×
TestArmy ebook QA trends 2019

Be sure to download our new report and follow the latest trends in QA, Cybersec, IoT, DevOps and more!

DOWNLOAD

Case Study

National Information Processing - Security testing

About the client

National Information Processing is a state-owned institution that gathers and shares complex data concerning national education. IT also provides with IT systems that support the development of science and higher education in Poland.

Client’s need:

A public institution cannot allow any security breaches, so every system we’ve audited had to be thoroughly verified for flaws and misconfigurations. Those systems cooperate, store important information about Polish science and personal data. As they operate in an environment vulnerable to malicious attacks, they had to undergo acceptance tests.

Scope of the project:

We were contracted to run a security audit for 5 systems developed by NIP:

  • Navoica – free e-learning and online courses platform
  • POL-on – integrated information system containing data related to science and higher education
  • ORPPD – a database of defended thesis
  • Polish Science Bibliography – a catalogue of Polish researchers
  • Integrated Science Service System – Financial Stream Servicing – a system designed to register and service science funding requests, that composes of 8 modules

The process

Team

5 cybersecurity specialists working from TestArmy Group SA headquarters and partially in client’s office

Project length

23 weeks – finished on 24.05.2019

Value

184 500 PLN

Stage 1

For every system, we conducted penetration tests in which our specialists performed a simulation of breaking into systems in a black box method (without knowledge of source code and systems’ configuration) and identified security system’s weak spots.

We used automatic and manual methods or running the audit to check systems for vulnerabilities, such as:

  • SQL Injection
  • XML Injection
  • XSS (Cross Site Scripting)
  • CSRF (Cross Site Request Forgery)
  • Code Execution
  • Insecure Communications
  • Source Disclosure
  • Path Traversal
  • DoS (Denial of Service)
  • File Inclusion
  • Web server’s SSL mechanism security
  • Broken Authentication and Session Management
  • Authorization Bypass
  • Information Leakage
  • Deserialization of untrusted data

We’ve also analyzed authentication methods and performed external devices analysis. We used OWASP Vulnerabilities List to specify the type of attacks.

Stage 2

We performed a thorough white-box analysis of the systems. We focused on technologies used, possible vulnerabilities and worked on finding newer, safer electronic solutions.

We analysed:

  • systems’ and network documentation
  • the technical area of systems and their informatic environment
  • correctness and comprehensiveness of security infrastructure set
  • effectiveness of security solutions
  • IT systems for threats such as network attacks, data transmission hazard, application threats, communication threats, technical malfunctions, cryptographic threats and human errors

 

We analyzed source code and technologies used in each system, such as:

Javascript | MongoDB | Python | Open Edx | Apache Kafka | Java | Spring
KeyCloak Java | Spring Security | LDAP | MySQL | Angular | TypeScript
Lucene | ElasticSearch | Oracle | Oracle Business Intelligence EE
Oracle Data Integrator | Hadoop | Spring Boot | Apache CXF | Java 8
Struts 1.3 + JSP | JSF2/EJB/CDI + PrimeFaces | WildFly 10 | Oracle 12c

 

In the last stage of the audit, we performed control tests to check the installation and configuration correctness for the relevant IT systems.

The control consisted of:

  • Network layer audit
  • Operational systems layer audit (servers, matrices, libraries)
  • Database layer audit
  • Penetration tests performed inside the client’s office, to identify the possibility of successfully breaching the security systems from NIP’s HQ.

Results

We’ve tested

  • Almost 3 thousands unique subpages/forms
  • Over 5 million lines of source code
  • Over 160 types of users with different privileges

Security audit outcomes

  • We’ve gathered information about existing vulnerabilities and weaknesses in the security area of IT systems, network and IT environment we audited
  • We performed a reliable assessment of IT systems data security
  • Provided the client with a complex summary report wit suggestion of solutions to raise the systems’ security level. It serves as the basis for their development.

Security testing

Security Audit of 5 systems developed by National Information Processing. The tests were conducted in black-box and white-box method with a thorough security assessment.

Automation

Test automation and performance testing of a British service for managing client's complaints and facilitating client-business communication.

TestArmy YachtLife Logo

QA

Functional testing of an app for a luxury yacht charter. Due to the high profile of users, the highest quality of the product must've been guaranteed.

Philips-logo

QA

Functional and UX testing of innovative Philips Sonicare toothbrush and a dedicated mobile app used for measuring progress in taking care of user's oral hygiene.

Testing – case study neducatio

Fuctional

Testing of a SaaS educational app that uses cloud solutions. TestArmy specialists were supporting the client in functional testing and automation.

logo yves

E-commerce, UX, Functional

Functional testing and usability testing of the Yves Rocher e-commerce website aimed at improving the user's experience and increasing the site's user-friendliness.

TestArmy figo

Crowdtesting

Crowdtesting with testers from different countries, that used their own bank accounts to support us in testing a new mobile payment app.

Do you need a free quote?

Write to us about your product
and we will take care of the rest.

QUOTE A PROJECT

Do you have additional questions?

SEND MESSAGE