Gold Systems

Gold Systems: Third-Party Product Security Architecture and Certification

The Gold Systems Product
Gold Systems, Inc. builds self-service IVR, speech recognition, and text-to-speech solutions for Global 1000 companies. In the summer of 2005 Gold Systems released a self-help voice application that allows users to reset their own passwords, avoiding costly calls to the help desk.

Security First
Security is critical for any application that deals with passwords, especially one that allows password resets. Knowing this, Gold Systems looked to Applied Trust for help in architecting and auditing its product. Using industry IT security standards as a foundation, Applied Trust advised Gold Systems on an appropriate architectural approach and developed a formidable testing regimen for the product. The breadth of security testing ranged from social engineering tactics, such as trying to force the application to provide user information through impersonation, to application architecture, exception handling, credentials management, interfaces, and data encryption levels across workstations, servers, and network traffic.

As an example of the security testing regimen, the product platform was examined for common and known vulnerabilities, both in the application developed by Gold Systems and in ancillary components such as the underlying operating system, web server, and speech server. It was tested against denial of service (DoS) attacks to ensure that an attack would not cause unwanted behavior. Encryption was also tested at several layers within Password Reset: database encryption, network traffic, and cached user data such as cookies were examined to ensure that sensitive information was handled appropriately, both in transit and at rest.

Not all attacks come at the packet or system level, however. Many threats take the form of people who try to trick the system through their interactions with it. The product's behavior in unexpected or error situations was therefore evaluated to ensure that it remained predictable and did not disclose anything it should not.

"Security is paramount to the success of this product. Customers need to know, for certain, that only authenticated and authorized users will be able to access and change passwords. Applied Trust's knowledge, experience, and expertise were critical to developing this aspect of the product. The Applied Trust team members got their hands dirty to understand and solve problems with our team. Their feedback during testing helped shape the final product release. They provided exceptional value from beginning to end in this engagement."
- Herb Morreale, CTO, Gold Systems

Applied Trust's engineers have a wide array of technical certifications, including CISSP, ISSAP, ISSMP, CCIE, and MCSE, and they are well-versed in helping organizations bring their infrastructure or products up to speed on security in a practical, cost-effective manner.