Eureka MSP
WSO2
Security Assessment & Remote Infrastructure Management Services
   

OVERVIEW

Country or Region:
Sri Lanka

Industry:
Software

Customer Profile:

WSO2 is an Open Source technology company devoted to building Web services middleware, offering leading products, support and other services. WSO2 is a global corporation with offices located in USA, UK and Sri Lanka, and a staff strength of approximately 70 employees working on development projects.

Business Situation:
The Client required an understanding of their preparedness and a test of the robustness of their security against internal and external hackers, to determine whether the present systems and processes are successful in detecting and/or deterring an attack. Furthermore, they were faced with the challenge of managing their growing multiplatform network, monitoring secondary distributed hosting sites in the US and providing helpdesk support to their staff, while at the same time ensuring the core focus remained on their basic business.
The real challenge was to support their multiplatform server and desktop environment.

Solution:

  • Eureka penetration testing and vulnerability assessment services.

  • Remote Infrastructure management



Benefits:

  • Help ensure the integrity and security of critical online assets

  • Provides detailed remediation steps to improve security posture

  • Well-defined SLA to guarantee uptime.

  • Well-defined ITIL processes and framework guide support and delivery of services in controlled and safe manner.

  • ISO 20000 certified processes and centralized asset database and documentation

  • Improve operating margins with Eureka's cost-effective services and solutions

WSO2 was founded in August 2005 by leaders in Web services standards and Open Source software. It is an innovative Open Source technology company devoted to building Web services middleware, offering leading products, support and a variety of complementary services. WSO2 is a global corporation with offices located in USA, UK and Sri Lanka. With their vast experience in all aspects of SOA, Web services and open source, WSO2 offers the highest quality of services in consulting, custom development and sponsored open source development.

It has always been a business imperative for them, as a web services company, to devote significant efforts and resources to ensure system security and reliability. In light of this investment they further engaged in an initiative to understand their network's current vulnerabilities and mitigate such vulnerabilities. At times WSO2 was unable to meet business service levels due to their heterogeneous IT infrastructure and the lack of standardized infrastructure management processes.

The WSO2 board recognised the need to conduct a demanding information penetration test and a complete vulnerability assessment and to outsource their IT management and help desk functions to a qualified service provider. With the overall number of attacks on the web continuously on the rise, and customers becoming more and more demanding of proof of security while at the same time demanding 24x7 availability from their service providers, WSO2 needed to meet these challenges to maintain their competitive edge. In the pursuit of ensuring their system security and uptime were of the highest standards, WSO2 chose Eureka Technology Partners as the best partner.

The Challenge

Gauging the security status and laying down the systems and processes needed to integrate WSO2's people, processes and systems into a solution proved to be a significant challenge. To overcome this, Eureka's Information Security and Remote Infrastructure Management teams worked closely and intensely to identify vulnerabilities and to fundamentally shift IT support services to be proactive rather than reactive using ISO 20000 standards.

The Eureka Solution

Security Assessment (Pen test/VA)

Eureka's Penetration Testing and Vulnerability Assessment service is more than just a simple assessment or vulnerability scan. Eureka's Information Security (IS) consultants utilise their 25 years of collective experience, world class certifications and manual investigation techniques alongside tried and tested tools to identify and exploit vulnerabilities. As an initial step Eureka's Information security team conducted a 'Black Box' penetration test where we started with zero knowledge of the WSO2 network to evaluate their systems security against external hackers.

Next we conducted an Internal Penetration Test, carried out by gathering some basic information about the network. An internal user account with minimal access rights was used during the process to evaluate how vulnerable their system was against an internal hacker. This test exercise consisted of four phases, during which various tools and techniques were used to gain information and identify vulnerabilities within their IT systems, and subsequent attempts to penetrate the network were carried out. Activities in these phases include:

Network mapping
Eureka's Penetration Testing team obtained much of the required information regarding WSO2's network profile, such as IP address ranges, and other general network topology through public information sources, such as internet registration services, web pages, and telephone directories.

Vulnerability identification
Eureka's Penetration Testing team undertook a comprehensive audit that assessed the WSO2 network using a multitude of tools to pinpoint vulnerabilities.

The audit was divided into two areas - a network assessment and a server assessment. The network audit focused on the connectivity, IP addressing & rule sets, firewall implementation and VPN. The server audit focused on the OS and the applications that were running on those machines - it looked at OS hardening / patch recommendations and at tools to harden the applications running on those servers (both local and US).

Exploitation
During this phase, system and user information was used to attack the authentication processes of the target systems. Potential vulnerabilities were systematically tested in the order of penetration and detection probability as determined by Eureka's penetration testing team.

Reporting
Once the comprehensive test scenarios were carried out, the results were compiled in a final detailed report, which clearly indicated the level of security their present systems offered and where attention was required. This report clearly articulated the recommendations to mitigate the identified vulnerabilities.

Remote infrastructure management

Eureka undertook the management of WSO2's infrastructure from their internal staff. Initially we conducted an exhaustive study of the client's business requirements, existing technologies and current infrastructure to build a technology lifecycle model and a roadmap. A formal Service Level Agreement with an inbuilt Risk & Reward Framework was put in place and periodically reviewed and enhanced on mutual agreement.

The key to effective IT management is to see beyond individual devices and connections to get a snapshot of how each resource affects the applications and business processes it supports. As a result Eureka started with an inventory audit to identify and tag each device. Upon investigation our team found that there was initially no process or mechanism to patch/harden their servers for critical releases, hot fixes and security updates. As a result, there was an inherent risk of virus attacks which could lead to downtime.

Therefore an automated patch server was implemented, which automatically checked the latest releases and deployed them on all Linux and Windows desktops and servers. All desktops were standardised thereafter, for stability and ease of administration. Today Eureka supports WSO2's infrastructure completely from our central help desk located in Colombo, Sri Lanka. All systems are monitored, protected and audited from this central location. WSO2's employees utilise Eureka's computerised trouble ticket systems for support requests effectively. Under our overall managed services framework, WSO2 now receives timely service level reports and information as and when changes are warranted and quarterly reviews are held to revise the scope and levels of service, as appropriate.

Leverage Eureka's Remote Infrastructure and Information Security Services
Eureka delivers world class Information Security and IT Infrastructure Management Services at affordable prices. 12 years of experience, the ITIL system of best practices, ISO 20000 standards and the Six Sigma problem solving methodology back up our service guarantee.

Qualified team
Eureka has a team of 70 with world class qualifications that help clients reach their optimal security posture and comply with regulations irrespective of the industry in which they operate. This team delivers a comprehensive list of services such as Information Security Services, Network Management & Monitoring, Help Desk Services and Backup & Disaster Recovery.

Support Level: Qualifications

Level 4: CISSP, CISM, CISA, CEH, MBCS, CCNP, CITP, B.Sc.Eng, MIEEE
Level 3: MCSA, MCSE, CCNP, RHCE, Cisco Firewall Specialist
Level 2: MCP, NCC - IDCS, CCNA, CCDA, MBCS, Cisco Security Information Specialist
Level 1: MCP, MCSE, MCSA, MCTS, BCS, MCTS, MCITP, NIBM, BSc(Hon) in IT, CCNA, NCC, A+, TEC Edexel

Trusted relationship
We work with your key staff and the management to design an audit or RIM plan to fulfill your organization's security goals.

Special skills and tools set
Our experts combine proprietary and industry-leading assessment tools with an in-depth analysis of vulnerability data to evaluate and build an effective program that ensures both a secure and efficient platform to carry out your business operations.
