QueryPie’s New Standard for Penetration Testing
November 22, 2024
Introduction
As the complexity of digital environments increases and cyber threats constantly evolve, businesses and organizations are prioritizing security more than ever. Additionally, with the tightening of compliance requirements, the importance of security has become even more prominent. To meet these demands, the QueryPie team is dedicated to ensuring robust security for our Privileged Access Management (PAM) solution. Security is not just a feature of our product; it is a core value integrated into the development process from the very beginning through to the final deployment.
Based on these efforts, we have established a comprehensive security review process throughout the development lifecycle, ensuring that security is continuously scrutinized to maximize the safety of our product. The QueryPie security team has developed a systematic process to identify security vulnerabilities from various perspectives. Among the most crucial processes is our penetration testing process, which we will explore in this blog to highlight its importance and our approach.

QueryPie runs an internal In-House Red Team and combines continuous in-house penetration testing, a Bug Bounty Program, and penetration testing consulting from external experts. Each method covers weaknesses of the others, which gives us a well-rounded security process.
One key procedure is the internal penetration test conducted for every new version release, which lets us identify and fix potential threats to the product before it ships. QueryPie’s Bug Bounty Program gives security researchers around the world, as well as customers who use QueryPie daily, a way to contribute to the security of the product, and lets us give back to customers with a product they can trust. Finally, collaborating with external penetration testing experts is a vital part of our security validation: their diverse experience and perspectives surface vulnerabilities we might otherwise overlook.
QueryPie’s Multi-layered Security Approach
In-House Penetration Testing: Internal security experts perform security testing to identify and address vulnerabilities in the product.
Expertise: Deep understanding of the product's internal structure and architecture.
Consistency: Repeated testing for every new version release.
Agility: Quick response to identified vulnerabilities through team collaboration.
Bug Bounty Program: A program where external security researchers and customers participate in discovering vulnerabilities and receive rewards for reporting them.
Diversity: Wide participation from global security researchers and customers.
Creativity: Providing unexpected attack techniques and perspectives.
Cost-effectiveness: Efficient use of resources by rewarding valid vulnerabilities.
External Penetration Testing Consulting: Independent security experts perform objective security assessments.
Objectivity: Vulnerability analysis from an independent perspective.
Up-to-date: Attack simulations reflecting the latest threat trends and technologies.
Credibility: Verified security evaluation results through certification by external experts.
We consider penetration testing so important because automated tools alone cannot find logic vulnerabilities: flaws in the product’s workflows, authorization rules, or approval steps that an attacker abuses with requests that each look valid on their own, so a scanner has no signature to match. Finding such vulnerabilities requires several security testing processes that cover each other’s weaknesses.
Why does QueryPie emphasize the importance of security so much?
To revisit the starting point, PAM (Privileged Access Management) solutions play a crucial role in implementing a Zero Trust security architecture by managing critical access rights to various systems and databases. This means that if the data and systems managed by QueryPie are exposed to malicious attackers, the entire organization could face severe threats. Because of this significance, providing a product that users and customers can trust is our top priority, and as a result, we are consistently strengthening security. The QueryPie team believes that protecting our customers' data and systems is not just a responsibility but a promise to our customers. Therefore, QueryPie will never compromise on security and will continue to work tirelessly through thorough validation and penetration testing to build an even more robust product and environment.
QueryPie’s Penetration Testing Framework and Maturity Model
So, let’s first look at the penetration testing process and maturity level of QueryPie.
QueryPie Penetration Test Framework?
QueryPie has developed and operates a comprehensive penetration testing framework. This framework is built upon globally recognized standards such as NIST SP 800-115 and the OWASP Testing Framework, ensuring a more systematic and thorough penetration testing process. This framework is designed to maximize effectiveness during the limited internal in-house penetration testing time, enabling the efficient detection and analysis of vulnerabilities.
The framework standardizes the penetration testing process and clearly defines the activities at each stage to ensure consistent security verification. As a result, QueryPie maintains a high level of security with each product release, ensuring that any vulnerabilities discovered are effectively addressed. The QueryPie penetration testing framework consists of the following six stages.

QueryPie Penetration Maturity Model?
As the penetration testing process stabilized within the organization during the security review phases of development, we created the penetration testing maturity model outlined below. The model lets us measure our current level and sets a benchmark for continuous improvement. Against it, we assess QueryPie’s penetration testing maturity as being at the Proactive stage. We are not satisfied with this level and are working toward the Optimized stage by integrating penetration testing with the DevSecOps pipeline. The goal of this integration is to move security testing earlier in the pipeline so that it runs continuously rather than only as a gate before each release, and, by combining automated penetration testing with AI-based threat detection, to make security reviews and responses more efficient and consistent.
Furthermore, the transition to the Optimized stage is not merely a technological advancement. It represents QueryPie’s commitment to providing the highest level of security to our customers, maximizing the reliability of our products, and establishing a system that can stay one step ahead of emerging security threats.

In-house Red Team
The Red Team conducts internal penetration testing and checks vulnerabilities (*CVE, CWE, CCE) at every stage of the CI/CD pipeline. They also perform security reviews and provide guidance throughout the development lifecycle. Before each new version release, the Red Team follows the process outlined below, in collaboration with the QA team and bug bash sessions.
Pre-pentest Review: The PM team and the Red Team discuss the key features of the new version and the primary checkpoints for the test.
Penetration Testing: Based on the pre-pentest review, the team tests the key features first and then runs a comprehensive penetration test across all functions (about two weeks).
Security Team Internal Review: Any vulnerabilities discovered are initially reviewed by the internal security team.
Sharing with Development Team & Assigning Responsibilities: Vulnerability information is shared with the development team, and specific issues are assigned to the responsible parties via Jira tickets for tracking and management.
Vulnerability Remediation Verification: Once vulnerabilities have been addressed, the Red Team member verifies the implementation and marks the vulnerability ticket as resolved.
*CVE : Common Vulnerabilities and Exposures
*CWE : Common Weakness Enumeration
*CCE : Common Configuration Enumeration
The tools and methodologies used by the QueryPie Red Team for testing are as follows. By employing these methodologies, the team standardizes testing, systematically evaluates the severity and priority of vulnerabilities, and establishes effective responses.
Diagnostic Tools

Burp Suite
Nuclei
OWASP ZAP
Nessus
dnSpy
Snyk
GitHub Advanced Security
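The pipeline check described above (scanner findings reviewed for severity, then tracked to a ticket and verified) can be made concrete as a gate step. The following is an added example written for this page, not QueryPie’s own tooling. It assumes findings arrive as JSON Lines in the shape that Nuclei’s JSONL export uses (a `template-id`, an `info.severity`, a `host` and a `matched-at` field); another scanner from the list above can feed the same gate once its output is mapped into that record shape. The sample findings, hosts and template ids are constructed placeholders, and the rule that only critical, high and severity-less findings block the stage is the example’s own policy, not a policy stated on the page.

```python
"""
Added example: a CI gate that ingests scanner findings (JSON Lines, in the
field layout nuclei's JSONL export uses) and decides whether the stage may
proceed. Not QueryPie's code; field names and policy are assumptions.
"""
import json
from collections import Counter

# Rank used to sort findings and to decide what blocks the pipeline.
# A finding with no recognizable severity is ranked with "unknown" and
# blocks too (fail closed), so a malformed record cannot slip through.
SEVERITY_RANK = {"critical": 5, "high": 4, "unknown": 3, "medium": 2, "low": 1, "info": 0}
BLOCKING = {"critical", "high", "unknown"}

# Constructed sample scanner output; not from a real scan. The duplicate
# first record stands in for a re-run of the same template on the same URL.
SAMPLE_JSONL = """\
{"template-id": "example-auth-bypass", "info": {"name": "Constructed auth bypass", "severity": "critical"}, "host": "https://staging.example.invalid", "matched-at": "https://staging.example.invalid/api/v1/admin"}
{"template-id": "example-auth-bypass", "info": {"name": "Constructed auth bypass", "severity": "critical"}, "host": "https://staging.example.invalid", "matched-at": "https://staging.example.invalid/api/v1/admin"}
{"template-id": "example-no-severity", "info": {"name": "Constructed finding without severity"}, "host": "https://staging.example.invalid", "matched-at": "https://staging.example.invalid/health"}
{"template-id": "example-missing-hsts", "info": {"name": "Constructed missing HSTS", "severity": "low"}, "host": "https://staging.example.invalid", "matched-at": "https://staging.example.invalid/"}
{"template-id": "example-tech-detect", "info": {"name": "Constructed tech fingerprint", "severity": "info"}, "host": "https://staging.example.invalid", "matched-at": "https://staging.example.invalid/"}
not json: a scanner banner line that the parser must ignore
"""


def parse_findings(jsonl_text):
    """Parse JSONL into finding records, skipping non-JSON lines and
    de-duplicating on (template-id, matched-at) so a re-run does not
    double count. Result is sorted highest severity first."""
    seen = set()
    findings = []
    for line in jsonl_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # progress/banner output is not a finding
        info = rec.get("info", {}) or {}
        sev = info.get("severity")
        sev = str(sev).lower() if sev is not None else "unknown"
        if sev not in SEVERITY_RANK:
            sev = "unknown"  # unrecognized label: treat conservatively
        key = (rec.get("template-id", "?"), rec.get("matched-at") or rec.get("host", "?"))
        if key in seen:
            continue
        seen.add(key)
        findings.append({
            "template_id": key[0],
            "matched_at": key[1],
            "severity": sev,
            "name": info.get("name", key[0]),
        })
    findings.sort(key=lambda f: SEVERITY_RANK[f["severity"]], reverse=True)
    return findings


def gate(findings, blocking=BLOCKING):
    """Return (passed, tally). passed is False when any finding carries a
    blocking severity; tally is a per-severity count for the report."""
    tally = Counter(f["severity"] for f in findings)
    passed = not any(f["severity"] in blocking for f in findings)
    return passed, dict(tally)


def ticket_lines(findings, blocking=BLOCKING):
    """One line per blocking finding, in the form a tracker ticket (such
    as the Jira tickets mentioned above) would carry for remediation."""
    return [
        f"[{f['severity'].upper()}] {f['name']} ({f['template_id']}) at {f['matched_at']}"
        for f in findings if f["severity"] in blocking
    ]


if __name__ == "__main__":
    import sys
    found = parse_findings(SAMPLE_JSONL)
    for line in ticket_lines(found):
        print(line)
    ok, tally = gate(found)
    print("severity tally:", tally)
    print("gate:", "PASS" if ok else "FAIL (blocking findings present)")
    sys.exit(0 if ok else 1)  # non-zero exit stops the pipeline stage
```

Run as a step after the scanner, the script exits non-zero whenever a blocking finding exists, which is what stops the stage; lower-severity findings are still tallied so they reach the review without holding up the build. Treating a missing or unrecognized severity as blocking is deliberate: a gate that defaults unknown input to "pass" is the first thing a malformed scanner update would break.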