsp;<strong>cloud-native application protection platform</strong> <strong>(CNAPP)</strong> that provides a suite of security measures and practices. Designed to improve your organization's security posture, Defender assists in identifying vulnerabilities across your entire attack surface.</p>
<p dir="ltr">Defender should be enabled for all of your organization's resources and services, including those on-premises and those hosted with other cloud providers. This security tool can provide a comprehensive level of hardening to your assets, but only if it is aware of them to begin with. Defender provides security recommendations in order to remediate the security gaps it identifies. For example, Defender will alert you to any software updates that should be applied to virtual machines. Misconfigured exemptions for these suggestions can result in assets being left in a vulnerable state.</p>
<h2 dir="ltr">Azure Configuration Review Best Practices</h2>
<h3 dir="ltr">Careful Scoping</h3>
<p dir="ltr">Having the right scope is crucial to a successful pentest—what is being tested can be just as important as how it is being tested. An Azure environment can be vast, with various resources and services distributed throughout.</p>
<p dir="ltr">By strategically selecting targets within your cloud environment, you can ensure quality time is dedicated to your most critical cloud assets. This curation can mean the difference between an inconsequential configuration review and a valuable review that discovers high-impact vulnerabilities. HackerOne assesses your assets to provide guidance on which ones to include and delivers a quote tailored to your specific requirements.</p>
<h3 dir="ltr">Skills-Based Tester Matching</h3>
<p dir="ltr">Traditional consultancies often rely on in-house pentesters with general skills. However, Azure pentesting requires specialized knowledge of the environment and of cloud security practices.</p>
<p dir="ltr">With HackerOne Pentest, delivered via a Pentest as a Service (PTaaS) model, customers gain access to a diverse pool of elite, vetted security researchers who bring a wide range of skills, certifications, and experience specific to Microsoft Azure. The HackerOne platform keeps track of each researcher's skill set based on their track record and matches the most suitable researchers to each engagement. The community-driven PTaaS approach delivers comprehensive coverage, versatility, and&nbsp;<a href="https://www.hackerone.com/penetration-testing/modern-pentesting-effectiveness">the highest-quality results</a> tailored to the services in your Azure environments.</p>
<h2 dir="ltr">Case Study: Microsoft’s Own Misconfiguration</h2>
<p dir="ltr">In October 2022, Microsoft confirmed that an Azure Blob Storage container holding 2.4 terabytes of sensitive data had been&nbsp;<a href="https://socradar.io/sensitive-data-of-65000-entities-in-111-countries-leaked-due-to-a-single-misconfigured-data-bucket/" target="_blank">left exposed due to a misconfiguration</a>. Over 300,000 emails, 133,000 projects, and the information of 548,000 users belonging to 65,000 companies were publicly accessible. Included in this data were items such as invoices, intellectual property, and internal comments.</p>

Source: Misconfigured Server Storage discovered by&nbsp;<a href="https://socradar.io/sensitive-data-of-65000-entities-in-111-countries-leaked-due-to-a-single-misconfigured-data-bucket/" target="_blank">SOCRadar Cloud Security Module</a>

<p dir="ltr">The misconfigured bucket was maintained and owned by Microsoft itself, and the company only became aware of the issue after being notified of the vulnerability by threat intelligence provider&nbsp;<a href="https://socradar.io/">SOCRadar</a>. After receiving the notification, the technology giant resolved the issue by reconfiguring the storage bucket to a private state. Although there was no indication of unauthorized access, it was only a matter of luck that threat actors did not notice and access this misconfigured bucket first.</p>
<h2 dir="ltr">Why HackerOne PTaaS Is the Best Option for Azure Cloud Review</h2>
<p dir="ltr">By choosing HackerOne as your partner in pentesting, your organization can fully benefit from the&nbsp;<a href="https://www.hackerone.com/product/pentest" target="_blank">community-driven pentest-as-a-service (PTaaS) model</a> that provides unmatched expertise and resources for Azure Security Configuration pentests. The HackerOne platform streamlines the entire pentest process to deliver the greatest return on investment in risk reduction.</p>
<p dir="ltr">By leveraging both the people and the technology, your organization gains the following advantages:</p>
<ul><li dir="ltr"><strong>Comprehensive Azure Security Configuration Reviews:</strong> Access pentesters with deep expertise in auditing and improving Azure cloud configurations to secure your cloud infrastructure against vulnerabilities.</li><li dir="ltr"><strong>Efficient Program Initiation:</strong> Experience rapid program setup with direct communication channels to testers, ensuring on-demand delivery of findings.</li><li dir="ltr"><strong>Streamlined Pentest Management:</strong> Utilize the HackerOne Platform for pentest management, including&nbsp;<a href="https://docs.hackerone.com/en/articles/8568260-azure-devops-integration" target="_blank">a bi-directional Azure DevOps integration</a> to align development and security teams, reducing manual back-and-forth communication. The result is a streamlined security vulnerability remediation workflow.</li><li dir="ltr"><strong>Extended Attack Surface Coverage:</strong> Our diverse community of security researchers excels in uncovering misconfigurations and vulnerabilities unique to Azure environments, enabling comprehensive security audits without the need to switch vendors.</li></ul>
<p dir="ltr"><a href="https://www.hackerone.com/contact">Contact the HackerOne team</a> today to get started!</p>
            <a href="https://www.hackerone.com/blog/topic/vulnerability-management" hreflang="en">Vulnerability Management</a>
            <a href="https://www.hackerone.com/blog/topic/penetration-testing" hreflang="en">Penetration Testing</a>
<p>As organizations turn to cloud solutions to address their information technology (IT) needs, environments such as Microsoft Azure become highly attractive targets for cybercriminals seeking to exploit configuration vulnerabilities. To safeguard Azure environments, HackerOne offers a methodology-driven penetration testing solution delivered via a Pentest as a Service (PTaaS) model. This approach connects organizations with&nbsp;<a href="https://docs.hackerone.com/en/articles/8538639-pentester-selection-and-vetting-process">a heavily vetted cohort of a global ethical hacker community</a> for comprehensive, end-to-end pentesting. Frequent, dedicated pentesting using a community-driven PTaaS model is crucial to finding vulnerabilities in your Azure resource configurations.</p>
      ]]></description>
  <pubDate>Fri, 13 Dec 2024 18:44:47 +0000</pubDate>
    <dc:creator>h1_admin</dc:creator>
    <guid isPermaLink="false">5460 at https://www.hackerone.com</guid>
    </item>
<item>
  <title>Network and Information Systems Directive (NIS2) Compliance: What You Need to Know</title>
  <link>https://www.hackerone.com/blog/network-and-information-systems-directive-nis2-compliance-what-you-need-know</link>
  <description><![CDATA[<span class="field field--name-title field--type-string field--label-hidden">Network and Information Systems Directive (NIS2) Compliance: What You Need to Know</span>
        Sandeep Singh
            Director, Technical Services
<span class="field field--name-uid field--type-entity-reference field--label-hidden"><span>h1_admin</span></span>
<span class="field field--name-created field--type-created field--label-hidden">Wed, 11/27/2024 - 08:38
</span>
            November 26th, 2024
            <p dir="ltr">This blog will break down the NIS2 Directive, drawing on the original directive briefing published by the European Parliament, and explain how organizations can prepare for compliance, including the pivotal role of penetration testing (pentesting) and how HackerOne can assist with these efforts.</p><h2>NIS2 Directive</h2><p dir="ltr">The&nbsp;<strong>NIS2 Directive</strong> aims to enhance the security of network and information systems within the EU by requiring operators of essential and important services to implement adequate security measures and report cybersecurity incidents. It applies to organizations across a wide range of sectors, from critical infrastructure like energy and transport to key digital providers and public services.</p><p dir="ltr">Key updates in NIS2:</p><ul><li dir="ltr"><strong>Broader Scope</strong>:<a href="https://ec.europa.eu/newsroom/dae/redirection/document/72155" target="_blank"> NIS2 expands</a> the range of sectors under its purview, including digital infrastructure, healthcare, telecom, social media, and public administration, recognizing that these industries are increasingly susceptible to cyber threats.</li><li dir="ltr"><strong>Risk Management Obligations</strong>: Organizations must now have comprehensive risk management and cybersecurity measures, including business continuity plans, incident response procedures, and supply chain security. The directive lists key elements that every in-scope entity must address as part of these measures, including incident handling, supply chain security, encryption, and vulnerability handling and disclosure, for which a vulnerability disclosure program (VDP) is the usual mechanism.</li><li dir="ltr"><strong>Enhanced Incident Reporting</strong>: Under NIS2, incident reporting requirements have become stricter and are staged. 
Entities must send an early warning to the competent authority or CSIRT within 24 hours of becoming aware of a significant incident, follow it with a fuller incident notification within 72 hours, and submit a final report within one month.</li></ul><p dir="ltr">NIS2 introduces more stringent oversight for essential entities, those where a cyber event could cause significant disruption. These include sectors like energy, banking, health, and water. Important entities, such as digital service providers, are held to the same security requirements but are supervised reactively: authorities act on evidence of non-compliance or after an incident rather than through routine proactive audits.</p><h2>NIS2 Obligations</h2><p dir="ltr">Under NIS2, organizations must comply with strengthened cybersecurity requirements that include:</p><ul><li dir="ltr">Incident handling and crisis management</li><li dir="ltr">Vulnerability handling and disclosure</li><li dir="ltr">Risk assessment and management policies</li><li dir="ltr">Business continuity and disaster recovery plans</li><li dir="ltr">Incident response strategies</li><li dir="ltr">Supply chain security protocols</li><li dir="ltr">Encryption and cryptography measures</li><li dir="ltr">Cybersecurity training and basic hygiene practices</li><li dir="ltr">Human resource security, access control policies, and asset management</li></ul><p dir="ltr">Regular testing and auditing of security measures is also required for NIS2 compliance, highlighting the importance of penetration testing as a method of verifying that cybersecurity defenses are effective.</p><h2>Difference Between NIS2 and DORA</h2><p>Although both NIS2 and&nbsp;<a href="https://www.hackerone.com/penetration-testing/dora">DORA (Digital Operational Resilience Act)&nbsp;</a>are aimed at improving cybersecurity, they target different areas and industries.</p><ul><li dir="ltr">NIS2 focuses on enhancing cybersecurity across a broad range of sectors, including critical infrastructure, healthcare, energy, and digital service providers. 
It emphasizes a risk-based approach, requiring organizations to develop and implement security measures, manage risks, and ensure business continuity.</li><li dir="ltr">DORA, on the other hand, is a regulation specifically designed for the financial sector, ensuring the digital operational resilience of financial entities, including banks, insurers, and investment firms. It focuses more on financial stability in the face of cyber threats.</li></ul><p>The key difference lies in scope: while NIS2 covers a wide variety of sectors, DORA is tailored to the financial services industry and imposes stricter, more prescriptive testing and security requirements on financial institutions, including threat-led penetration testing (TLPT) for designated entities.</p><p>Financial entities that fall within the scope of both must map their obligations carefully. DORA is lex specialis to NIS2: for financial entities, DORA's requirements on ICT risk management, incident reporting, and resilience testing apply in place of the corresponding NIS2 provisions, and DORA's testing regime is the more demanding of the two, so a financial entity that satisfies DORA's testing obligations will also meet NIS2's expectation of regular testing.</p><p dir="ltr"><em>Learn more about&nbsp;</em><a href="https://www.hackerone.com/penetration-testing/dora"><em>DORA Requirements and Pentesting</em></a><em>.</em></p><h2>Pentesting for NIS2 Compliance</h2><p dir="ltr">The NIS2 briefing emphasizes the necessity of testing and auditing cybersecurity measures to ensure their effectiveness in real-world scenarios. This is where pentesting becomes a vital tool. 
Pentesting simulates cyberattacks on an organization's systems to identify vulnerabilities and assess the robustness of current defenses.</p><p dir="ltr">By regularly conducting pentests, organizations can:</p><ul><li dir="ltr">Identify and mitigate vulnerabilities.</li><li dir="ltr">Assess the effectiveness of incident response plans.</li><li dir="ltr">Document improvements in security posture over time.</li><li dir="ltr">Ensure ongoing compliance with NIS2’s risk management obligations.</li></ul><p dir="ltr">Pentesting is particularly crucial for essential entities, which are subject to more rigorous supervision and enforcement under the directive.</p><h2>Achieve NIS2 Compliance with HackerOne’s Comprehensive Portfolio&nbsp;</h2><p dir="ltr">HackerOne provides a full suite of cybersecurity solutions to help organizations comply with the stringent requirements of the NIS2 Directive. Our portfolio includes a Pentest as a Service (PTaaS) model, Vulnerability Disclosure Programs (VDPs), and Bug Bounty programs. This integrated approach aligns with NIS2’s mandates for continuous risk assessment, vulnerability management, and incident response, as outlined in the directive.</p><p dir="ltr">At the core,&nbsp;<a href="https://www.hackerone.com/product/pentest">HackerOne Pentest</a> delivers thorough, methodology-driven security testing conducted by vetted and highly skilled security researchers. In alignment with&nbsp;<a href="https://digital-strategy.ec.europa.eu/en/faqs/directive-measures-high-common-level-cybersecurity-across-union-nis2-directive-faqs" target="_blank">NIS2’s requirements for cybersecurity risk management and incident reporting</a>, our pentest services help organizations establish, maintain, and test their cybersecurity measures as part of a comprehensive risk management framework. 
Each engagement provides detailed reports and audit-ready documentation to support compliance efforts, ensuring that your organization can demonstrate adherence to the NIS2 Directive’s requirements for cybersecurity resilience.</p><p dir="ltr">Our pentesting services are complemented by:</p><ul><li dir="ltr"><strong>VDPs</strong>:&nbsp;<a href="https://www.hackerone.com/response">HackerOne Response</a> aligns with NIS2’s incident reporting and&nbsp;also addresses the "<a href="https://ec.europa.eu/newsroom/dae/redirection/document/72155" target="_blank">vulnerability handling and disclosure</a>"&nbsp;<a href="https://www.europarl.europa.eu/RegData/etudes/BRIE/2021/689333/EPRS_BRI(2021)689333_EN.pdf" target="_blank">requirements</a>, enabling organizations to continuously intake, manage, and respond to vulnerabilities reported by security researchers. These programs provide a structured approach for organizations to handle security incidents, as required by NIS2, ensuring timely identification and remediation of risks. <a href="https://www.hackerone.com/product/response-vulnerability-disclosure-program#packaging">HackerOne Essential VDP</a> is a great place to get started, with a free self-serve VDP solution.</li><li dir="ltr"><strong>Bug Bounty Programs</strong>:&nbsp;<a href="https://www.hackerone.com/product/bug-bounty-platform">HackerOne Bounty</a> offers continuous, human-powered security testing, allowing organizations to meet NIS2’s requirements for ongoing risk management. By inviting security researchers to identify vulnerabilities, Bug Bounty programs provide real-time insights into emerging threats. With HackerOne’s Managed Bug Bounty option, organizations can receive tailored support, including triaging vulnerabilities and providing detailed remediation recommendations. 
This ensures that critical systems and applications are constantly evaluated, addressing the needs for NIS2’s supply chain security and third-party risk management.</li></ul><p dir="ltr">HackerOne’s human-powered, continuous approach ensures that organizations can meet NIS2’s demands for regular cybersecurity assessments and incident response procedures. By leveraging HackerOne's global network of security researchers, including EU-based security professionals, organizations can ensure that their cybersecurity defenses are thoroughly evaluated and aligned with the NIS2 Directive’s standards. <a href="https://www.hackerone.com/contact">Contact the HackerOne team to learn more.</a></p>
      

            
            <a href="https://www.hackerone.com/blog/topic/security-compliance" hreflang="en">Security Compliance</a>
        
            
            <a href="https://www.hackerone.com/blog/topic/penetration-testing" hreflang="en">Penetration Testing</a>
        
    

            <p dir="ltr">The&nbsp;<a href="https://www.europarl.europa.eu/thinktank/en/document/EPRS_BRI(2021)689333" target="_blank">NIS2 Directive&nbsp;</a>represents an essential evolution in the European Union's approach to cybersecurity, building upon the first NIS Directive. It responds to today’s more interconnected digital world and the growing sophistication of cyber threats.&nbsp;<a href="https://www.statista.com/forecasts/1280009/cost-cybercrime-worldwide" target="_blank">As cybercrime escalates, with global damage reaching $8.5 trillion in 2023</a>, the need for robust, adaptable cybersecurity policies has never been more critical.</p>
      ]]></description>
  <pubDate>Wed, 27 Nov 2024 14:38:47 +0000</pubDate>
    <dc:creator>h1_admin</dc:creator>
    <guid isPermaLink="false">5450 at https://www.hackerone.com</guid>
    </item>
<item>
  <title>AWS Security Configuration Review and Best Practices</title>
  <link>https://www.hackerone.com/blog/aws-security-configuration-review-and-best-practices</link>
  <description><![CDATA[<span class="field field--name-title field--type-string field--label-hidden">AWS Security Configuration Review and Best Practices</span>
    



    
        Jaimin Gohel
        
            Senior Technical Engagement Manager
      
    


<span class="field field--name-uid field--type-entity-reference field--label-hidden"><span>h1_admin</span></span>
<span class="field field--name-created field--type-created field--label-hidden">Wed, 10/23/2024 - 12:45
</span>

            
  
      
  
            October 23rd, 2024

      
            <p dir="ltr">In fact, the Cloud Security Alliance’s&nbsp;<a href="https://cloudsecurityalliance.org/artifacts/top-threats-to-cloud-computing-2024" target="_blank">Top Threats to Cloud Computing 2024 Report</a> ranks the following concerns as the top three:</p><ol><li dir="ltr">Misconfiguration and inadequate change control</li><li dir="ltr">Identity and Access Management (IAM)</li><li dir="ltr">Insecure Interfaces and APIs</li></ol><p dir="ltr">To safeguard AWS environments, HackerOne offers a methodology-driven AWS security configuration review delivered via a Pentest as a Service (PTaaS) model. This approach connects organizations with&nbsp;<a href="https://docs.hackerone.com/en/articles/8538639-pentester-selection-and-vetting-process">a heavily vetted cohort of a global security researcher community</a> for a comprehensive, end-to-end evaluation. Performing dedicated reviews frequently, through a community-driven PTaaS, is crucial to finding vulnerabilities in your AWS resource configurations.</p><h2 dir="ltr">AWS Security Config Testing Methodologies</h2><p dir="ltr">HackerOne’s AWS testing methodologies are grounded in the principles of the&nbsp;<a href="https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html" target="_blank">CIS Amazon Web Services Foundations Benchmark Level One</a> and the&nbsp;<a href="https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/welcome.html" target="_blank">Security Pillar of the AWS Well-Architected Framework</a>. Additionally, our testing processes adhere to the standards required for&nbsp;<a href="https://www.hackerone.com/security-compliance/crest-pentesting">CREST</a> certification/accreditation, ensuring comprehensive and reliable assessments across various cloud environments, including AWS. 
Organizations using AWS can now better protect against risk and attacks with highly skilled&nbsp;<a href="https://aws.amazon.com/certification/" target="_blank">AWS-Certified</a> experts with specialized, proven expertise in vulnerabilities specific to the products and services in your AWS cloud environment.</p><p dir="ltr">Each security configuration review engagement by HackerOne focuses on the AWS services and configurations most critical to an organization’s cloud infrastructure security, including:&nbsp;</p><ul><li><p dir="ltr">IAM</p></li><li><p dir="ltr"><a href="https://aws.amazon.com/s3/">Amazon S3</a> (Simple Storage Service)</p></li><li><p dir="ltr"><a href="https://aws.amazon.com/config/" target="_blank">AWS Config</a></p></li><li><p dir="ltr"><a href="https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html" target="_blank">CloudTrail</a></p></li><li><p dir="ltr"><a href="https://aws.amazon.com/ec2/" target="_blank">Elastic Compute Cloud</a> (EC2)</p></li><li><p dir="ltr"><a href="https://aws.amazon.com/rds/" target="_blank">Amazon Relational Database Services</a> (RDS)</p></li><li><p dir="ltr"><a href="https://aws.amazon.com/vpc/" target="_blank">Amazon Virtual Private Cloud</a> (VPC)</p></li></ul><h2 dir="ltr">Common AWS Vulnerabilities</h2><p dir="ltr">AWS operates under a&nbsp;<a href="https://aws.amazon.com/compliance/shared-responsibility-model/" target="_blank">Shared Responsibility Model</a> that outlines the division of security responsibilities between AWS and its customers. AWS is responsible for the security of the underlying cloud infrastructure, while customers are responsible for the security of their data, applications, and configurations within the AWS environment. 
With the vast number of possible combinations of AWS services and configurations, it is easy to overlook vulnerabilities that arise from misconfigurations.</p><h3 dir="ltr">IAM Misconfigurations</h3><p dir="ltr"><strong>Service Control Policies</strong> (<strong>SCPs</strong>) set broad, organization-wide permission boundaries. They define the maximum permissions available to the accounts in an organization or organizational unit; an SCP never grants permissions by itself, it only filters what the IAM policies inside the member accounts are able to allow. SCPs do not apply to the organization's management account.</p><p dir="ltr">By default, the&nbsp;<em>FullAWSAccess</em> SCP is attached to every root, OU, and account, so SCPs impose no restriction at all until you attach explicit deny statements or replace the default with an allow-list.</p><p dir="ltr">On the other hand, <strong>Identity and Access Management</strong> (<strong>IAM</strong>) policies define the permissions of individual users, groups, and roles. IAM allows for precise, customized access control within the limits set by SCPs. A lack of&nbsp;<strong>Multi-Factor Authentication</strong> (<strong>MFA</strong>) and password/access key mismanagement, such as long-lived access keys or keys committed to source code, can result in unauthorized access to your AWS account.&nbsp;</p><p dir="ltr">Excessive permissions can also lead to unauthorized access to resources. For example, the incorrect use of wildcard characters (<strong>*</strong>) in the <em>Action</em> or <em>Resource</em> elements of these policies can create privilege escalation paths. 
To illustrate, the following IAM policy document could be abused:</p><pre>{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:AttachUserPolicy"
      ],
      "Resource": [
        "arn:aws:iam::321123321123:user/*"
      ]
    }
  ]
}</pre><p dir="ltr">This statement allows the <em>iam:AttachUserPolicy</em> action against every user in the account (the wildcard in the <em>Resource</em> element), and no <em>Condition</em> restricts which policy may be attached. Any principal holding this permission can therefore attach any managed policy, including <em>AdministratorAccess</em>, to any user in the account, including themselves. 
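</p><p dir="ltr">The following is an added example, not code from the original post or from HackerOne, that turns the check above into a small static scanner. It takes an IAM policy document as a Python dict, flags Allow statements granting actions that can hand out permissions, and rates each by whether the resource is a wildcard and whether a <em>Condition</em> constrains the grant. The two policy documents, the account ID 321123321123 (the placeholder used in the post), and the user and policy names are constructed. AWS evaluates permissions in context (SCPs, permissions boundaries, resource and session policies), so a hit here is a candidate for review rather than a proven escalation; the hardened variant shows the two changes that clear the finding, a single target user and an <em>iam:PolicyARN</em> condition pinning the one policy that may be attached.</p>

```python
"""Flag IAM policy statements that open privilege-escalation paths.

Added example for this post, not HackerOne tooling or AWS code. The two
policy documents are constructed for illustration; the account ID
321123321123 is the placeholder used in the post.
"""
import fnmatch

# IAM actions that let a principal hand out permissions (non-exhaustive).
ESCALATION_ACTIONS = {
    "iam:AttachUserPolicy", "iam:AttachGroupPolicy", "iam:AttachRolePolicy",
    "iam:PutUserPolicy", "iam:PutGroupPolicy", "iam:PutRolePolicy",
    "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion",
    "iam:CreateAccessKey", "iam:CreateLoginProfile", "iam:UpdateLoginProfile",
    "iam:UpdateAssumeRolePolicy", "iam:PassRole",
}

# The statement from the post: AttachUserPolicy against every user, no condition.
VULNERABLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["iam:AttachUserPolicy"],
        "Resource": ["arn:aws:iam::321123321123:user/*"],
    }],
}

# Least-privilege rewrite: one target user, and only one approved policy ARN
# may be attached (iam:PolicyARN is a documented IAM condition key).
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["iam:AttachUserPolicy"],
        "Resource": ["arn:aws:iam::321123321123:user/report-reader"],
        "Condition": {"ArnEquals": {
            "iam:PolicyARN": "arn:aws:iam::321123321123:policy/ReadOnlyReports"
        }},
    }],
}


def _as_list(value):
    """IAM allows a string or a list for Statement/Action/Resource; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern: str, action: str) -> bool:
    """IAM action patterns are case-insensitive and support * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _is_wildcard_resource(resource: str) -> bool:
    """'*' or an ARN whose final segment is a wildcard covers every target."""
    return resource == "*" or resource.endswith("/*") or resource.endswith(":*")


def find_escalation_paths(policy: dict) -> list:
    """Return one finding per Allow statement that grants an escalation action.

    Severity: HIGH when the statement covers every target (wildcard resource)
    and carries no Condition; MEDIUM when only one of those holds; LOW when the
    grant is scoped to specific resources and constrained by a condition.
    """
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        patterns = _as_list(stmt.get("Action"))
        granted = sorted(a for a in ESCALATION_ACTIONS
                         if any(_action_matches(p, a) for p in patterns))
        if not granted:
            continue
        wildcard = any(_is_wildcard_resource(r) for r in _as_list(stmt.get("Resource")))
        unconditional = not stmt.get("Condition")
        if wildcard and unconditional:
            severity = "HIGH"
        elif wildcard or unconditional:
            severity = "MEDIUM"
        else:
            severity = "LOW"
        findings.append({"statement": index, "actions": granted,
                         "wildcard_resource": wildcard,
                         "unconditional": unconditional, "severity": severity})
    return findings


if __name__ == "__main__":
    for name, policy in (("vulnerable", VULNERABLE_POLICY), ("hardened", HARDENED_POLICY)):
        for f in find_escalation_paths(policy):
            print(f"{name}: statement {f['statement']} {f['severity']} {f['actions']}")
```

<p dir="ltr">Run as a script it prints one HIGH finding for the post's statement and one LOW finding for the scoped rewrite. In a review workflow the same function can be applied to every customer-managed policy returned by <em>iam:ListPolicies</em> and <em>iam:GetPolicyVersion</em>, with the HIGH results checked first.</p><p dir="ltr">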
With this excessive permission configuration, a user could grant themselves a policy that includes administrative functionality.</p><p dir="ltr">During the HackerOne security review, IAM policies will be thoroughly assessed to verify adherence to the principle of least privilege, ensuring that users and services are provisioned with only the minimum permissions required for their specific roles and functions.</p><h3 dir="ltr">Security Group &amp; Network ACL Misconfigurations</h3><p dir="ltr">A&nbsp;<strong>security group</strong> acts as a virtual firewall for AWS resources such as&nbsp;<strong>Elastic Compute Cloud</strong> (<strong>EC2</strong>) instances by controlling inbound and outbound traffic based on rule sets. A network&nbsp;<strong>access control list</strong> (<strong>ACL</strong>), by contrast, applies inbound and outbound rules to an entire Amazon&nbsp;<strong>Virtual Private Cloud</strong> (<strong>VPC</strong>) subnet or group of subnets.</p><p dir="ltr">The rules of both controls allow or deny traffic based on criteria such as source and destination, protocol, and port or port range. They differ in important ways: security groups are stateful and contain only allow rules (anything not allowed is implicitly denied, and return traffic for an allowed connection is admitted automatically), whereas network ACLs are stateless, support explicit deny rules, and are evaluated in rule-number order, so return traffic must be allowed separately, typically on the ephemeral port range.</p><p dir="ltr">Misconfigurations of security groups and ACLs, such as an inbound rule permitting 0.0.0.0/0 to a database or management port (22, 3389, 3306, 5432), can result in unfiltered ingress and egress traffic leading to unauthorized access to critical systems such as internal applications or databases. Overly restrictive configurations can be just as problematic, blocking legitimate users or resources from reaching the resources they need.</p><p dir="ltr">As part of the HackerOne security assessment, Security Groups and Network Access Control Lists (NACLs) will be meticulously evaluated to identify potential misconfigurations. 
The review will focus on ensuring that these network controls implement the principle of least privilege, allowing only necessary traffic while blocking unauthorized access to maintain a robust security posture for resources.</p><h3 dir="ltr">S3 Misconfigurations</h3><p dir="ltr">Amazon&nbsp;<strong>Simple Storage Service</strong> (<strong>S3</strong>) is an AWS data storage service that uses “buckets” as containers to store objects.</p><p dir="ltr">By default, new buckets, their access points, and stored objects are private. Public access can only be granted through bucket policies, access control lists, and access point policies, and since April 2023 AWS creates new buckets with Block Public Access enabled and ACLs disabled, so making a bucket public requires deliberately changing both settings.</p><p dir="ltr">However, unintentionally making private buckets public, or storing sensitive information in a bucket that is intended to be public, can expose that data to anyone who knows the bucket’s URL, leading to significant data breaches. Even private buckets may be compromised without proper authentication, encryption, and permission configurations in place.</p><p dir="ltr">The consequences of such data breaches can include financial loss, legal ramifications, regulatory compliance violations, and damage to an organization’s reputation.</p><p dir="ltr">S3 buckets can also be used to carry out a subdomain takeover. A subdomain takeover occurs when a subdomain’s DNS record points to a service that is no longer in use; in this case, that service is S3.</p><p dir="ltr">When creating a bucket, the given name is combined with an Amazon S3 hostname to form the bucket’s endpoint.</p><p dir="ltr">Since buckets are accessible over the web, they can be used to store web assets such as images, videos, or even entire static websites. For buckets configured to host websites, the bucket name is used as a subdomain of the region-specific website endpoint. 
Depending on the region, the website endpoint uses either a hyphen or a dot as the delimiter before the region name:</p><ul><li dir="ltr">http://[bucket-name].[s3-website<strong>-</strong>region].amazonaws.com</li><li dir="ltr">http://[bucket-name].[s3-website<strong>.</strong>region].amazonaws.com</li></ul><p dir="ltr">Bucket names are globally unique across all AWS accounts in a partition: once claimed, a name is unavailable to anyone else until the original bucket is deleted. A DNS CNAME record can then alias a subdomain to the website endpoint. Note that S3 routes website requests by the Host header, so the bucket must be named exactly as the subdomain (for example, a bucket named <em>assets.example.com</em> for the hostname assets.example.com).</p><p dir="ltr">When an organization deletes a bucket and the bucket name is released, but the CNAME record is not removed, anyone can create a bucket with that name and host arbitrary content under the original organization’s subdomain. Until the bucket is recreated, the website endpoint answers such requests with a 404 whose body carries the error code <em>NoSuchBucket</em>, which is the signature reviewers look for when hunting dangling records. This can also lead to additional vulnerabilities when other pages still load scripts or other content from the now-compromised subdomain, or when cookies are scoped to the parent domain.</p><p dir="ltr">HackerOne's security assessment will examine S3 bucket configurations to identify potential misconfigurations, ensuring proper access controls, encryption settings, and versioning are in place to protect sensitive data stored in the cloud.</p><h3 dir="ltr">CloudTrail Misconfigurations</h3><p dir="ltr">AWS&nbsp;<strong>CloudTrail</strong> records the API calls made against the resources in your AWS account, supporting compliance with internal policies and regulatory standards. It provides continuous monitoring and generates log files of events that allow you to identify suspicious activity.</p><p dir="ltr">While CloudTrail is enabled automatically, the default <em>Event history</em> view only retains the past 90 days of management events and is not a substitute for a configured trail. 
A trail (or a CloudTrail Lake event data store) must be configured explicitly in order to persist logs durably to S3, cover all regions with a multi-region trail that also includes global service events such as IAM, capture additional event types such as S3 object-level and Lambda data events where needed, enable log file validation so that tampering is detectable, encrypt the logs with a KMS key, and lock down access to the S3 bucket they are stored in.</p><h2 dir="ltr">AWS Configuration Review Best Practices</h2><h3 dir="ltr">Careful Scoping</h3><p dir="ltr">Having the right scope is crucial to a successful pentest: what is being tested can be just as important as how it is being tested. An AWS environment can be vast, with various resources and services distributed throughout. Combining an AWS configuration review with both internal network and web application penetration testing for cloud-hosted systems offers a comprehensive security assessment. This integrated approach provides pentesters with a holistic view of the environment, leading to more effective and thorough results.</p><p dir="ltr">By strategically selecting targets within your cloud environment, you can ensure quality time is dedicated to your most critical cloud assets. This curation can mean the difference between an inconsequential configuration review and a valuable review that discovers high-impact vulnerabilities. HackerOne assesses your assets in order to provide guidance on which ones to include and delivers a quote tailored to your specific requirements.</p><h3 dir="ltr">Skills-Based Tester Matching</h3><p dir="ltr">Traditional consultancies often rely on in-house pentesters with general skills. However, AWS configuration review requires specialized knowledge of the AWS environment and cloud security practices.</p><p dir="ltr">With HackerOne, customers gain access to a diverse pool of elite, vetted security researchers who bring a wide range of skills, certifications, and experience specific to AWS. The HackerOne platform tracks each researcher's skill set based on their track record and matches the most suitable researchers for each engagement. 
The community-driven PTaaS approach delivers comprehensive coverage, versatility, and&nbsp;<a href="https://www.hackerone.com/penetration-testing/modern-pentesting-effectiveness">the highest-quality results&nbsp;</a>tailored to the products and services of your AWS environments.</p><h2 dir="ltr">Case Study: An “Erratic” Breach</h2><p dir="ltr">In 2019, Paige Thompson, a former AWS engineer, exploited a misconfigured&nbsp;<strong>web application firewall</strong> (<strong>WAF</strong>) running on an EC2 instance at Capital One. This led to the&nbsp;<a href="https://dl.acm.org/doi/10.1145/3546068" target="_blank">exfiltration of sensitive credit card application data</a> belonging to roughly 106 million individuals.</p><p dir="ltr">Due to the WAF misconfiguration, externally supplied requests could be relayed to internal resources (a server-side request forgery, or SSRF). Thompson, who went by the username “erratic” online, used this to query the EC2 instance metadata service at 169.254.169.254. The metadata service returned the name of the IAM role attached to the instance along with temporary credentials for that role. The role had excessive privileges that allowed her to list and read the S3 buckets containing the sensitive data.</p><p dir="ltr">Even though the data was encrypted, the role also allowed decryption, which let Thompson download the contents of nearly 700 S3 buckets of credit card application data.</p><p dir="ltr">Two controls now address this attack path directly. IMDSv2, released by AWS in November 2019, requires a session token obtained with a PUT request (which typical SSRF and proxy misconfigurations cannot issue) and defaults to a response hop limit of one, so instances should be set to require it (<em>HttpTokens=required</em>). Instance roles should also be scoped to the specific buckets and KMS keys the workload needs, with S3 data events logged in CloudTrail and GuardDuty's instance-credential exfiltration findings monitored.</p><h2 dir="ltr">HackerOne PTaaS for AWS Cloud Review</h2><p dir="ltr">By choosing HackerOne as your partner in pentesting, your organization can fully benefit from the&nbsp;<a href="https://www.hackerone.com/product/pentest">community-driven PTaaS model</a>. The HackerOne Platform streamlines the entire pentest process to deliver the greatest return on investment in risk reduction.</p><p dir="ltr"><br>With the integration of HackerOne in the AWS Security Hub, AWS customers can sync all vulnerability findings into a single console for management and prioritization. 
The Security Hub findings can also be compared to those found by the HackerOne community, in order to match duplicates, understand status, and&nbsp;<a href="https://www.hackerone.com/vulnerability-remediation-step-step-guide">plan remediation</a>.</p><p dir="ltr">Our diverse community of AWS-Certified security researchers brings the expertise needed to thoroughly audit your AWS cloud environment configurations for vulnerabilities. You will extend your attack surface coverage and be able to address vulnerabilities arising from cloud misconfigurations. Instead of switching pentest vendors to find diverse testing expertise, you find it all in this talented community of certified hackers. <a href="https://www.hackerone.com/contact">Contact the HackerOne team</a> today to get started.</p>
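<p dir="ltr">The S3 subdomain takeover scenario from the S3 Misconfigurations section above, as an added example that is not part of the original post or HackerOne's tooling: a small triage routine that recognises both S3 website endpoint forms (hyphen and dot before the region), works out which bucket name an attacker would have to claim, and reports a hostname as dangling when the endpoint answers 404 with <em>NoSuchBucket</em>. The DNS records and HTTP responses are constructed; a live version would resolve each hostname's CNAME with a DNS library and fetch the hostname itself. REST-style endpoints (<em>bucket.s3.amazonaws.com</em>) can dangle too but are outside this check.</p>

```python
"""Triage CNAME records that point at S3 website endpoints for takeover risk.

Added example for the S3 Misconfigurations section, not HackerOne tooling.
The DNS records and HTTP responses are constructed; a live check would
resolve each hostname's CNAME and fetch http://<hostname>/ itself.
"""
import re

# Website endpoints are "<bucket>.s3-website-<region>.amazonaws.com" in older
# regions and "<bucket>.s3-website.<region>.amazonaws.com" in newer ones. The
# bucket label is optional because routing is actually done on the Host header.
WEBSITE_ENDPOINT = re.compile(
    r"^(?:(?P<bucket>[a-z0-9][a-z0-9.-]{1,61}[a-z0-9])\.)?"
    r"s3-website[-.](?P<region>[a-z]{2}(?:-gov)?-[a-z]+-\d)\.amazonaws\.com\.?$",
    re.IGNORECASE,
)


def parse_website_endpoint(target: str):
    """Return (bucket or None, region) for an S3 website endpoint, else None."""
    match = WEBSITE_ENDPOINT.match(target.strip())
    if match is None:
        return None
    bucket = match.group("bucket")
    return (bucket.lower() if bucket else None, match.group("region").lower())


def classify(hostname: str, cname_target: str, status: int, body: str) -> dict:
    """Classify one hostname/CNAME pair using the response from fetching it.

    verdict is one of:
      not-s3-website  the CNAME does not point at an S3 website endpoint
      live            the bucket answering for this hostname exists
      dangling        S3 reports NoSuchBucket, so anyone can create the bucket
    """
    host = hostname.lower().rstrip(".")
    parsed = parse_website_endpoint(cname_target)
    if parsed is None:
        return {"hostname": host, "verdict": "not-s3-website"}
    cname_bucket, region = parsed
    # S3 selects the bucket from the Host header, so the bucket that serves
    # (or could hijack) this hostname is the one named exactly like the host.
    verdict = "dangling" if status == 404 and "NoSuchBucket" in body else "live"
    return {"hostname": host, "region": region, "bucket_to_claim": host,
            "cname_bucket": cname_bucket, "verdict": verdict}


def dangling_hosts(records) -> list:
    """Hostnames from (hostname, cname, status, body) tuples that are takeover candidates."""
    results = (classify(*record) for record in records)
    return [r["hostname"] for r in results if r["verdict"] == "dangling"]


def nosuchbucket_page(bucket: str) -> str:
    """Constructed body mirroring the shape of S3's website-endpoint 404 page."""
    return ("<html><head><title>404 Not Found</title></head><body>"
            "<h1>404 Not Found</h1><ul><li>Code: NoSuchBucket</li>"
            "<li>Message: The specified bucket does not exist</li>"
            f"<li>BucketName: {bucket}</li></ul></body></html>")


# Constructed sample: (hostname, CNAME target, HTTP status, response body).
SAMPLE_RECORDS = [
    ("assets.example.com", "assets.example.com.s3-website-us-east-1.amazonaws.com",
     404, nosuchbucket_page("assets.example.com")),
    ("docs.example.com", "docs.example.com.s3-website.eu-west-2.amazonaws.com",
     200, "<html>docs</html>"),
    ("old.example.com", "s3-website-us-west-2.amazonaws.com",
     404, nosuchbucket_page("old.example.com")),
    ("www.example.com", "cdn.example-provider.net", 200, "<html>www</html>"),
    ("files.example.com", "files.example.com.s3.amazonaws.com", 200, "<html>files</html>"),
]

if __name__ == "__main__":
    for record in SAMPLE_RECORDS:
        print(classify(*record))
```

<p dir="ltr">On the constructed records, assets.example.com and old.example.com come back as dangling: the CNAMEs still point at S3 but no bucket with those names exists, so the remediation is to delete the CNAME (or recreate the bucket under your own account) before someone else claims the name.</p>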
      

            
            <a href="https://www.hackerone.com/blog/topic/penetration-testing" hreflang="en">Penetration Testing</a>
        
    

            <p>As more and more organizations turn to Amazon Web Services (AWS) solutions to address their IT needs, these environments become highly attractive targets for cybercriminals seeking to exploit&nbsp;misconfigurations.</p>
      ]]></description>
  <pubDate>Wed, 23 Oct 2024 17:45:56 +0000</pubDate>
    <dc:creator>h1_admin</dc:creator>
    <guid isPermaLink="false">5436 at https://www.hackerone.com</guid>
    </item>
<item>
  <title>Pentesting for Internal Networks</title>
  <link>https://www.hackerone.com/blog/pentesting-internal-networks</link>
  <description><![CDATA[<span class="field field--name-title field--type-string field--label-hidden">Pentesting for Internal Networks</span>
    



    
        Paul De
        
            Technical Engagement Manager
      
    


<span class="field field--name-uid field--type-entity-reference field--label-hidden"><span>h1_admin</span></span>
<span class="field field--name-created field--type-created field--label-hidden">Wed, 10/09/2024 - 09:09
</span>

            
  
      
  
            October 9th, 2024

      
            <h2 dir="ltr">Testing Methodologies</h2><p dir="ltr">HackerOne's testing methodologies are grounded in the principles of the <a href="https://pentest-standard.readthedocs.io/en/latest/" target="_blank">PTES</a>, <a href="https://www.isecom.org/OSSTMM.3.pdf" target="_blank">OSSTMM</a>,&nbsp;<a href="https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-115.pdf" target="_blank">NIST SP 800-115</a>, and&nbsp;<a href="https://www.crest-approved.org/member_companies/hackerone/" target="_blank">CREST</a> and can be tailored to various assessment types including internal networks. Our methodology is continuously evolving to ensure comprehensive coverage for each pentesting engagement. This approach stems from:</p><ul><li dir="ltr">Consultations with both internal and external industry experts.</li><li dir="ltr">Leveraging and adhering to recognized industry standards.</li><li dir="ltr">Gleaning insights from a vast array of global customer programs, spanning both time-bound and ongoing engagements.</li><li dir="ltr">Detailed analysis of millions of vulnerability reports we receive through our platform.</li></ul><p dir="ltr">Threats are constantly evolving, so our methodology can't remain stagnant. HackerOne’s Delivery team, including experienced <a href="https://docs.hackerone.com/en/articles/8541431-your-pentest-team">Technical Engagement Managers</a> (TEMs), constantly refine and adapt based on feedback and real-world experiences, delivering unparalleled security assurance.</p><h2 dir="ltr">Common Internal Network Vulnerabilities</h2><h3 dir="ltr">General Network Security Issues</h3><p dir="ltr">Network segmentation is the practice of isolating portions of the network to enhance security. By partitioning the network into portions based on characteristics such as organization department or privilege requirements, adversaries will be cordoned off from the network in its entirety in the event of unauthorized network access. 
This means additional attack techniques will be required to pivot between sections. This can be achieved through the use of components such as firewalls, switches, and routers.</p><p dir="ltr">Misconfigurations in network ingress and egress points can result in devastating security incidents. For instance, applications and databases meant for internal usage can expose sensitive data if accidentally placed into a subnet with a routing table and gateway that allows for public access over the Internet. Insufficient segmentation can also lead to non-compliance with applicable industry regulations such as&nbsp;<a href="https://www.hackerone.com/security-compliance/gdpr-pentesting">GDPR</a>,&nbsp;<a href="https://www.hackerone.com/security-compliance/hipaa-pentesting">HIPAA</a>, or&nbsp;<a href="https://www.hackerone.com/security-compliance/nist-800-53-fisma-fedramp">NIST 800-53</a>.</p><p dir="ltr">Using unencrypted protocols that transmit data across a network in plaintext can also lead to security breaches. Any malicious attackers that gain local access can utilize network traffic inspection tools in order to obtain sensitive data without needing to convert it into a human-readable format. Protocols such as the File Transfer Protocol (FTP) and Network File System (NFS) should be replaced with their secure, encrypted variants (SFTP, SNFS).</p><p dir="ltr">A lack of credential security best practices can and often causes security breaches. By not enforcing security measures such as credential rotation schedules, strength requirements, and Multi-Factor Authentication (MFA), accounts can be hijacked trivially using techniques such as dictionary attacks.</p><h3 dir="ltr">Vulnerabilities Specific to Microsoft Environments</h3><p dir="ltr">Microsoft Active Directory (AD) is one of the most widespread technologies in internal networks. AD services are used for centralizing, inventory management, and configuring machines and users across an organization. 
AD is often tied to Microsoft 365/Azure via various hybrid models.</p><p dir="ltr">The use of outdated protocols, insecure cryptography, and a myriad of access control misconfigurations can lead to vulnerabilities that result in stolen credentials, domain/privilege escalation, and persistence.</p><h4 dir="ltr">ADCS</h4><p dir="ltr"><a href="https://learn.microsoft.com/en-us/windows-server/identity/ad-cs/active-directory-certificate-services-overview" target="_blank">Active Directory Certificate Services (ADCS)</a> is a Windows Server role used to issue and manage&nbsp;<a href="https://www.okta.com/uk/identity-101/public-key-infrastructure/" target="_blank">public-key infrastructure (PKI)</a> certificates. These certificates are used to encrypt and digitally sign data and also provide a means of authentication by linking certificate keys with computer, user, or device accounts on the network. Through the use of certificate templates, administrators can specify settings such as:</p><ul><li dir="ltr">How long a certificate is valid for</li><li dir="ltr">The purpose of a certificate (<em>client/server authentication, code signing, etc.</em>)</li><li dir="ltr">How the account is identified</li><li dir="ltr">Who is allowed to request a certificate</li></ul><p dir="ltr">When a client requests a certificate, they generate asymmetric keys and include the public key in a Certificate Signing Request (CSR). The CSR also includes the name of the desired template and the identity of the requesting client. Certificates are issued by the Enterprise Certificate Authority (CA) only after it verifies that the client is permitted to request the certificate based on the settings of the template. If the client’s request is permitted, the CA signs the certificate and sends it to the client. 
These asymmetric keys can then be used as proof to ensure certain operations are only executed by the intended entities.</p><p dir="ltr">Issues arise when these certificate templates are misconfigured. For convenience, Subject Alternative Names (SAN) can be used to attach cross-domain users to a certificate. While this simplifies access control to domain resources, if misconfigured, malicious attackers could arbitrarily define the SAN and gain privileged access across domains and services within the AD. Additionally, under certain conditions, if a certificate template includes the Any Purpose Extended Key Usage (EKU) attribute or lacks EKU settings, an attacker can abuse it to perform any sensitive action.</p><h4 dir="ltr">NTLM</h4><p dir="ltr">Windows New Technology LAN Manager (NTLM) is an older authentication protocol suite with known vulnerabilities and is considered outdated. Despite this, it is still supported and widely used in order to maintain backward compatibility with legacy systems.</p><p dir="ltr">NTLM authentication produces hash digests of user-supplied credentials. These hash values are then used to satisfy challenges enforced by servers as part of a three-way handshake. An infamous attack against this method of authentication is known as the NTLM Relay attack. In this attack, adversaries position themselves using Man-in-the-Middle (MitM) techniques to sniff network traffic. Because the three-way handshake of the challenge process is transmitted unencrypted, if an attacker is able to intercept a valid challenge response and relay it to the target server, they will be authenticated in place of the legitimate client. 
This completely avoids the need for “cracking” a hash to discover its plaintext equivalent.</p><p dir="ltr">If network devices have open Server Message Block (SMB) ports and signing is either disabled or not enforced, this vantage point can lead to the attacker gaining file system access and code execution on impacted systems.</p><h4 dir="ltr">Kerberos</h4><p dir="ltr"><a href="https://www.techtarget.com/searchsecurity/definition/Kerberos">Kerberos</a> is the latest authentication protocol used in AD, utilizing a number of components in order to identify entities and provide information about the privileges they hold. While this information is provided, the responsibility of verifying resource access falls on the service itself. Kerberos differs from NTLM as it leverages encryption rather than hash digests. It is composed of two main components: Agents and Tickets.</p><p dir="ltr">Agents represent the entities involved. Clients access services that are hosted by Application Servers (AP). Tickets are used to perform actions and are issued by the Key Distribution Center (KDC). The KDC first issues a client a Ticket Granting Ticket (TGT); the client then presents the TGT to the KDC to request tickets for individual services. The tickets used to authenticate to a service are known as Ticket Granting Service (TGS) tickets. Included in the majority of tickets is what is known as a Privilege Attribute Certificate (PAC). The PAC specifies the privileges of the associated user and is signed with the KDC key.</p><p dir="ltr">To facilitate all of this communication, messages are used within the Kerberos environment. Messages contain information such as the username, timestamp, and service, and authentication is achieved through the transmission and processing of messages.</p><p dir="ltr">There are a variety of different attacks against Kerberos, though all seek to gain unauthorized access to services. 
If a malicious attacker is able to obtain tokens such as a user’s hash or session key, Overpass the Hash/Pass the Key attacks can be used to impersonate the victim user. Hashes can be extracted from SAM and NTDS.DIT files as well as from process memory. If an attacker is local and performs a MitM attack to obtain issued tickets, users can also be impersonated in a Pass the Ticket attack. Tickets can also be forged in certain cases when threat actors perform Golden Ticket and Silver Ticket attacks. In addition to all these, account passwords can be cracked in Kerberoasting and ASREPRoast attacks.</p><h4 dir="ltr">DACL</h4><p dir="ltr">Access rights to objects in AD are defined using Access Control Entries (ACE) which define the permissions associated with an entity. Discretionary Access Control Lists (DACL) are then attached to objects and list the ACEs protecting them. If permissions are misconfigured, unauthorized access to resources can occur.</p><p dir="ltr">ACE permission constants that can lead to vulnerabilities include:</p><ul><li dir="ltr">ADS_RIGHT_DELETE (DE): Allows for the deletion of the object.</li><li dir="ltr">ADS_RIGHT_WRITE_DAC (WD): Grants the right to modify the object’s DACL.</li><li dir="ltr">ADS_RIGHT_DS_WRITE_PROP (WP): The right to edit an object’s attributes.</li><li dir="ltr">ADS_RIGHT_DS_CONTROL_ACCESS (CA): Allows for “Extended rights” to be performed.</li><li dir="ltr">User-Force-Change-Password (00299570-246d-11d0-a768-00aa006e0529): This allows for the password protecting the object to be changed without knowledge of the current password.</li></ul><h2 dir="ltr">Internal Network Testing Best Practices</h2><h3 dir="ltr">Careful Scoping</h3><p dir="ltr">Having the right scope is crucial to a successful pentest. The scope you set should align with your testing goals. 
For exhaustiveness, it's best to allow pentesters as much room as possible to move around in your network and include anything they can discover.&nbsp;</p><p dir="ltr">However, with limited resources and time, certain attacks and tests should be prioritized to save time and focus on what's more important. You can also set specific desirable goals for them to focus on, such as gaining access to customer data from an internal account or breaching high-level corporate employees. HackerOne evaluates your assets to accurately determine the appropriate pentest conditions and provides a customized quote tailored to your specific pentest requirements.</p><p dir="ltr">Download the&nbsp;<a href="https://www.hackerone.com/resources/one-pager/pre-pentest-checklist">Pre-Pentest Checklist</a>&nbsp;to address crucial questions before your next pentest.</p><h3 dir="ltr">Skills-Based Tester Matching</h3><p dir="ltr">While traditional consultancies may offer dedicated internal network pentesters, they often rely on generalists with limited specialization. However, for effective internal network testing, it’s crucial to engage experts who understand the complexities of Active Directory, lateral movement in hybrid environments, and the nuances of your specific internal technology stack.</p><p dir="ltr">HackerOne Pentest, delivered through a Pentest as a Service (PTaaS) model, provides access to a global community of elite, vetted security researchers with specialized skills. These experts are proficient in technologies like Active Directory, Kerberos exploitation, NTLM relay attacks, and navigating complex multi-operating system environments. By tracking each researcher's expertise and certifications—ranging from Windows and Linux infrastructure to advanced privilege escalation techniques—HackerOne ensures the most suitable specialists are matched for each engagement. 
This tailored approach results in the discovery of high and critical severity findings that often elude more general approaches, delivering the comprehensive and deep coverage internal networks require.</p><p dir="ltr">With HackerOne's community-driven PTaaS model, customers receive versatile,&nbsp;<a href="https://www.hackerone.com/penetration-testing/modern-pentesting-effectiveness">high-quality results</a>, uniquely aligned with the specific assets and technology stacks present in their internal networks.</p><h2 dir="ltr">Zero Trust Internal Network Access</h2><p dir="ltr">Providing a tester adequate access to an internal network environment can be a tricky and frustrating task. In traditional pentest offerings, this can be a major pain point for both the organization and the testers.&nbsp;</p><p dir="ltr">Security teams may need to reluctantly adjust firewall rules, add additional VPN accounts, and grant access to virtual desktops, compromising their environment’s security to facilitate testing. This has a big impact on pentester productivity, as slow network access, laggy virtual desktops, and cumbersome configurations waste energy and valuable testing time.</p><p dir="ltr">HackerOne's new&nbsp;<a href="https://docs.hackerone.com/en/articles/9648354-gateway-internal-network-testing">Gateway</a> offers a Zero Trust tunnel using Cloudflare's WARP technology to connect pentesters in a secure and fast manner to internal target assets. It uses a client installed on the tester's endpoints that authenticates their identity and device to the private network, and allows customers to easily grant, revoke and audit tester access to applications wherever they are in the world. 
It can be used during an internal network pentest to provision network access for specific internal network ranges, and enable connectivity to any internal services for testing.</p><p dir="ltr">The use of&nbsp;<a href="https://www.hackerone.com/vulnerability-management/clear-and-gateway">Zero Trust Network Access (ZTNA)&nbsp;</a>for pentesting is a rare sight in traditional pentest offerings or even other PTaaS platforms, and greatly enhances both network security and tester productivity during engagements. The HackerOne Gateway offers a significant improvement in performance and security for internal network pentests compared to inconsistent and slow VPNs.</p><p dir="ltr"><a href="https://www.hackerone.com/penetration-testing/gateway-internal-network-testing"><em><strong>Discover how zero trust control enhances internal network testing.</strong></em></a></p><h2 dir="ltr">Case Study: NotPetya</h2><p dir="ltr">In 2017, the Kremlin-linked APT group known as Fancy Bear unleashed the devastating&nbsp;<a href="https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/">NotPetya</a> malware upon its neighboring country Ukraine. The malware overwrote the Master Boot Record of affected systems with a malicious payload. When machines rebooted, the inserted code encrypted the files on the system.</p><p dir="ltr">NotPetya, a&nbsp;<a href="https://www.cisa.gov/news-events/alerts/2017/07/01/petya-ransomware" target="_blank">combination</a> of EternalBlue and EternalRomance (<em>exploits developed by the U.S. NSA and leaked by a group known as the Shadow Brokers</em>), alongside a modified Mimikatz integration, was able to rapidly spread throughout infected networks using lateral movement techniques. 
The custom Mimikatz version allowed attackers to steal Windows credentials and execute all the NTLM and Kerberos attacks discussed earlier.</p><p dir="ltr">Even though the intended target was Ukraine, due to its worming capabilities, NotPetya propagated beyond the confines of Russia’s neighbor, reaching organizations globally within hours.</p><p dir="ltr">Shipping and logistics giant Maersk was hit especially hard. The NotPetya malware, according to Maersk’s CISO Andy Powell, nearly wiped out all online backups of the company’s Active Directory.&nbsp;</p><p dir="ltr">Maersk’s network, which had been brought to its knees within&nbsp;<a href="https://portswigger.net/daily-swig/when-the-screens-went-black-how-notpetya-taught-maersk-to-rely-on-resilience-not-luck-to-mitigate-future-cyber-attacks">seven minutes</a>, was only restored using a backup that had been saved in their Nigerian office due to a power outage. The company reported $300 million in losses following the attack. Globally, NotPetya was responsible for over $10 billion in damages.</p><h2>HackerOne Optimizes Internal Network Pentests Through Community-driven PTaaS</h2><p dir="ltr">By choosing HackerOne as your partner in pentesting, your organization can fully benefit from the&nbsp;<a href="https://www.hackerone.com/product/pentest">community-driven PTaaS model</a>. The HackerOne Platform simplifies pentest requests, asset onboarding, and researcher enlistment, making the process swift and efficient.</p><p dir="ltr">Our community of security researchers brings the expertise needed to thoroughly audit your internal networks for vulnerabilities. You will extend your attack surface coverage and be able to address vulnerabilities arising from a variety of technology stacks. With rapid setup, continuous monitoring, and prompt retesting of fixes, HackerOne safeguards your internal network assets in an ever-changing threat landscape.</p>
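<p dir="ltr">Returning to the DACL section above: the ACE permission constants listed there can be checked mechanically during an internal assessment. The following Python audit is an added example, not code from the post or from HackerOne. It decodes an ACE access mask using the bit values of the Windows SDK ADS_RIGHTS_ENUM (the numeric values are not on the page; they come from the SDK documentation), flags the DE, WD, WP and CA rights when an allow entry grants them to a principal outside a hypothetical trusted set, and recognises the User-Force-Change-Password rightsGuid from the post. The object name, principal names and ACEs are constructed sample data.</p>

```python
from dataclasses import dataclass
from typing import List, Optional, Set

# Access-mask bit values from the Windows SDK ADS_RIGHTS_ENUM (assumption: taken
# from the SDK documentation, not from the post). Abbreviations match the post.
ADS_RIGHT_DELETE = 0x00010000             # DE: delete the object
ADS_RIGHT_WRITE_DAC = 0x00040000          # WD: rewrite the object's DACL
ADS_RIGHT_DS_WRITE_PROP = 0x00000020      # WP: write the object's attributes
ADS_RIGHT_DS_CONTROL_ACCESS = 0x00000100  # CA: perform extended rights

# rightsGuid of the User-Force-Change-Password extended right (from the post).
USER_FORCE_CHANGE_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"

RIGHT_NAMES = {
    ADS_RIGHT_DELETE: "DE",
    ADS_RIGHT_WRITE_DAC: "WD",
    ADS_RIGHT_DS_WRITE_PROP: "WP",
    ADS_RIGHT_DS_CONTROL_ACCESS: "CA",
}

# Hypothetical allow-list: principals expected to hold powerful rights.
TRUSTED_PRINCIPALS = {
    "NT AUTHORITY\\SYSTEM",
    "BUILTIN\\Administrators",
    "CORP\\Domain Admins",
}


@dataclass(frozen=True)
class Ace:
    """One Access Control Entry, simplified to what the audit needs."""
    ace_type: str                      # "allow" or "deny"
    trustee: str                       # principal the entry applies to
    access_mask: int                   # bit set drawn from ADS_RIGHTS_ENUM
    object_type: Optional[str] = None  # rightsGuid scoping CA to one extended right


def decode_rights(mask: int) -> Set[str]:
    """Map an access mask to the abbreviations of the rights it contains."""
    return {name for bit, name in RIGHT_NAMES.items() if mask & bit}


def audit_dacl(obj: str, dacl: List[Ace]) -> List[str]:
    """Return one finding per dangerous right granted to a non-trusted principal.

    Deny entries and entries for trusted principals are skipped. A CA entry with
    no object_type grants every extended right; one scoped to the
    User-Force-Change-Password GUID allows a password reset without the old one.
    """
    findings: List[str] = []
    for ace in dacl:
        if ace.ace_type != "allow" or ace.trustee in TRUSTED_PRINCIPALS:
            continue
        rights = decode_rights(ace.access_mask)
        if "CA" in rights:
            rights.discard("CA")
            if ace.object_type is None:
                findings.append(f"{obj}: {ace.trustee} holds all extended rights (CA)")
            elif ace.object_type.lower() == USER_FORCE_CHANGE_PASSWORD:
                findings.append(f"{obj}: {ace.trustee} can reset the password without "
                                f"knowing it (User-Force-Change-Password)")
        for right in sorted(rights):
            findings.append(f"{obj}: {ace.trustee} holds {right}")
    return findings


# Constructed sample DACL for a hypothetical service account object.
SAMPLE_OBJECT = "CN=svc-backup,OU=Service Accounts,DC=corp,DC=example"
SAMPLE_DACL = [
    Ace("allow", "CORP\\Domain Admins",
        ADS_RIGHT_DELETE | ADS_RIGHT_WRITE_DAC | ADS_RIGHT_DS_WRITE_PROP | ADS_RIGHT_DS_CONTROL_ACCESS),
    Ace("allow", "CORP\\helpdesk", ADS_RIGHT_DS_CONTROL_ACCESS, USER_FORCE_CHANGE_PASSWORD),
    Ace("allow", "CORP\\Authenticated Users", ADS_RIGHT_DS_WRITE_PROP | ADS_RIGHT_WRITE_DAC),
    Ace("deny", "CORP\\contractors", ADS_RIGHT_DELETE),
]


if __name__ == "__main__":
    for line in audit_dacl(SAMPLE_OBJECT, SAMPLE_DACL):
        print(line)
```

<p dir="ltr">On the sample DACL the audit reports three findings: the helpdesk group's scoped reset right, and the WD and WP rights held by Authenticated Users, which together let any domain user rewrite both the object's attributes and its DACL. A real audit would read the security descriptor from the directory and would also expand generic rights such as GENERIC_ALL, which this simplified decoder does not model.</p>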
      

            
            <a href="https://www.hackerone.com/blog/topic/penetration-testing" hreflang="en">Penetration Testing</a>
        
    

            <p>Even if your internal network is shielded by firewalls and virtual private networks (VPNs) that isolate it from the open internet, it remains vulnerable to threats. If not properly secured, internal networks can be compromised by threat actors such as nation-state advanced persistent threat (APT) groups, ransomware gangs, or malicious insiders. With limited or no segmentation, these networks offer a direct path for attackers to move laterally, escalate privileges, and ultimately access your most sensitive data. To safeguard internal networks, HackerOne offers a methodology-driven penetration testing (pentesting) solution delivered via a Pentest as a Service (PTaaS) model. This approach connects organizations with&nbsp;<a href="https://docs.hackerone.com/en/articles/8538639-pentester-selection-and-vetting-process">a heavily vetted cohort of a global ethical hacker community</a> for comprehensive, end-to-end pentesting.</p>
      ]]></description>
  <pubDate>Wed, 09 Oct 2024 14:09:51 +0000</pubDate>
    <dc:creator>h1_admin</dc:creator>
    <guid isPermaLink="false">5429 at https://www.hackerone.com</guid>
    </item>
<item>
  <title>How an IDOR Vulnerability Led to User Profile Modification</title>
  <link>https://www.hackerone.com/blog/how-idor-vulnerability-led-user-profile-modification</link>
  <description><![CDATA[<span class="field field--name-title field--type-string field--label-hidden">How an IDOR Vulnerability Led to User Profile Modification</span>
    



    
        Andrew Pratt
        
            Security Researcher
      
    


<span class="field field--name-uid field--type-entity-reference field--label-hidden"><span>h1_admin</span></span>
<span class="field field--name-created field--type-created field--label-hidden">Tue, 10/08/2024 - 12:47
</span>

            
  
      
  
                



          

  

      
            October 8th, 2024

      
            <p dir="ltr">According to the&nbsp;<a href="https://www.hackerone.com/reports/7th-annual-hacker-powered-security-report">7th Annual Hacker-Powered Security Report</a>, IDOR makes up 7% of the vulnerabilities reported via the HackerOne platform. Government agencies and automotive organizations saw particularly&nbsp;high incidences of IDOR reports, making up 15% of reports to government agencies and 11% of reports in the automotive sector.&nbsp;</p><p dir="ltr">IDOR vulnerabilities can arise in a variety of components, including:</p><h3 dir="ltr">URL Query Parameters</h3><p dir="ltr">Resources that are associated with query parameters in a URL address can be easily modified by end-users. For example:</p>https://example.com/account?id=3<p dir="ltr">By simply changing the numerical value of the&nbsp;id parameter that specifies which user account is displayed, a user could access the account of any other user, as long as the supplied number was associated with an account. This occurs when the access control checks that should validate the user's permissions are missing. Without rate limiting, automated tooling could iterate through a massive quantity of potential numerical values in a short amount of time.</p><p dir="ltr">Filenames can also be a possible attack vector for IDOR vulnerability exploitation. They can either be referenced directly for files within the same directory or, with the use of&nbsp;<strong>directory traversal</strong> techniques (<em>or simply supplying the absolute path</em>), the entire file system can be exposed.</p><h3 dir="ltr">HTTP Requests</h3><p dir="ltr">Hypertext Transfer Protocol (HTTP) requests contain multiple different elements that could lead to IDOR exploitation, such as:</p><p dir="ltr"><strong>Headers:</strong> Request headers such as Cookie serve as user identifiers so that user-specific resources can be served. If the values lack sufficient entropy, valid values can be easily guessed. 
To illustrate, the following example uses a&nbsp;sessionid cookie with a length of only six characters. If every&nbsp;sessionid&nbsp;adheres to the same format of three lowercase letters with numbers populating the last three indices, the total number of possible unique combinations is 17,576,000. Again, without the protections offered by rate limiting, massive quantities of requests could be sent using automated tooling to enumerate active user sessions, leading to account takeover.</p>GET /uploads HTTP/1.1<br>Host: example.com<br>Cookie: sessionid=abc123<p dir="ltr"><strong>Body Data:</strong> Body data, in any of its encodings, can contain vulnerable parameters. For instance, the following form submission request to change the email address associated with an account could be exploited by malicious attackers to gain control over a victim account:</p>POST /change-account-email HTTP/1.1<br>Host: example.com<br>Content-Type: application/x-www-form-urlencoded<br>Content-Length:&nbsp;44<br><br>username=johndoe&amp;email=johndoe%40example.com<p dir="ltr">JSON data sent in API requests can also be a vulnerability source:</p>POST /api/v2/user-data HTTP/1.1<br>Host: example.com<br>Content-Type: application/json<br>Content-Length:&nbsp;64<br><br>{<br>&nbsp; "username":&nbsp;"johndoe",<br>&nbsp; "email":&nbsp;"johndoe@example.com"<br>}<h3 dir="ltr">HTTP Responses</h3><p dir="ltr">Responses can also include vulnerable headers and body data. For example, consider a web application using feature flags in order to display different elements of the user interface depending on the user’s role. Match-and-replace rules in an intercepting proxy could be used to exploit an IDOR vulnerability of this kind. 
The HTML file served in the response could contain a parameter similar to the following:</p>&lt;script&gt;<br>&nbsp; &nbsp; window.appContext =&nbsp;"/portal";<br>&nbsp; &nbsp; window.dataPreload =&nbsp;"{\"isAdmin\":false}";<br>&lt;/script&gt;<p dir="ltr">Setting the value of&nbsp;isAdmin to&nbsp;true may enable portions of the user interface that are only intended for legitimate website administrators.</p><h2 dir="ltr">The Exploit</h2><p dir="ltr">On September 27th, 2022, security researcher&nbsp;<a href="https://hackerone.com/reachaxis?type=user">reachaxis</a> submitted a&nbsp;<a href="https://hackerone.com/reports/1714638">report</a> describing an IDOR vulnerability they discovered on&nbsp;<strong>https://mtnmobad.mtnbusiness.com.ng/</strong>. Due to a lack of authorization verification, remote users were able to alter the account information of any other user.</p><p dir="ltr">The information that could be changed included the username, company name, address, company size, and, critically, the mobile phone number of the associated account.</p><p dir="ltr">As this web application provided accounts for advertising partners, an attacker could have impersonated the affected company, to its detriment, using the supplied phone number. Due to this, the finding was rated as Critical in severity.</p><h3 dir="ltr">Steps to Reproduce</h3><p>1. Two accounts were created: one representative of the victim and the other assuming the role of an attacker.</p><p>2. Both accounts were logged into using separate browsers to avoid session conflict issues.</p><p>3. In the response to the POST request made to the&nbsp;<strong>/app/dashboardData</strong> endpoint, the account&nbsp;id<strong>&nbsp;</strong>&nbsp;and&nbsp;email associated with other accounts could be obtained.</p><p>4. The form used to update account information was located at&nbsp;<strong>https://mtnmobad.mtnbusiness.com.ng/#/UserProfile</strong>. 
Submitting the form generated a request to the&nbsp;<strong>/app/updateUser&nbsp;</strong>endpoint.</p><p>5. By submitting the form in the attacker’s session and intercepting the subsequent request to&nbsp;<strong>/app/updateUser</strong> using an HTTP proxy tool, the request could be modified.</p>POST /app/updateUser HTTP/1.1<br>Host: mtnmobad.mtnbusiness.com.ng<br>--snip--<br>&nbsp; "updates":[<br>&nbsp; &nbsp; {<br>&nbsp; &nbsp; &nbsp; "param":"user",<br>&nbsp; &nbsp; &nbsp; "value":{<br>&nbsp; &nbsp; &nbsp; &nbsp; "id":"/333",<br>&nbsp; &nbsp; &nbsp; &nbsp; "contact":{<br>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; "name":"ABC",<br>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; "address":"ABC",<br>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; "mobile":"0000000123",<br>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; "email":"attacker@example.com"<br>&nbsp; &nbsp; &nbsp; &nbsp; },<br>&nbsp; &nbsp; &nbsp; &nbsp; "companyName":"ABC",<br>&nbsp; &nbsp; &nbsp; &nbsp; "companySize":"&lt;50"<br>&nbsp; &nbsp; &nbsp; },<br>&nbsp; &nbsp; &nbsp; "op":"a"<br>&nbsp; &nbsp; }<br>&nbsp; ],<br>--snip--<p>6. 
By replacing the account ID and&nbsp;email to match the victim’s, the username, company name, address, company size, and mobile phone number associated with the victim's account could be changed to arbitrary values.</p>HTTP/1.1&nbsp;200 OK<br>Server: nginx/1.4.6 (Ubuntu)<br>--snip--<br><br>{<br>&nbsp; "error":false,<br>&nbsp; "response":{<br>&nbsp; &nbsp; "_index":"account",<br>&nbsp; &nbsp; "_type":"Account",<br>&nbsp; &nbsp; "_id":"/888",<br>&nbsp; &nbsp; "_version":13,<br>&nbsp; &nbsp; "result":"updated",<br>&nbsp; &nbsp; "_shards":{<br>&nbsp; &nbsp; &nbsp; "total":2,<br>&nbsp; &nbsp; &nbsp; "successful":1,<br>&nbsp; &nbsp; &nbsp; "failed":0<br>&nbsp; &nbsp; },<br>--snip--<h2 dir="ltr">Protecting Against IDOR Attacks</h2><p dir="ltr">As IDOR vulnerabilities are considered to be a subset of access control vulnerabilities, the implementation of proper authorization mechanisms could have prevented this vulnerability.</p><p dir="ltr">The disclosure of sensitive data, such as the account identifier and email address of other accounts, to all users was key in exploiting this vulnerability. Without knowing the email address associated with the victim's account, an adversary would have had a much more difficult time exploiting this vulnerability.</p><p dir="ltr">On the other hand, had the attacker only known the email address of the victim's account, it is worth noting that the account identifier was only three digits in length, meaning there were only 1,000 possible unique combinations. If an attacker supplied a valid email address, by utilizing automated tooling, the matching account identifier could have been discovered in a very short amount of time.</p><p dir="ltr">To remediate IDOR vulnerabilities that arise in a similar nature, the following best practices should be adhered to:</p><ul><li dir="ltr">Automated tooling should not be relied upon solely to identify possible IDOR vulnerabilities. 
Manual review is the best method to identify areas of your application that can be a source of these issues, as a deep understanding of the underlying logic of your application is required.</li><li dir="ltr">Developers should avoid publicly displaying references to objects; in this case, it only required the enumeration of two objects (<em>the target id and email</em>) in order to carry out an attack.</li><li dir="ltr">Any references to resources should be cryptographically strong random values rather than short-length numerical, possibly sequential, values. These obfuscated values can then be mapped back to their original reference so the application can match the two. Note that this is considered a defense-in-depth measure and should not be relied upon solely.</li><li dir="ltr">In order to counter automated tooling, rate limit protections can be integrated to ensure requests are processed at a rate realistic to normal user activity levels.</li><li dir="ltr">Enforce authorization checks to verify that only the correct users access the resources intended for them. By correlating the appropriate resources to a user’s session, unauthorized access to additional resources can be mitigated. Most web frameworks provide built-in mechanisms that facilitate this.</li></ul><h2 dir="ltr">Conclusion</h2><p dir="ltr">The presence of IDOR vulnerabilities can lead to severe consequences for an organization and its users. By adhering to security best practices, the risk of falling victim to an attack of this type can be greatly reduced. By understanding how they occur and how they are exploited, you and your team will be able to identify potential conditions that would result in an IDOR vulnerability.</p>
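<p dir="ltr">The remediation guidance above, carried into code as an added example that is not from the post and not the affected application's code: a minimal update handler in the flawed shape (the account id is read from the request body and trusted) beside a hardened one that binds the object to the session, refuses any foreign id, allow-lists the writable fields, and hands out random handles in place of short sequential ids. The account store, session table, field names and sample values are constructed for the example.</p>

```python
import secrets
from typing import Dict, Optional

# Constructed in-memory store standing in for the application's account table.
# Identifiers and e-mail addresses are placeholders, not values from the report.
ACCOUNTS: Dict[str, dict] = {
    "/333": {"email": "attacker@example.com",
             "contact": {"name": "Attacker", "address": "A St", "mobile": "0000000123"}},
    "/888": {"email": "victim@example.com",
             "contact": {"name": "Victim", "address": "V St", "mobile": "0000000888"}},
}
# Session token -> account id, as the server holds it after login (constructed).
SESSIONS: Dict[str, str] = {"sess-attacker": "/333", "sess-victim": "/888"}

# Fields a user is allowed to change on their own contact record (assumption).
EDITABLE_CONTACT_FIELDS = {"name", "address", "mobile"}


class Forbidden(Exception):
    """Raised when a request is not authorised for the object it references."""


def update_user_vulnerable(session_id: str, body: dict) -> dict:
    """IDOR pattern: the object id is taken from the request body and trusted.

    Any authenticated session can therefore rewrite any account.
    """
    if session_id not in SESSIONS:
        raise Forbidden("not authenticated")
    account_id = body["id"]               # client-controlled object reference
    ACCOUNTS[account_id]["contact"].update(body["contact"])
    return {"error": False, "_id": account_id, "result": "updated"}


def update_user_fixed(session_id: str, body: dict) -> dict:
    """Hardened handler: the target object is bound to the session.

    An id in the body is accepted only when it matches the caller's own
    account, and only allow-listed contact fields are written.
    """
    account_id = SESSIONS.get(session_id)
    if account_id is None:
        raise Forbidden("not authenticated")
    if body.get("id", account_id) != account_id:
        raise Forbidden("object reference does not belong to this session")
    allowed = {k: v for k, v in body.get("contact", {}).items()
               if k in EDITABLE_CONTACT_FIELDS}
    ACCOUNTS[account_id]["contact"].update(allowed)
    return {"error": False, "_id": account_id, "result": "updated"}


# Defence in depth: expose 128-bit random handles instead of short sequential
# ids, so a guessed three-digit reference is not a usable one.
_PUBLIC_TO_INTERNAL: Dict[str, str] = {}
_INTERNAL_TO_PUBLIC: Dict[str, str] = {}


def public_handle(account_id: str) -> str:
    """Return the opaque handle for an internal id, minting one on first use."""
    if account_id not in _INTERNAL_TO_PUBLIC:
        handle = secrets.token_urlsafe(16)
        _INTERNAL_TO_PUBLIC[account_id] = handle
        _PUBLIC_TO_INTERNAL[handle] = account_id
    return _INTERNAL_TO_PUBLIC[account_id]


def resolve_handle(handle: str) -> Optional[str]:
    """Map an opaque handle back to the internal id, or None if unknown."""
    return _PUBLIC_TO_INTERNAL.get(handle)


if __name__ == "__main__":
    tampered = {"id": "/888", "contact": {"mobile": "0000000123"}}
    print(update_user_vulnerable("sess-attacker", tampered))  # victim's mobile rewritten
    try:
        update_user_fixed("sess-attacker", tampered)
    except Forbidden as exc:
        print("refused:", exc)
```

<p dir="ltr">The decisive difference is where the object reference comes from: the hardened handler derives it from the authenticated session and treats a client-supplied id as something to verify, not to act on. The opaque handle layer only raises the cost of guessing; the session-bound authorization check is what actually closes the IDOR.</p>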
      

            
            <a href="https://www.hackerone.com/blog/topic/vulnerability-management" hreflang="en">Vulnerability Management</a>
        
            
            <a href="https://www.hackerone.com/blog/topic/penetration-testing" hreflang="en">Penetration Testing</a>
        
    

            <p>Applications can be compromised when access to resources (objects) is accomplished with the use of identifiers that are exposed to end-users. Without proper access controls, this exposure can lead to end-users modifying the identifier and gaining unauthorized access to resources not intended for them. This type of vulnerability is known as an Insecure Direct Object Reference (IDOR).</p>
      ]]></description>
  <pubDate>Tue, 08 Oct 2024 17:47:05 +0000</pubDate>
    <dc:creator>h1_admin</dc:creator>
    <guid isPermaLink="false">5428 at https://www.hackerone.com</guid>
    </item>
<item>
  <title>You're Doing Pentesting Wrong</title>
  <link>https://www.hackerone.com/blog/youre-doing-pentesting-wrong</link>
  <description><![CDATA[<span class="field field--name-title field--type-string field--label-hidden">You're Doing Pentesting Wrong</span>
    



    
        Spencer Chin
        
            Senior Manager, Sales Engineering
      
    


<span class="field field--name-uid field--type-entity-reference field--label-hidden"><span>h1_admin</span></span>
<span class="field field--name-created field--type-created field--label-hidden">Wed, 08/30/2023 - 13:39
</span>

            
  
      
  
                



          

  

      
            September 30th, 2024

      
            <p>Pentesting has been around for decades, but it hasn’t undergone the revolution that other security practices have. Organizations tend to rely on pentesting as a tool to just “check-the-box” for compliance, rather than something that actually protects their brand and customers.</p><p>Traditional pentesting engagements are slow, take up excessive bandwidth, and don’t deliver impactful results. In this blog, I will look at the common mistakes organizations make with their pentests and show how by leveraging the power of the pentester community and the efficiency of a <a href="https://www.hackerone.com/product/pentest">Pentest as a Service (PTaaS) platform</a>, pentesting can add real value to your organization.</p><h2>Problem 1: Pentesters Are Inexperienced</h2><p>When customers tell me about their experiences with traditional vendors, they mention that they often don’t get an entire team of experienced pentesters. More often than not, they get a team mostly composed of junior pentesters with limited experience who work with a more senior pentester with more experience. As a result, the senior pentester is forced to split their time between testing, teaching, and reporting, and the customer doesn’t get the full value.&nbsp;</p><p>HackerOne pentesters are an elite subset of our community that is hand-selected and vetted by our Community team. As part of the vetting process, the Community team evaluates their past professional pentest experience, their performance on other HackerOne programs, and their certifications and other credentials. 
Due to the high standards we maintain for our pentesters, <strong>65% of our community has over 5 years of experience with pentesting.</strong> This means that our customers are getting experienced, credentialed testers with every pentest.</p><h2>Problem 2: Pentesting Is Too Checklist-Driven</h2><p>Pentesting is methodology-driven by nature, but oftentimes traditional pentest firms are more focused on moving through a checklist than actually finding vulnerabilities. Because most of our Pentest Community also participates in <a href="https://www.hackerone.com/product/bug-bounty-platform">Bug Bounty Programs</a>, they are used to thinking like a real-world adversary and identifying hard-to-find vulnerabilities in your systems before criminals do. We also encourage this creativity by budgeting unstructured testing time to go alongside the time budgeted for the HackerOne pentest methodology.</p><h2>Problem 3: Limited Pool of Talent</h2><p>Customers are used to rotating traditional pentest vendors in order to get a fresh perspective on the assets they are testing. This is because these vendors typically don’t have a deep bench of talent, meaning the only way to get a new perspective is to bring in another vendor. However, bringing on other vendors means that the security team has to spend time getting them onboarded and reduces their focus on improving the security of their products.</p><p>Because of HackerOne’s community model, we have hundreds of pentesters on our bench. This means that our customers can rotate pentesters to get a fresh perspective, without needing to onboard another vendor. Because of the depth and breadth of talent among our pentesters, they have a broad range of experience across many different types of assets and vulnerability classes. This means that we can source the right talent for our customer’s tests in a short period of time. 
By leveraging experienced security researchers for pentesting, <strong>20% of HackerOne vulnerability findings in a pentest are high or critical severity</strong>, which is roughly double the industry standard.</p><h2>Problem 4: Slow Time To Results</h2><p>Organizations are often frustrated with the amount of time it can take to kick off a pentesting program and receive tangible results.&nbsp;</p><p>The time it takes to identify and report vulnerabilities is one of the most common complaints of pentesting. Industry-standard pentests take at least two weeks after the pentest concludes to get results together and deliver them to the customer. With HackerOne’s pentests:</p><p>Because of our PTaaS platform, customers also receive these vulnerability findings in real time. This means that oftentimes they have remediated the vulnerability and had it retested by the time that the pentest concludes.</p><h2>Problem 5: No Visibility Throughout The Process</h2><p>Another consistent shortcoming of pentesting is the lack of visibility into real-time activity and results. Many organizations don’t have access to a centralized location through which to view performance and communicate with pentesters.</p><p>Our community of pentesters reports their findings using the HackerOne PTaaS platform. The platform gives our customers real-time visibility into the progress of each pentest, so that they understand where a pentest is at any given point in time. Customers also manage all aspects of their pentest engagements through the platform, from scoping to testing and reporting to remediation. This makes it very easy for our customers to launch a pentest quickly because it is all done out of the platform, rather than coordinated via back-and-forth emails.</p><h2>Problem 6: Lack of Communication With Pentesters</h2><p>A traditional pentest tends to be a black box in the sense that there is very little communication that happens throughout the test. 
The test kicks off and runs for a few weeks, concludes, and then a report is delivered a couple of weeks after that.</p><p>With HackerOne’s Pentest, those responsible for their organization’s pentests have a direct line of communication with both the pentesters and our Technical Engagement Managers, who manage the pentest, via Slack. You get regular status updates from your pentest team, and the open communication helps the tests run efficiently.</p><h2>Problem 7: Pentesting Isn’t Integrated With Remediation</h2><p>Even with a streamlined platform and communication with pentesters, the results are only as good as an organization’s ability to quickly and efficiently address vulnerabilities. This requires thoughtful integrations into ongoing tools and processes.</p><p>For organizations that want to integrate with their ticketing systems and other <a href="https://www.hackerone.com/vulnerability-management/security-advisory-services-sdlc">SDLC tools</a>, the platform offers over 20 bidirectional, purpose-built integrations, plus APIs to add more. This helps streamline the remediation process: no more copying and pasting vulnerabilities from a PDF report in order to get them to your development team for a fix!</p><h2>Combine the Convenience of PTaaS With the Power of the Pentest Community</h2><p>Combining the security expertise of our pentester community with the efficiencies of our PTaaS platform reduces threat exposure across your attack surface. Perhaps most importantly, we find customers really value the direct engagement and practical knowledge that comes from working with our skilled pentesters. It energizes and educates security teams because it’s a very interactive and transparent process.</p><p>If you’d like to see how our pentesters can uplevel your pentest program or your broader security program, <a href="https://www.hackerone.com/contact">reach out to the team at HackerOne</a>.</p>
      

            
            <a href="https://www.hackerone.com/blog/topic/penetration-testing" hreflang="en">Penetration Testing</a>
        
    

            <p>Pentesting is overdue for a refresh.</p>
      ]]></description>
  <pubDate>Wed, 30 Aug 2023 18:39:04 +0000</pubDate>
    <dc:creator>h1_admin</dc:creator>
    <guid isPermaLink="false">5266 at https://www.hackerone.com</guid>
    </item>
<item>
  <title>Pentesting for iOS Mobile Applications</title>
  <link>https://www.hackerone.com/blog/pentesting-ios-mobile-applications</link>
  <description><![CDATA[<span class="field field--name-title field--type-string field--label-hidden">Pentesting for iOS Mobile Applications</span>
    



    
        Paul De
        
            Technical Engagement Manager
      
    


<span class="field field--name-uid field--type-entity-reference field--label-hidden"><span>h1_admin</span></span>
<span class="field field--name-created field--type-created field--label-hidden">Thu, 08/29/2024 - 13:30
</span>

            
  
      
  
            August 29th, 2024

      
            <p dir="ltr">Pentest reports are a requirement for many security compliance certifications (such as&nbsp;<a href="https://www.hackerone.com/security-compliance/gdpr-pentesting">GDPR&nbsp;</a>and&nbsp;<a href="https://www.hackerone.com/security-compliance/hipaa-pentesting">HIPAA</a>), and having regular pentest reports on hand can also signal to high-value customers that you care about the security of your mobile applications, boosting customer trust and brand loyalty.</p><p dir="ltr">In this blog, we’ll cover some of the most important aspects of pentesting for iOS mobile applications. Jump to a topic using the links below:</p><ul><li dir="ltr"><a href="#methodologies">iOS Testing Methodologies</a></li><li dir="ltr"><a href="#vulnerabilities">Common iOS Vulnerabilities</a></li><li dir="ltr"><a href="#practices">iOS Pentesting Best Practices</a></li><li dir="ltr"><a href="#doorbell">Case Study: Doorbell Camera App Leaks User Location</a></li></ul><h2 id="methodologies">iOS Testing Methodologies</h2><p dir="ltr">HackerOne's iOS testing methodologies are informed by established standards such as the&nbsp;<a href="https://pentest-standard.readthedocs.io/en/latest/" target="_blank">PTES</a>,&nbsp;<a href="https://owasp.org/www-project-mobile-top-10/" target="_blank">OWASP Mobile Top 10</a>, and the OWASP Mobile Application Security Testing Guide (<a href="https://mas.owasp.org/MASTG/" target="_blank">MASTG</a>). Additionally, our testing processes adhere to the standards required for&nbsp;<a href="https://www.hackerone.com/security-compliance/crest-pentesting">CREST</a> certification/accreditation, ensuring comprehensive and reliable assessments across various application types, including mobile applications.</p><p dir="ltr">Our methodology is continuously evolving to ensure comprehensive coverage for each pentesting engagement. 
This approach stems from:</p><ul><li dir="ltr">Consultations with both internal and external industry experts.</li><li dir="ltr">Leveraging and adhering to recognized industry standards.</li><li dir="ltr">Incorporating feedback and insights from our pentesters, who bring valuable experience from their full-time roles outside of HackerOne, enabling us to deliver highly technical, in-depth testing.</li><li dir="ltr">Gleaning insights from a vast array of global customer programs, spanning both time-bound and ongoing engagements.</li><li dir="ltr">Detailed analysis of millions of vulnerability reports we receive through our platform (see the&nbsp;<a href="https://hackerone.com/hacktivity/overview">Hacktivity page</a> for details).</li></ul><p dir="ltr">Threats are constantly evolving, so our methodology can't remain stagnant. HackerOne’s Delivery team, including experienced <a href="https://docs.hackerone.com/en/articles/8541431-your-pentest-team">Technical Engagement Managers</a> (TEMs), constantly refines and adapts the methodology based on feedback and real-world experiences, delivering unparalleled security assurance.</p><h2 id="vulnerabilities">Common iOS Vulnerabilities</h2><h3>Improper Credential Usage</h3><p dir="ltr"><a href="https://www.hackerone.com/engineering/credentials-rotation">Improper credential usage</a> is very common in mobile applications, particularly those with backend APIs or databases that require authentication. This often results in credentials being hardcoded within the application. Improper credential usage also includes the insecure transmission of authentication materials, such as the lack of TLS encryption during transit, and the insecure storage of user credentials, such as failing to use the iOS sandbox model to secure data access against other apps.</p><p dir="ltr">For example, hardcoded API keys like AWS access keys or Google Maps API keys can be easily extracted from the application package. 
An attacker who obtains these keys could interact with backend services, potentially exposing sensitive data about other users, initiating unauthorized transactions, or even compromising the organization’s cloud infrastructure. If an AWS key is exposed, the attacker could gain access to cloud resources, modify configurations, or extract critical data, leading to significant financial and reputational damage.</p><p dir="ltr">Additionally, some applications store sensitive information, like OAuth tokens or user credentials, in insecure storage areas such as plain text files or unprotected databases. Mobile malware can exploit these weaknesses to harvest credentials, allowing attackers to impersonate users or gain unauthorized access to private information, leading to data breaches or identity theft.</p><p dir="ltr">Testing for improper credential usage is straightforward and typically involves scanning extracted application files for secrets, analyzing the source code for where credentials are transmitted or stored, and checking for the use of secure channels like TLS. This vulnerability is particularly prevalent in untested applications, where significant credential misuse is often uncovered during the first test. The discovery of hardcoded credentials, insecure storage practices, and unencrypted transmission underscores the critical importance of regular pentesting for mobile applications.</p><h3>Insecure Authentication or Authorization</h3><p dir="ltr">Mobile applications often serve as a front end for APIs and web services, making insecure authentication or authorization issues prevalent. If a mobile app acts as an authorized agent to query backend data without proper security, an attacker could mimic this interaction to access sensitive data or execute actions anonymously. 
This risk increases when the associated API is also in scope, as vulnerabilities in the API can directly affect the mobile app's security.</p><p dir="ltr">Third-party authentication mechanisms, like signing in with Apple ID or social media accounts, introduce additional attack surfaces, particularly in account creation and recovery flows. For example, flaws in OAuth implementation or token validation could allow unauthorized access.</p><p dir="ltr">Mobile apps may also include local authentication methods, such as user-specified PINs or passwords. Vulnerabilities in app logic or misuse of iOS native APIs could lead to bypassing these protections. Ensuring both local and remote access controls are tested and secured is crucial.</p><h3>Inadequate Privacy Controls</h3><p dir="ltr">Getting privacy right is important, but even more so on mobile applications, as mobile devices contain a lot of Personally Identifiable Information (PII). Operating systems like iOS place a strong emphasis on privacy, constantly updating their <a href="https://www.apple.com/au/privacy/control/" target="_blank">controls</a> to ensure that data access is granted only with explicit user consent. If your application isn’t tested for compliance with legal privacy regulations like GDPR, CCPA, or emerging laws such as India’s Digital Personal Data Protection Act (<a href="https://www.globalprivacyblog.com/2023/12/indias-digital-personal-data-protection-act-2023-vs-the-gdpr-a-comparison/" target="_blank">DPDPA</a>), it could face regulatory penalties or struggle to access the data necessary for its functionality.</p><p dir="ltr">Inadequate privacy controls can also intersect with other vulnerabilities, such as insecure authentication or authorization, or improper storage of credentials. For example, if broken access controls in the backend API allow a user to access another user’s sensitive data, or if sensitive data is improperly cached on the device, it could lead to a serious data breach. 
Such incidents not only violate privacy regulations but can also severely damage an organization’s reputation.</p><p dir="ltr">We've seen reports of specific privacy-impacting vulnerabilities, including improper handling of OAuth tokens, lack of encryption for sensitive data stored on devices, and insufficient user consent mechanisms for accessing personal data. Addressing privacy control issues requires expert knowledge of mobile operating systems, application data handling, privacy policies, and relevant regulatory frameworks. Testing for these issues is crucial to ensure compliance and protect user data.</p><h2 id="practices">iOS Best Practices</h2><h3>Careful Scoping</h3><p dir="ltr">Having the right scope is crucial to a successful pentest—what is being tested can be just as important as how it is done. Modern iOS applications can be complex, with various features, frameworks, APIs, and integrations.</p><p dir="ltr">With limited time and resources for each pentest, selecting critical targets within the iOS application can make the difference between a low-value report and a successful pentest with high-impact findings. For instance, focusing on testing complex authentication mechanisms, data storage, inter-app communication, and the APIs that the iOS app interfaces with can yield more significant results than testing superficial UI elements. 
HackerOne evaluates your assets to accurately determine the needed pentest size and provides a customized quote tailored to your specific pentest requirements.</p><p dir="ltr"><em><strong>Read the Pre-Pentest Checklist Series&nbsp;</strong></em><a href="https://www.hackerone.com/penetration-testing/pre-pentest-checklist-part1"><em><strong>Part 1</strong></em></a><em><strong> and&nbsp;</strong></em><a href="https://www.hackerone.com/penetration-testing/pre-pentest-checklist-part2"><em><strong>Part 2&nbsp;to address crucial questions before your next pentest</strong></em></a><em><strong>.</strong></em></p><h3>Skills-Based Tester Matching</h3><p dir="ltr">Traditional consultancies often rely on in-house pentesters with general skills. However, iOS pentesting requires specialized knowledge of iOS architecture, Swift/Objective-C coding, and mobile security practices, which many firms lack.</p><p dir="ltr">With HackerOne Pentest, delivered via a Pentest as a Service (PTaaS) model, customers gain access to a diverse pool of elite, vetted security researchers who bring a wide range of skills, certifications, and experience. The HackerOne platform keeps track of each researcher's skill set based on their track record and matches the most suitable researchers for each engagement. The community-driven PTaaS approach delivers comprehensive coverage, versatility, and&nbsp;<a href="https://www.hackerone.com/penetration-testing/modern-pentesting-effectiveness">the highest-quality results&nbsp;</a>tailored to the types of assets and technology stacks of your mobile applications.&nbsp;&nbsp;</p><h2 id="doorbell">Case Study: Doorbell Camera App Leaks User Location</h2><p dir="ltr">Amazon's Ring Neighbours app allows users to publicly share Ring camera feeds online. In 2021, the organization had a data breach that<a href="https://techcrunch.com/2021/01/14/ring-neighbors-exposed-locations-addresses/" target="_blank"> leaked the precise location and home address</a> of its users. 
Although the precise location was not visible in the application, the underlying API responses of the users' posts leaked the longitude, latitude and home addresses of users who posted through the app. Even though not all posts were displayed to the user, the ID number of each post was incremental — meaning that an attacker could query the same API for all existing posts by changing the post number, and get more sensitive data. At the time, there were about 4 million posts in total; that's a lot of home addresses.</p><p dir="ltr">Inspecting and manipulating API requests is often the first or second step taken in a mobile application pentest, meaning that given a thorough pentest of this mobile application, the vulnerability would've easily been found and the data breach avoided. Privacy issues like these have been found and disclosed on HackerOne's programs, such as when Nextcloud's mobile application leaked&nbsp;<a href="https://hackerone.com/reports/1167919">file search records to the server during a local search</a>, or the&nbsp;<a href="https://hackerone.com/reports/781238">lack of anonymization of analytics data</a> on the Nord VPN app.</p><p dir="ltr">Both of those reports demonstrated that the researcher had an in-depth understanding of the application's data and privacy model, and hackers like them will be pentesting iOS applications for your organization.</p><h2 id="why">Why HackerOne is the Best Option for iOS Pentests</h2><p dir="ltr">By choosing HackerOne as your partner in pentesting, your organization can fully benefit from the <a href="https://www.hackerone.com/product/pentest">community-driven PTaaS model</a>. 
The HackerOne Platform simplifies pentest requests, asset onboarding, and researcher enlistment, making the process swift and efficient.&nbsp;</p><p dir="ltr">Our community of iOS experts brings deep knowledge of Apple's ecosystem, Swift, Objective-C, and the iOS platform, providing comprehensive coverage of&nbsp;<a href="https://owasp.org/www-project-mobile-top-10/" target="_blank">OWASP Mobile Top 10</a> risks and additional concerns like app extension vulnerabilities and iCloud data syncing issues. Utilizing advanced tools such as Frida and Objection, manual testing techniques, and custom scripts, HackerOne Pentests simulate real-world attack scenarios going beyond automated scans.&nbsp;</p><p dir="ltr">HackerOne's pentest reports help executives and cybersecurity engineers harden iOS apps against breaches that could lead to fines or penalties under GDPR and CCPA. Our iOS pentests offer critical protection in an evolving threat landscape by providing guidance on implementing Apple's latest security features. With the rapid setup, effective assessments, and prompt retesting, HackerOne supports organizations in reducing breach risks and helping fulfill compliance.</p><p dir="ltr">With the right blend of crowdsourced security, technical expertise, and technology, HackerOne is the ideal choice for your iOS mobile application pentests. To learn more or get started on your first pentest with HackerOne, <a href="https://www.hackerone.com/contact">contact our team of experts today.</a></p>
      

            
            <a href="https://www.hackerone.com/blog/topic/application-security" hreflang="en">Application Security</a>
        
            
            <a href="https://www.hackerone.com/blog/topic/penetration-testing" hreflang="en">Penetration Testing</a>
        
    

            <p dir="ltr">From private messaging to mobile banking, billions of people around the world rely on iOS applications to provide real-time access to services while protecting their most sensitive data — data highly sought after by attackers. To safeguard these applications, HackerOne offers a methodology-driven penetration testing (pentesting) solution delivered via a Pentest as a Service (PTaaS) model. This approach connects organizations with&nbsp;<a href="https://docs.hackerone.com/en/articles/8538639-pentester-selection-and-vetting-process">a heavily vetted cohort of a global ethical hacker community</a> for comprehensive, end-to-end pentesting. Frequently performing dedicated pentesting, using a community-driven PTaaS is crucial to finding vulnerabilities in your mobile applications and quickly remediating them to reduce risk.</p>
      ]]></description>
  <pubDate>Thu, 29 Aug 2024 18:30:11 +0000</pubDate>
    <dc:creator>h1_admin</dc:creator>
    <guid isPermaLink="false">5413 at https://www.hackerone.com</guid>
    </item>
<item>
  <title>Introducing HackerOne Gateway Internal Network Testing: Superior Security for Internal Networks</title>
  <link>https://www.hackerone.com/blog/introducing-hackerone-gateway-internal-network-testing-superior-security-internal-networks</link>
  <description><![CDATA[<span class="field field--name-title field--type-string field--label-hidden">Introducing HackerOne Gateway Internal Network Testing: Superior Security for Internal Networks</span>
    



    
        Naz Bozdemir
        
            Senior Product Manager
      
    


    



    
        Caroline Collins
        
            Senior Product Manager
      
    


<span class="field field--name-uid field--type-entity-reference field--label-hidden"><span>h1_admin</span></span>
<span class="field field--name-created field--type-created field--label-hidden">Tue, 07/30/2024 - 13:28
</span>

            
  
      
  
            July 30th, 2024

      
            <h2>Our Solution: Precision Internal Network Testing with Zero Trust Control</h2><p dir="ltr">We are excited to introduce&nbsp;<a href="https://docs.hackerone.com/en/articles/9648354-gateway-internal-network-testing">Gateway Internal Network Testing (INT)&nbsp;</a>as the latest enhancement to&nbsp;<a href="https://www.hackerone.com/vulnerability-management/clear-and-gateway">HackerOne Gateway</a>, powered by Cloudflare’s&nbsp;<a href="https://www.cloudflare.com/learning/access-management/what-is-ztna/" target="_blank">Zero Trust Network Access (ZTNA)</a> technology. Gateway is one of the key components of the HackerOne Platform, providing superior control and precision in managing security program traffic. Gateway INT addresses the critical need for secure and efficient internal network testing by routing all security program traffic through the same&nbsp;<a href="https://www.cloudflare.com/learning/access-management/what-is-ztna/" target="_blank">ZTNA</a>. This provides the additional traceability required in regulated and compliance-driven industries, enabling external security researchers to conduct thorough testing of pre-production assets with access mechanisms built on the enhanced security principles of zero trust.</p><p dir="ltr"><a href="https://docs.hackerone.com/en/articles/8536633-hackerone-gateway">Gateway</a> features a split tunnel, researcher-level segregation, and logging with TLS decryption, ensuring visibility and control over all testing activities. Gateway INT seamlessly integrates advanced firewall protection and industry-standard security protocols, including Cloudflare Tunnel (also known as Cloudflared) and IPsec. The solution balances ease of use with zero trust security, offering an optional dedicated virtual machine (VM) setup to facilitate the Cloudflared solution for pentesting on internal assets. 
Customers also have the flexibility to&nbsp;<a href="https://docs.hackerone.com/en/articles/9648357-self-managed-cloudflared-configuration">install and self-manage Cloudflared&nbsp;</a>on their existing or new endpoints (servers).</p><h2>Understanding Cloudflared and IPsec in Gateway INT Context</h2><p dir="ltr"><strong>Cloudflared</strong> is a command-line tool that creates secure tunnels to Cloudflare's network. This allows safe and fast access to internal applications without internet exposure.</p><p dir="ltr">In Gateway INT, Cloudflared encrypts and securely routes all security testing traffic through a ZTNA infrastructure, supporting specialized pentests that require evaluation of network segmentation and other forms of testing that must be performed from within an internal network.</p><p dir="ltr"><strong>IPsec (Internet Protocol Security)</strong> is a suite of protocols that secure internet communication by authenticating and encrypting each IP packet.</p><p dir="ltr">In Gateway INT, IPsec adds another layer of encryption and security for traffic between internal networks and security researchers, protecting sensitive data and providing continuous proof of testing.</p><h2>Key Benefits</h2><h4>Program-specific Control and Visibility</h4><p dir="ltr">The Control View manages who can access the program and assets. Gateway allows seamless setup, pausing, and resuming of access for researchers, applied on a per-researcher or overall program level. 
Any changes trigger email notifications for both paused and resumed actions, with filtering and search capabilities for streamlined management.</p><p dir="ltr"><strong>INT Advantage:&nbsp;</strong>Provides controlled bug bounty programs with granular reporting through Cloudflare Tunnel, ensuring proof of testing activities and transparency, while maintaining robust security and compliance.</p><h4>Allowlisted IP Addresses</h4><p dir="ltr">Allowlisted IP addresses are assigned closest to the asset location to reduce latency and improve performance. The Settings view includes separate tabs for Hackers, Pentesters, Triagers, and Program Admins, along with the ability to pause, resume, and filter actions with a single click.</p><p dir="ltr"><strong>INT Advantage:</strong> Maintain program-specific control over all your assets with 24/7 IP allowlisting monitoring and the ability to pause testing as needed.</p><h4>Download Log View and Real-Time Log Stream</h4><p dir="ltr">The Log Management feature, available for the Cloudflared solution, facilitates downloading a zip archive containing HTTP, session, and network logs for incident investigation and hacker activity analysis. It also supports setting up a real-time log stream to various cloud storage destinations for SIEM integration, reducing the typical 20-minute lag time.</p><p dir="ltr"><strong>INT Advantage:&nbsp;</strong>Ensures regulatory compliance with laws like GDPR, HIPAA, and SOX by providing controlled access and comprehensive logging, and enhances timely and efficient data analysis for improved security monitoring.</p><h4>Security Researcher Activity Control via Activity Logs</h4><p dir="ltr">The Activity Logs offer visibility into actual security researcher activity. 
They detail which researchers, Program Admins, and Triagers are accessing URLs, and filters and date ranges are available to streamline information access.</p><p dir="ltr"><strong>INT Advantage</strong>: Precision monitoring distinguishes between legitimate security researcher traffic and genuine threats, reducing security alerts.</p><h4>Data-driven Engagement Analytics</h4><p dir="ltr">The Analytics view specific to Gateway provides key insights to drive engagement, understand asset touch frequency, and refine your program. It includes information on active hackers, top contributors, overall activity, and asset requests per program.</p><p dir="ltr"><strong>INT Advantage</strong>: Advanced engagement analytics allow you to view, analyze, and download data to inform data-driven strategy adjustments and demonstrate program ROI.</p><h4>Effortless Internal Network Pentesting</h4><p dir="ltr">Providing restricted access to a testing environment, whether it be an internal application or a restricted sandbox, is always a tricky part of a pentest. For pre-release web application features, customers often need to limit access to authorized testers only. Traditionally, this involves significant adjustments like modifying firewall rules, adding VPN accounts, and granting access to virtual desktops, which can ironically compromise security and impact pentester productivity due to slow network access and cumbersome configurations.</p><p dir="ltr">HackerOne's Gateway, powered by Cloudflare's WARP technology, streamlines this process by creating a Zero Trust tunnel that connects pentesters securely to target assets without needing to collect multiple IP addresses. Organizations still adjust firewalls but avoid the complexity of managing numerous IPs. 
The WARP client on testers' endpoints authenticates their identity and device, allowing easy granting, revoking, and auditing of access.</p><p dir="ltr">By providing seamless access to virtual desktops or VDI/VM environments, Gateway delivers higher-quality pentest results. Pentests are often on tight deadlines, and Gateway's well-documented, performant, predictable, and repeatable solution addresses the urgency and security trade-offs typically associated with setting up access. This results in a more secure and productive pentesting process, aligning security priorities with operational demands.</p><p dir="ltr">Gateway INT enhances internal network security by enabling pentests that simulate real-world attacks. This latest addition to Gateway offers:</p><ul><li dir="ltr"><strong>Self-Managed Configuration Using Cloudflared</strong>: Organizations can configure the Cloudflared tunnel independently, ensuring encrypted and protected traffic without the complexity of VPN setups.</li><li dir="ltr"><strong>Gateway INT Virtual Machine</strong>: This provides a virtual machine (VM) pre-configured for Gateway INT secure tunnel compatibility and loaded with an up-to-date toolkit so assessors are ready to start thorough testing within your network. This simplifies the process and ensures all security measures are in place from the start.</li></ul><p dir="ltr">With the option to adopt a VM, Gateway INT facilitates pentesting on internal assets. This solution replaces the need for sending physical devices for internal network pentests and setting up individual VMs for pentesters, streamlining the entire process for both security teams and testers. The combination of Gateway VPN/Tunnel and Gateway VM ensures end-to-end support for accessing the network and conducting thorough testing from within.</p><h2>Looking Ahead</h2><p dir="ltr">This blog serves as an introduction to Gateway INT. 
As we observe how our customers use the solution, we continuously seek opportunities to make improvements and enhance the user experience. In upcoming posts, we will explore:</p><ul><li dir="ltr">Details of internal network pentesting and best practices.</li><li dir="ltr">Detailed use cases for private bounty programs.</li></ul><h2>Get Started With Gateway INT</h2><p dir="ltr">Ready to enhance your precision for internal network security? Meet one of our security experts to see HackerOne Gateway in action. For more information and product documentation, visit our <a href="https://docs.hackerone.com/en/collections/7170314-gateway-customers">Gateway parent page</a> and the <a href="https://docs.hackerone.com/en/articles/9648354-gateway-internal-network-testing">Gateway internal network testing</a> page.</p>
      

            
            <a href="https://www.hackerone.com/blog/topic/penetration-testing" hreflang="en">Penetration Testing</a>
        
    

            <p dir="ltr"><em>"Your focus determines your reality."&nbsp;</em><br>—<em> Qui-Gon Jinn, Star Wars: Episode I - The Phantom Menace (1999)</em></p><p dir="ltr">Securing both external and internal networks against sophisticated threats is a top priority in today’s increasingly complex digital environments. Traditional security measures often lack the essential visibility and control over internal assets, leaving organizations vulnerable to hidden threats. This gap is particularly concerning for compliance-intensive environments, where protecting sensitive customer and business data is critical. Organizations need a comprehensive solution to manage and secure internal network access while maintaining operational simplicity and compliance.</p>
      ]]></description>
  <pubDate>Tue, 30 Jul 2024 18:28:57 +0000</pubDate>
    <dc:creator>h1_admin</dc:creator>
    <guid isPermaLink="false">5402 at https://www.hackerone.com</guid>
    </item>
<item>
  <title>HIPAA and Pentesting: What You Need to Know</title>
  <link>https://www.hackerone.com/blog/hipaa-and-pentesting-what-you-need-know</link>
  <description><![CDATA[<span class="field field--name-title field--type-string field--label-hidden">HIPAA and Pentesting: What You Need to Know</span>
    



    
        HackerOne Pentest
        
    


<span class="field field--name-uid field--type-entity-reference field--label-hidden"><span>h1_admin</span></span>
<span class="field field--name-created field--type-created field--label-hidden">Wed, 07/24/2024 - 13:11
</span>

            
  
      
  
            July 24th, 2024

      
            <p dir="ltr">HIPAA regulatory standards outline the lawful use, disclosure, and safeguarding of protected health information (PHI). Any organization that collects or handles PHI must comply with HIPAA rules. The HIPAA legislation is based on five rules, the first three of which deal directly with protecting PHI:</p><ul><li dir="ltr"><strong>Privacy</strong>: Prevention of customer data being shared with anyone or any organization without obtaining the required permissions.</li><li dir="ltr"><strong>Security</strong>: Establishment of safeguards to protect data from being accessed inappropriately or inadvertently. Protections fall into three categories, and covered organizations must:<ul><li dir="ltr">Administrative – have knowledgeable staff and effective processes in place.</li><li dir="ltr">Technical – have IT tools for control of data, including encryption and authentication.</li><li dir="ltr">Nontechnical – have facilities in place that deter physical theft.</li></ul></li><li dir="ltr"><strong>Breach Notification</strong>: Prompt reporting of any breach to the&nbsp;<a href="https://www.hhs.gov/" target="_blank">Department of Health and Human Services</a>, and the inclusion of reporting requirements in all contracts with business associates such as billing agencies or other third-party entities performing work involving PHI.</li><li dir="ltr"><strong>Transaction</strong>: Use of specific codes for sharing data that ensure the privacy and accuracy of medical records and PHI.</li><li dir="ltr"><strong>Identifiers</strong>: The sharing of PHI only with other HIPAA-recognized organizations using unique identifying numbers.</li></ul><h3 dir="ltr">The Importance of HIPAA and HITRUST Compliance</h3><p dir="ltr">Without HIPAA, healthcare organizations are under no legal obligation to protect PHI or to share data with other organizations upon request from the patient. 
Through HIPAA, healthcare organizations must establish strict security controls to protect PHI and have staff trained in PHI protection and handling. They must also share patient data upon request with other HIPAA organizations. To achieve HIPAA compliance organizations must prove to an auditor that they have effective controls and policies in place.&nbsp; With HIPAA, patients have assurance that medical organizations they deal with are taking steps to protect their PHI and will share that data upon request.&nbsp;</p><p dir="ltr">While HIPAA specifies rules for protecting PHI, it does not prescribe how to achieve compliance, or provide&nbsp; a certification program. That is why implementing HIPAA standards can be complex and confusing. To make it easier to achieve compliance, the&nbsp;<a href="https://hitrustalliance.net/">Health Information Alliance Trust&nbsp;</a>(HITRUST), a private not-for-profit company, developed the&nbsp;<a href="https://hitrustalliance.net/hitrust-framework" target="_blank">HITRUST Common Security Framework</a> (CSF). HITRUST is a trusted official certifying organization, and its HITRUST CSF helps organizations design, deploy and manage their security compliance programs with a single streamlined framework based on HIPAA rules. In short, HIPAA lays out the rules and HITRUST outlines how to comply with them.&nbsp;</p><p dir="ltr">To receive certification, an independent auditor assesses the organization’s compliance with applicable HITRUST requirements.&nbsp; A successful HITRUST assessment and certification can be used to demonstrate HIPAA compliance.&nbsp;</p><h3 dir="ltr">Achieve HIPAA and HITRUST to Protect Your Health Data with HackerOne Pentest</h3><p dir="ltr">Data security is at the core of HIPAA, and pentesting plays a crucial role in helping organizations achieve HIPAA and HITRUST certifications. Pentesting identifies cyber security vulnerabilities that can affect data, with the testing results informing remediations. 
It validates the effectiveness of security controls and demonstrates to regulators that your organization is proactive in protecting data.</p><p dir="ltr">HackerOne Pentest offers a comprehensive approach to help organizations achieve and maintain HIPAA and HITRUST compliance through rigorous pentesting::</p><ul><li dir="ltr"><strong>Safeguard PHI Security</strong>: Our pentests meticulously examine controls around Protected Health Information (PHI), verifying that they meet the stringent requirements of the HIPAA Security Rule. We assess the effectiveness of access controls, encryption mechanisms, and other security measures designed to protect PHI from unauthorized access, modification, or disclosure. Additionally, our pentests are designed to simulate real-world attack scenarios that can uncover misconfigurations, unpatched systems, and many other flaws that could potentially lead to data breaches.</li><li dir="ltr"><strong>Leverage Experienced Pentesters</strong>: The HackerOne Delivery Team assigns seasoned, HIPAA and HITRUST-certified pentesters who possess deep expertise in healthcare security. These experts assess your organization's security posture against the comprehensive standards set forth by HIPAA and HITRUST. By identifying vulnerabilities and misconfigurations, we provide actionable recommendations to strengthen your security controls and achieve compliance.</li><li dir="ltr"><strong>Comprehensive Reporting</strong>: Upon completion of our pentests, we deliver detailed reports that articulate the identified vulnerabilities and their potential impact on HIPAA and HITRUST compliance. 
These reports serve as a roadmap for targeted improvements, enabling your organization to prioritize remediation efforts and demonstrate to regulators and stakeholders that you are proactively protecting sensitive health data.</li><li dir="ltr"><strong>Real-Time Results on the HackerOne Platform:</strong> The HackerOne platform provides organizations with real-time visibility into the pentesting process and results. Through the platform, customers can track the progress of the pentest, review findings as they emerge, and collaborate with the pentesters and the HackerOne team to address identified vulnerabilities promptly. This real-time access ensures that organizations can take immediate action to mitigate risks and maintain HIPAA and HITRUST compliance.</li></ul><p>To learn more about how to use pentesting to address HIPAA compliance, <a href="https://www.hackerone.com/contact">contact the experts at HackerOne today.</a></p>
      

            
            <a href="https://www.hackerone.com/blog/topic/security-compliance" hreflang="en">Security Compliance</a>
        
            
            <a href="https://www.hackerone.com/blog/topic/penetration-testing" hreflang="en">Penetration Testing</a>
        
    

            <p dir="ltr">Healthcare records are a prime target for malicious actors. Health data has a higher value and longer shelf life than other data types and can be used for a variety of purposes including extortion, medical fraud, and prescription purchasing. In 2023 there were&nbsp;<a href="https://www.hipaajournal.com/security-breaches-in-healthcare/" target="_blank">725 large security breaches in healthcare with over 133 million breached records</a>. To help safeguard medical information, the U.S. government established the&nbsp;<a href="https://www.hhs.gov/hipaa/for-professionals/index.html" target="_blank">Health Insurance Portability and Accountability Act</a> (HIPAA), a federal law that sets the standard for protecting sensitive patient data in the U.S.&nbsp;</p>
      ]]></description>
  <pubDate>Wed, 24 Jul 2024 18:11:25 +0000</pubDate>
    <dc:creator>h1_admin</dc:creator>
    <guid isPermaLink="false">5399 at https://www.hackerone.com</guid>
    </item>

  </channel>
</rss>
