Every system has vulnerabilities that can lead to a loss of data protection or to limited availability of the platform (or even of the data). If you take the right precautions, however, you can identify and eliminate them yourself before they surface in production and turn into a problem. One suitable measure for this is the so-called "penetration test". Kiwigrid has already conducted several penetration tests with external providers in the past. The goal is to detect and close existing security gaps in time. In this blog post, we explain what we have learned from them and which measures we use to detect and fix security-critical aspects at an early stage.
The KiwiOS platform undergoes selective penetration testing
Unlike tests that check the quality and availability of the system, a penetration test is about testing the security of the platform and finding out where attackers could get into the software.
Penetration tests are always performed at Kiwigrid whenever major changes have been made to the platform. Most recently, for example, this was the case when the Kiwigrid platform fully migrated to the Google Cloud. However, even if no major changes have been implemented over a long period of time, an IoT platform is always evolving and it can be useful to test it for security vulnerabilities. Therefore, the next penetration test is already being planned for this year.
Procedure of a penetration test
Penetration tests are deliberately not carried out by Kiwigrid employees who already know the platform well, but by external researchers who look at the system from a black-box perspective. Kiwigrid sets up normal user accounts for these external researchers. This means that the researchers do not receive any internal access, but have exactly the same access rights as end customers.
The time period in which a penetration test is performed depends largely on the system being tested and can therefore vary greatly. The last penetration test conducted at Kiwigrid was scheduled for approximately 4 weeks. At the end of the test period, the researchers who tested the system provide a report. This report lists all vulnerabilities found and can then either be distributed only internally or made available to the public for full transparency.
Types of penetration tests
There are two different types of penetration tests:
1) A guided security test can be performed based on the OWASP Top 10 list, a ranking of the most critical security risks and attack vectors for web applications. The list is maintained and regularly updated by the non-profit organization of the same name, the Open Web Application Security Project (OWASP).
2) The second option is a community test. For this, globally distributed security testers who are vetted by an external penetration testing platform are engaged to test the system. A well-known provider of this crowd-based approach is the crowdsourced security platform Bugcrowd. Kiwigrid's most recent penetration test was conducted in cooperation with Bugcrowd as a community test.
Those who find weak points are rewarded
The researchers who test the system on behalf of an external provider are incentivized by a so-called "bug bounty". This refers to a sum of money that is paid out for each vulnerability found in the system. The more serious the bug, the higher the reward for the researcher. Bug bounties are also offered by larger software companies to receive feedback from the community on bugs in their systems. Google, for example, runs a standing bug bounty program: anyone who finds security holes in Google's software and is the first to report them to Google can earn a lot of money.
At Kiwigrid, bug bounties are only awarded to the contracted researchers as part of penetration tests. Kiwigrid agrees on a budget for this in advance with the external penetration test provider. The bugs found in the system are assigned to different severity levels by this provider. Bugcrowd has developed its own classification system for the severity of vulnerabilities, which is used as the basis for calculating a bug bounty. Each bug can only be rewarded once: whoever finds it first gets the bounty.
What we have learned from past penetration tests
Past penetration tests have, on the one hand, pointed out vulnerabilities in our system, which we subsequently remedied immediately. On the other hand, we have also gained general insights from the tests performed. The penetration tests have shown that focusing on standard technologies can significantly reduce system errors. This is one of the reasons why KiwiOS is now based on the Google Cloud Platform. Google's system is continuously tested by numerous experts for vulnerabilities and security holes and therefore offers particularly high security and stability. With regard to our own system, our microservice infrastructure also makes a decisive contribution to its security and robustness.
With KiwiOS, security-critical aspects are continuously monitored
In addition to selective penetration tests, Kiwigrid also conducts continuous security monitoring. To supplement the penetration tests, we use tools that help us to quickly identify and eliminate already known security vulnerabilities. Security monitoring is carried out directly at the development level, so that potential errors can be avoided from the outset. Among other things, we use publicly available lists that detail the known security vulnerabilities of specific frameworks or programming languages. Special tools help to quickly identify these security gaps in our own system. Kiwigrid also uses such tools to continuously monitor and analyze critical network paths.