Skinhub Attestation Letter
Skinhub.com Application Assessment Summary
Prepared for: Skinhub
Prepared by:
TABLE OF CONTENTS
III. SUMMARY
Stroz Friedberg LLC, an Aon company, is a specialized risk management firm built to help clients solve the complex challenges prevalent in today's digital, connected, and regulated business world. The firm's focus is on cybersecurity, with leading experts in digital forensics, incident response, and security science; investigation; eDiscovery; intellectual property; and due diligence.
Stroz Friedberg, LLC, an Aon Company ("Stroz Friedberg")[1] was engaged by Skinhub (skinhub.com) to conduct application security testing and source code analysis for the Skinhub (skinhub.com) application. The fieldwork was conducted from March 14 through March 27, 2018. The purpose of this verification was to certify the production data, codebase and audit logs, and to confirm that there had been no tampering with outcomes by Skinhub (skinhub.com). Additionally, the platform was tested for both common and sophisticated vulnerabilities using the standard Stroz Friedberg application testing methodology. The engagement was time-boxed to 10 days.
During the engagement, Stroz Friedberg did not identify any evidence of tampering by Skinhub (skinhub.com) employees that would lead to unfair outcomes for Skinhub (skinhub.com) users. Any specific details of security issues identified during the assessment, along with suggested steps to correct each issue, have been communicated directly to Skinhub (skinhub.com) personnel.
II. PROCESS
Stroz Friedberg uses a combination of automated tools and manual penetration testing to search for missing, broken, and improperly implemented application security controls. The verification targets both sophisticated and common vulnerabilities, including the OWASP Top Ten (http://www.owasp.org) and other flaws typical of similar applications. As part of the service, the assessment approach was reviewed with appropriate Skinhub (skinhub.com) personnel, and the scope, goals and objectives were confirmed by Skinhub (skinhub.com).
Artifacts provided by Skinhub (skinhub.com) were manually analyzed for any indication of tampering, including backdoor code, unauthorized modification of database entries, and unauthorized modification of code. Additionally, the codebase was analyzed to determine whether the randomness used by the application is sufficient to produce fair outcomes for all Skinhub (skinhub.com) users.
[1] Stroz Friedberg, LLC, an Aon Company and its subsidiary Gotham Digital Science, collectively referred to as "Stroz Friedberg," were actively engaged in efforts required by this matter.
III. SUMMARY
During the review of artifacts provided by Skinhub (skinhub.com), Stroz Friedberg did not identify any indication that Skinhub (skinhub.com) employees have tampered with back-end data or application code in order to produce unfair outcomes for users. Based on observations made by Stroz Friedberg at the time of this engagement, the outcomes of the Case Opening and Item Upgrades functionality appear to be fair and random according to the odds listed on the Skinhub website.
Eric Friedberg
Co-President, Stroz Friedberg
The following individuals from Stroz Friedberg conducted the Skinhub engagement.
EXPERIENCE
- Web and mobile application security assessments for clients in a wide range of industries including the financial, technology, and heavy industry / manufacturing sectors
- Internal, external and wireless network penetration tests for Fortune 500 clients including some of the largest companies in the oil, gas & energy industry
- Performed social engineering assessments including voice phishing, spear phishing, and physical security for Fortune 500 companies
- Conducted SCADA network segmentation assessments to identify potential attack paths to restricted process control networks
- Security testing for process control devices such as programmable logic controllers and remote terminal units
SKILLS
- Common network penetration testing and vulnerability analysis tools and techniques
- Application security assessments using industry standard tools such as Burp Suite and OWASP ZAP
- Experience with industry standards such as NERC-CIP
- Understanding of SCADA network components and designs as well as industrial control system protocols
- Common security issues in control system implementations for a wide range of industries
- Threat modeling specific to the utilities and oil, gas & energy industries
- Excellent written, public speaking, and presentation skills
Stroz Friedberg, an Aon company, is a specialized risk management firm built to help clients solve the complex challenges prevalent in today's digital, connected, and regulated business world. A global leader in the fields of cybersecurity, with leading experts in digital forensics, incident response, and security science; investigation; eDiscovery; and due diligence, Stroz Friedberg works to maximize the health of an organization, ensuring its longevity, protection, and resilience. Founded in 2000 and acquired by Aon in 2016, Stroz Friedberg has thirteen offices across nine U.S. cities, London, Zurich, Dubai, and Hong Kong. Stroz Friedberg serves Fortune 100 companies, 80% of the AmLaw 100, and the Top 20 UK law firms. Learn more at https://www.strozfriedberg.com/.
This document and/or its attachments may contain information that is confidential and/or protected by privilege from disclosure. If you have reason to
believe you are not the intended recipient, please immediately notify the sender by reply e-mail or by telephone, then destroy this document, as well as all
copies, including any printed copies. Thank you.