Online Insurance Application, a leading player in the insurance services space.
What Online Insurance Application had in place in its application testing process when it first contacted us, and what it achieved after adopting our software testing services.
QA Team: 1 Security Tester
Project Length: Short-Term
Situation before the engagement:
- Functionally, the application was largely stable, with no critical or major bugs.
- There was no security tester on the project; as a result, no security or penetration testing was performed.
- Epics and user stories were incomplete.
- No test strategy, test plan, test cases, or checklists.
- Test documentation and Confluence pages for knowledge transfer were lacking.
- No labels or references for security testing in the test management and bug tracking systems.
- No labels or references for security testing on the scrum board.
- The application was riddled with major vulnerabilities such as SQL Injection, Security Misconfiguration, Broken Authentication & Access Controls, Sensitive Data Leaks, Hard-Coded Sensitive Credentials, Insecure CORS, CSRF (Cross-Site Request Forgery), XSS (Cross-Site Scripting), Insufficient Logging & Monitoring, XML External Entities, Session Hijacking, Insecure Communications, Source Disclosure, Path Traversal, File Inclusion, and Insecure Deserialization of Untrusted Data.
- Releases were made despite these major vulnerabilities.
Outcomes after the engagement:
- Structured and formalized the application security and penetration testing process.
- Worked with the Product Owner to create and update detailed user stories with clear acceptance criteria.
- Created an attack surface map of the entire application, detailing every URL, parameter, component, and IP address the application uses.
- Created a detailed, comprehensive, and well-structured test strategy, test plan, checklists, and Confluence pages, organized around the sections of the attack surface map.
- Conducted web and mobile application security assessments and penetration tests against all components and reported multiple critical vulnerabilities.
- Performed separate black-box penetration tests and simulated attacks on the application and identified vulnerabilities.
- Used automated scanning and manual testing methods to test the application against various classes of vulnerabilities.
- Used the latest OWASP vulnerability list to determine the types of attacks to test for.
- Updated the test management and bug tracking systems with appropriate security testing labels and references.
- Updated the scrum board with appropriate security testing labels and references.
- Educated the stakeholders about the risks and created a risk mitigation plan. The first cycle of the engagement identified all the vulnerabilities in the application; subsequent cycles leveraged the known vulnerabilities to penetrate further into the application architecture and establish their true impact.
- Collaborated closely with the dev team and stakeholders and provided detailed feedback and improvement suggestions.
- Created concise reports documenting the testing conducted and the vulnerabilities identified.
- Planned releases with rigorous vulnerability validation beforehand, along with release notes.
- Provided a comprehensive report summarizing the vulnerabilities discovered, detailed exploitation instructions, and suggested solutions to mitigate the identified threats and improve the application's security level.
- Participated in standups, sprint planning, sprint estimation, release planning, retrospective, and defect triage meetings.