Cyrex joins forces with Jigstack to further enhance security through penetration testing
Earlier this year, Jigstack collaborated with the team at Cyrex for a full penetration and load test of our services, including the Lemonade platform. For those of you unfamiliar with Cyrex, they are a company that specializes in secure software development and application penetration testing. They are a group of cybersecurity professionals with a world-class understanding of programming languages and culture, founded by award-winning digital security experts Mathieu Huysman and Tim De Wachter.

Security Partnership
Cyrex was founded in 2015 with a vision to help drive innovation and creativity in the tech industry by helping develop and secure the applications that empower businesses to do and be more. The team’s unique blend of technical expertise and creative thinking led them to constantly push the boundaries of both cybersecurity and software development — combining their prowess in both to create bulletproof security solutions and reliable applications and software that withstand the test of time.

Kaue, the Lead ETH Dev at Jigstack, worked closely with the Cyrex team during the full penetration and load tests of our services and had this to say about the experience:

"Working with Cyrex was an awesome experience all around. Even with time zone differences, communication was smooth and really easy, which is really important when working against a tight deadline. Cyrex’s analysis and tests were all precise and really well explained, without sacrificing agility or comprehensiveness. They also ended up being crucial for the security and performance of our platform, so I can easily say Jigstack is satisfied with the work delivered and we’re keen to work once again with such a talented team."

Common Vulnerabilities
Over the course of Cyrex's penetration testing, a variety of vulnerabilities were discovered in our services. These findings were sent to our team along with a comprehensive breakdown and a list of recommendations for dealing with each vulnerability. We were extremely impressed with the quality of the vulnerability review and recommendations they were able to provide us. There is no need to worry about protocol vulnerabilities now, as we have already finished integrating the recommendations into our products! To give a bit more detail on the testing at Cyrex, they look for common vulnerabilities such as:

- Remote Code Execution
- SQL Injection
- Path traversal attacks
- File upload vulnerabilities
- Parameter tampering
- Access control flaws
- Transport layer security, Business logic, and Authentication flaws
- SMTP, Header, and JSON Injection
- XML Injection / Code Execution
- Re-entrancy Attacks
- Over & Underflow attacks
- Block Gas Limit
- Front Running
Load Testing
For those who are unaware, load testing is an orchestrated push of packets and user interactions onto a platform to see when and where a system struggles or fails under a given load. The point of this is to test anticipated volumes of interactions to ensure our products and services won’t fail under real usage. Cyrex developed load testing scripts to simulate real-user behavior and tested a variety of functionalities. These included:

- Account registration and login
- Activation of emails
- Campaign management (create, browse campaigns & transactions)
- Buying crypto tokens