Offensive Security Team Updates (23-27 Sept)
Progress
- Product security vulnerability assessment & research
- Cloud infrastructure security assessment
- Corporate IT infrastructure security assessment and penetration testing
  - Report compilation in progress
- DevOps infrastructure security assessment and penetration testing
  - Found two more vulnerable Jenkins instances used by the QA team
- Third-party vulnerability assessment
  - Checked Traveloka administrator account security (Google Suite / Slack)
  - Denni Gautama's account (one of the admins) is still active and not secured by 2FA
  - 3 of 11 administrator accounts are not secured by 2FA
  - 5 of 11 administrators' personal accounts appear in breach data (Have I Been Pwned or Dehashed)
Plan
- Compile all deliverables
- Preparing for Q4
Problem
- Some teams were not responsive when we reported security vulnerabilities to them
- Already discussed governance and SLA enforcement with GRC
People
Misc
- Preparing for internal CTF in Q4.