European Commission ebsi European Blockchain

EBSI's APIs labeled as secure and robust following security audit


A new report surveys EBSI’s multi-year Incubation Programme, an ambitious initiative that engaged public and private organisations across diverse sectors to pilot Web3 solutions and lay the groundwork for a future European Web3 economy.

We live in an interconnected world and, therefore, we connect constantly to the digital universe through our computers, smartphones, or data centres. APIs (Application Programming Interfaces) play a big role in this as they allow different software systems to interact effortlessly and provide users with a smooth user experience. For example, we use APIs when streaming our favourite shows or checking our bank account balance. However, because of the role they play, they also serve as gateways to sensitive data, making their security of utmost importance. By implementing robust security measures, we ensure that our data stays safe while we enjoy the benefits of an interconnected world!

The European Blockchain Services Infrastructure (EBSI) has once again demonstrated its commitment to security and operational excellence by conducting a specific type of security audit, called a penetration test (commonly known as a pentest), of its APIs. This audit was performed in collaboration with Hacken, a leading blockchain security auditor. EBSI and Hacken had previously collaborated in 2023 on a Smart Contract audit that EBSI passed with flying colours!

What is a security audit?

A security audit is a comprehensive evaluation of a system or application to identify and address potential security risks. For EBSI, this means thoroughly assessing components such as the APIs, code or web applications, to ensure their robustness against unauthorised access, data breaches, and other vulnerabilities. A successful audit enables EBSI to reinforce its defenses and maintain the integrity of its services.

What are APIs?

An API is a set of rules and protocols that allows different software applications to communicate with each other. APIs are fundamental to EBSI’s operations as they enable secure exchanges of information between EBSI’s systems and external applications, including those of trusted issuers of verifiable credentials. By exposing specific functions to approved users, APIs facilitate access to services such as data verification, identity checks, and credential validation. However, because APIs serve as entry points into EBSI’s infrastructure, ensuring their security is essential to prevent unauthorised access or data exposure. You can find EBSI's APIs here.

Who is Hacken?

Hacken is a blockchain security auditor established in 2017 in Kyiv, Ukraine, with a vision for transforming Web3 into a safer place. With more than 5 years of experience, hundreds of blockchain partners, and thousands of secured crypto projects, Hacken protects businesses and crypto communities worldwide with one of the most competitive suites of professional cybersecurity services.

What did Hacken do during its pentest?

Hacken brought its extensive experience in blockchain security auditing and penetration testing, using a combination of automated and manual tools to identify vulnerabilities. The audit was conducted using both black box (simulating an external attacker without prior knowledge of the system) and grey box (where some internal knowledge is provided to the testers) approaches to ensure a comprehensive assessment of the system.

Their process involved:

  • Automated Scanning: Hacken employed advanced tools to check for common and emerging vulnerabilities in APIs and web applications.
  • Manual Review: This phase involved detailed manual penetration testing to discover more complex vulnerabilities that automated tools might overlook, particularly those related to logic and process flaws.
  • Threat Modeling: Hacken worked with the EBSI team to model potential attack vectors specific to EBSI’s operational environment.
  • Reporting and Feedback: After the pentest, Hacken provided detailed findings, recommendations for remediation, and worked closely with the EBSI security team to address the identified vulnerabilities.

Pentest Findings and Results

For security reasons, we are unable to disclose the specific vulnerabilities identified during the pentest. However, Hacken’s assessment highlighted EBSI’s commitment to maintaining a secure and resilient infrastructure. Overall, the results of the pentest found EBSI's APIs to be thoroughly secure.

Following the pentest, all identified areas were quickly secured by the EBSI team, with high-priority vulnerabilities receiving immediate attention. Measures were taken across the board to enhance security, and the recommendations provided by Hacken were promptly integrated to further reinforce the platform's defenses. You can read Hacken's case study on the pentest below:


Read the case study


Hacken's Director of Services, Luciano Ciattaglia, commented on the results, saying:


"Following a thorough penetration test of EBSI's web APIs, security issues were identified and effectively addressed. The EBSI team demonstrated exceptional responsiveness and dedication in mitigating these issues, ensuring the platform operates with enhanced security measures. Their proactive approach highlights their strong commitment to maintaining trust and operational excellence, ensuring the highest security standards in the industry."


EBSI continues to concentrate its efforts on enhancing the network in order to deliver and manage a reliable, safe, and trusted infrastructure.

Looking Ahead

As EBSI continues to expand the use of blockchain technology to provide trusted public services across the EU, maintaining secure APIs and web applications remains central to its mission. The successful completion of this pentest builds on the work done in the past and serves as a reminder of EBSI’s long-term focus on providing a secure, reliable, and trustworthy digital infrastructure for Europe.
