SustaiNet Manual Web Application Security Audit and Assessment
The client is one of Canada’s premier suppliers of software designed to manage public consultation and stakeholder engagement projects, as well as online community engagement initiatives and public policy discussions.
The client provides configurable ‘out-of-the-box’ solutions to a variety of organizations to manage stakeholder input, issues and concerns in many projects and initiatives across Canada.
Our client was looking for a QA partner to assess the security of a web-based solution they had implemented.
The client needed a QA team with extensive experience in information security standards and practices that could meet deliverables in a short timeframe. This team had to be knowledgeable about prevalent security threats and be able to practically rank the level of these threats.
The client also required a simple but comprehensive report describing the security threats and issues, so their development team could take further actions accordingly.
– Team had to quickly learn the new software.
– Vulnerabilities had to be identified.
– Methods of attack had to be identified.
- Learning the web application and arranging secure access for testing.
- Manual security testing.
- Reporting issues and creating an action plan.
- Verification that the issues have been fixed.
How Optimus Helped
The OptimusQA team first familiarized themselves with the client’s web application. We identified the most effective approaches for launching security attacks against the website in order to exercise the system’s security functions as thoroughly as possible.
Our team decided upon a manual rather than tool-based testing approach. This allowed us to test customized scenarios with deeper penetration than automated scanning would provide. We carried out testing through a secure web application.
After the initial stages of testing, our team created a report containing detailed descriptions of the issues found. Each issue was given an impact rating and a suggested action plan.
Our client addressed the initial issues the OptimusQA team uncovered. We followed up by verifying that the issues from our first round of testing had been fixed and completed the project with a final report.