Gyroscope Security Audit 2018 August 29, 2018

View all articles from Gyroscope Development Blog

In late July 2018, Antradar has obtained the service of Cure53 to conduct a thorough security audit of the Gyroscope framework.

The full report can be downloaded here.

All the security fixes and design enhancements are reflected in Version 15.0 of Gyroscope. We took a good part of August to test deployments of previous versions and made sure that the public release of this security report would not jeopardize existing Gyroscope systems.

To End Users

If you are looking for a shinny certificate that says Gyroscope is bullet proof, well, this is not what is audit is about. However you might find it comforting to know that, even without patching, the existing systems' login screens cannot be bypassed. User groups cannot be elevated (with one exception in the multi-tenant setup, which, by far, there is only one instance). Also there is no injection scenario that leaks the database content.

However, as Gyroscope expands its user base, it can no longer be assumed that the interest of users are not misaligned, or even maliciously situated against the business owners. This is especially true with the introduction of the multi-tenant configuration. Such anticipation is precisely what prompted us to engage Cure53's expertise in the first place.

To Developers

The July audit has not only fortified the Gyroscope code base, but also set Antradar's programming practice onto a path that's better security minded. The biggest takeaway is that a system has to be secure by design, instead of relying solely on specific defense tactics, which can be missed by a careless programmer. Even a seasoned developer can have a moment of slipped mind.

In response to the audit, we have rewritten a large portion of the Gyroscope core. The most notable changes are password storage, user role management, report settings in the multi-tenant scenario, database querying mechanism and tools for enforcing security features such as gsguard and gskey.

Although the audit took 5 days, and a newer version of Gyroscope was ready in a matter of weeks, the road to better security requires ongoing efforts. We would like to thank Cure53 for steering us in the right direction. 

We will cover the changes and new features in Gyroscope 15.0 in the upcoming articles. Stay tuned!

Our Services

Targeted Crawlers

Crawlers for content extraction, restoration and competitive intelligence gathering.

Learn More

Gyroscope™ ERP Solutions

Fully integrated enterprise solutions for rapid and steady growth.

Learn More

E-Commerce

Self-updating websites with product catalog and payment processing.

Learn More