Zoom's fall from grace highlights the importance of Application Testing

With organisations across the globe suddenly transitioning to remote workforces due to the outbreak of Covid-19, the demand for video conferencing applications has gone through the roof.

One such video conferencing application which has made significant strides in new users and usage since the outbreak of Covid-19 is Zoom. However, this sudden surge in demand has shone a light on a number of security issues with the Zoom application, which has led to Zoom pausing its current development plans to go back and fix these problems.

One of the best known threats, which has made headlines, is an action coined "Zoom-bombing": an individual gains access to a video conference uninvited and causes disruption, or simply listens in to corporate meetings.

The best way to prevent your meetings from being "Zoom-bombed" is to never share your personal meeting ID. Each Zoom user has a personal meeting ID (which is like your phone number) that is used to set up meetings. If this ID is leaked or misplaced, people can use it to join your meetings. When creating meetings you are given the option to use your personal ID or generate a random one; you should always generate a random meeting ID, as it will reduce your risk of "Zoom-bombing". To add another layer on top of this, always use a meeting password in Zoom. When setting up a meeting you are given the opportunity to require a password; ensure you always set one. Once a password is set it will be emailed out to all meeting participants, and people can only join the meeting by entering the password.

Zoom's recent meteoric rise in popularity has led many cybersecurity research groups to look into the security features and claims made by Zoom. Citizen Lab, one such research body, has been particularly critical of Zoom. After carrying out their own research, Citizen Lab discovered that not only was Zoom's end-to-end encryption not actually end-to-end, but it also wasn't as robust as Zoom had led people to believe. Zoom claimed in their own documentation that the app uses "AES-256" encryption for all their meetings; however, Citizen Lab found that each Zoom meeting is encrypted using a single AES-128 key in ECB mode, which is not recommended because patterns present in the plaintext are preserved during encryption.

A classic illustration of why ECB mode is not recommended. An image of a penguin (left) is encrypted in ECB mode and then visualised (right). Note that the outline of the penguin remains visible in the encrypted image.
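The pattern the penguin image makes visible, as an added example that is not Zoom's or Citizen Lab's code: AES-128 in ECB mode versus CBC over a plaintext with repeated blocks, together with the duplicate-block count an assessor can use to recognise ECB in captured ciphertext. Go's standard library is used throughout; the key, IV and plaintext are constructed values.

```go
package main
import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)
// encryptECB: each 16-byte block is encrypted independently under the same key.
// Go ships no ECB helper on purpose; this loop is all ECB is, and it is the weakness.
func encryptECB(key, plaintext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(plaintext)) // plaintext length must be a multiple of 16
	for i := 0; i < len(plaintext); i += aes.BlockSize {
		block.Encrypt(out[i:i+aes.BlockSize], plaintext[i:i+aes.BlockSize])
	}
	return out
}
// encryptCBC: chaining with an IV means equal plaintext blocks no longer give equal ciphertext blocks.
func encryptCBC(key, iv, plaintext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(plaintext))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, plaintext)
	return out
}
// duplicateBlocks counts 16-byte ciphertext blocks seen more than once: the classic ECB tell.
func duplicateBlocks(ct []byte) int {
	seen := map[string]int{}
	dups := 0
	for i := 0; i+aes.BlockSize <= len(ct); i += aes.BlockSize {
		k := string(ct[i : i+aes.BlockSize])
		if seen[k] > 0 {
			dups++
		}
		seen[k]++
	}
	return dups
}
func main() {
	key := []byte("0123456789abcdef")                    // constructed AES-128 key
	iv := []byte("fedcba9876543210")                     // constructed IV; use crypto/rand in practice
	plain := bytes.Repeat([]byte("ATTENDEE ID 0042"), 8) // 8 identical blocks, like a flat colour region
	fmt.Println("ECB duplicate blocks:", duplicateBlocks(encryptECB(key, plain)))     // 7
	fmt.Println("CBC duplicate blocks:", duplicateBlocks(encryptCBC(key, iv, plain))) // 0
}
```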

Security flaws like these unfortunately tarnish companies' reputations, bringing in negative criticism at times when applications and tools are most sought after. If security testing by a third party is factored into development cycles, it provides an impartial review of the security features and protocols, so issues can be rectified during the development cycle and validated as remediated.

The importance of Application Testing

The case of Zoom has highlighted that, with software and applications becoming critical assets for organisations, strong, robust security features have become a key influencing factor when deciding between various Software as a Service (SaaS) products. Proving security controls to vendors can speak volumes when trying to close a prospective client.

To ensure a high level of security, manual testing is still vital: it takes specialised expertise and vast experience to cover the length and breadth of an application and find the serious threats and vulnerabilities which are often missed by automated scans. Here at Secora Consulting, we can provide you and your clients with peace of mind with regards to the security features and protocols of your products. To avoid your company becoming the next Zoom, reach out to us today.


Our services

All of Secora Consulting's assessments are tailored to our client's needs.
Using our experience, we can help you determine which services are right for you.
We have arranged our services into four groups based on the objective of the tests.

Are your applications secure?

With software and applications becoming critical assets for organisations, strong security features are critical. If you wish to investigate your own application security, our expert team is available to discuss this with you.