Wink Security Overview Document
Last Updated: September 7, 2024
Version 1.0
Purpose and Scope
As part of our ongoing commitment to security and protecting user data, we conduct regular penetration testing on our web application. This document outlines our testing methodologies, provides a summary of findings, and highlights our approach to continuous security improvement.
This document will be updated as new reports are produced or when significant changes occur.
Domains in scope:
*.wink.travel
*.trippay.io
Testing Frequency and Schedule
Our penetration tests are conducted on an annual basis, with additional tests scheduled as needed following significant updates to the application or infrastructure. This regular testing cadence ensures we stay ahead of evolving threats and maintain a secure environment.
Testing Methodologies
Our penetration testing is comprehensive and covers a wide range of security aspects, including but not limited to:
- OWASP Top 10: Our tests specifically target the most critical security risks, such as Injection, Broken Authentication, and Cross-Site Scripting (XSS).
- Black Box and Grey Box Testing: Depending on the scope, our team utilizes these methodologies to simulate both external and internal attack scenarios.
- Automated and Manual Testing: We use Burp Suite Pro, a leading security testing toolset, to run automated security scans and to support manual testing techniques, so that complex vulnerabilities are identified and coverage is as complete as we can make it. For more specific vulnerability identification, specialized tools such as SQLmap are used.
Summary of Findings
The following is a high-level summary of our most recent penetration testing report:
- Total Vulnerabilities Identified: 2
- Severity Distribution:
  - Critical: 2
- Types of Vulnerabilities Detected:
  - Broken Access Control
  - Insecure Design
For detailed findings, please refer to the full report.
Risk Ratings and Impact
Both of the vulnerabilities found are rated as critical, since both could have had severe financial impacts. The first allowed a malicious authenticated user to take control of another company's Trippay payment account. The second allowed a malicious user to modify the payment amount required for a booking.
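The two vulnerability classes described above, demonstrated as an added example in Python (this is not Wink's or Trippay's code): a hypothetical booking service with a payment-account update handler and a charge handler, each shown in a vulnerable form beside a hardened form. The hardened handlers check ownership server-side against the session's company and recompute the booking total from server-side data instead of trusting the client. All names, fields and sample data are constructed.

```python
from dataclasses import dataclass, replace
from decimal import Decimal, ROUND_HALF_UP
from typing import Callable


class AuthorizationError(Exception):
    """Raised when the caller does not own the resource it is acting on."""


@dataclass(frozen=True)
class User:
    user_id: str
    company_id: str


@dataclass(frozen=True)
class PaymentAccount:
    account_id: str
    owner_company_id: str
    payout_reference: str  # hypothetical field: where settled funds are sent


@dataclass(frozen=True)
class Booking:
    booking_id: str
    company_id: str
    nightly_rate: Decimal
    nights: int
    tax_rate: Decimal


# Constructed sample data: two companies, each with its own payment account.
ACME_USER = User("u-1", "acme")
PAYMENT_ACCOUNTS = {
    "pa-acme": PaymentAccount("pa-acme", "acme", "acme-ref"),
    "pa-globex": PaymentAccount("pa-globex", "globex", "globex-ref"),
}
BOOKINGS = {
    "bk-1": Booking("bk-1", "acme", Decimal("120.00"), 3, Decimal("0.10")),
}


def link_payment_account_vulnerable(user: User, account_id: str, payout_reference: str) -> PaymentAccount:
    """Broken access control: the account is looked up by id only, so any
    authenticated user can redirect payouts for any company's account."""
    account = PAYMENT_ACCOUNTS[account_id]
    return replace(account, payout_reference=payout_reference)


def link_payment_account_hardened(user: User, account_id: str, payout_reference: str) -> PaymentAccount:
    """Ownership is checked against the session's company; a missing account
    and a foreign account raise the same error so the endpoint does not leak
    which account ids exist."""
    account = PAYMENT_ACCOUNTS.get(account_id)
    if account is None or account.owner_company_id != user.company_id:
        raise AuthorizationError("payment account not accessible")
    return replace(account, payout_reference=payout_reference)


def expected_booking_total(booking: Booking) -> Decimal:
    """Single server-side source of truth for what a booking costs."""
    subtotal = booking.nightly_rate * booking.nights
    total = subtotal * (Decimal(1) + booking.tax_rate)
    return total.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


def charge_booking_vulnerable(user: User, booking_id: str, client_amount: Decimal) -> Decimal:
    """Insecure design: the amount to charge is taken from the request body."""
    return client_amount


def charge_booking_hardened(user: User, booking_id: str, client_amount: Decimal) -> Decimal:
    """The amount is recomputed from server-side booking data; the client's
    value is accepted only if it matches exactly, so a stale or tampered
    amount is rejected rather than silently corrected."""
    booking = BOOKINGS.get(booking_id)
    if booking is None or booking.company_id != user.company_id:
        raise AuthorizationError("booking not accessible")
    expected = expected_booking_total(booking)
    if client_amount != expected:
        raise ValueError(f"amount mismatch: client {client_amount}, expected {expected}")
    return expected


def outcome(action: Callable[[], object]) -> str:
    """Collapse a handler call to 'ok', 'denied' or 'rejected'."""
    try:
        action()
        return "ok"
    except AuthorizationError:
        return "denied"
    except ValueError:
        return "rejected"


def run_scenarios() -> dict:
    """Send the same requests through the vulnerable and hardened handlers."""
    return {
        # An acme user tries to redirect globex's payouts.
        "vuln_cross_company": link_payment_account_vulnerable(ACME_USER, "pa-globex", "attacker-ref").payout_reference,
        "hard_cross_company": outcome(lambda: link_payment_account_hardened(ACME_USER, "pa-globex", "attacker-ref")),
        "hard_own_company": link_payment_account_hardened(ACME_USER, "pa-acme", "acme-new-ref").payout_reference,
        "hard_unknown_account": outcome(lambda: link_payment_account_hardened(ACME_USER, "pa-nope", "x")),
        # The client sends 1.00 for a booking that actually costs 396.00.
        "vuln_tampered_amount": str(charge_booking_vulnerable(ACME_USER, "bk-1", Decimal("1.00"))),
        "hard_tampered_amount": outcome(lambda: charge_booking_hardened(ACME_USER, "bk-1", Decimal("1.00"))),
        "hard_correct_amount": str(charge_booking_hardened(ACME_USER, "bk-1", Decimal("396.00"))),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

The hardened handlers derive the tenant from the authenticated session rather than from the request, and the charge handler treats the client-supplied amount as a consistency check only, which is the usual shape of a fix for the two classes listed in the summary above.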
Remediation and Mitigation Efforts
We have taken the following steps to address the identified vulnerabilities:
- Immediate Patches: The critical vulnerabilities were patched within 48 hours of discovery.
- Code Review and Hardening: The development team has implemented additional security controls based on our recommendations.
Continuous Improvement
Penetration testing is part of our broader strategy for continuous security improvement. Findings from each test guide our security policies, influence development practices, and drive enhancements in our security architecture.
Team Expertise
Our penetration testing is conducted by an in-house professional with extensive experience across various projects and industries. Using leading tools and methods, our expert ensures our application is thoroughly tested against the latest security threats.
Commitment to Security
We are dedicated to maintaining a secure application environment for our users and stakeholders. Our ongoing efforts in security testing and improvement demonstrate our commitment to protecting against evolving threats.
Report Access and Updates
This document will be continuously updated as new penetration test reports are issued. To access the full report, please contact us through the email below. Future updates will include newly identified vulnerabilities, remediation efforts, and adjustments to our testing methodologies.
For further inquiries, please contact [email protected].