About the Client:
Our client is a San Francisco based digital healthcare startup. The client empowers rare and neglected disease communities to start or expand their own research. Their platform brings together the power of smartphones, connected health devices, EMR data and user-generated data to serve social networks interested in advancing research into rare and neglected diseases.
Being a healthcare company, the client was looking for web application security testing. A huge amount of customer data, along with customer social networking details and credit card data, was being generated and stored. As the application was customer facing, it was absolutely important to check every possibility of breaking the application.
DevOpsTech started with four stages of the penetration testing.
- Information gathering:
We first verified, by querying the ICANN Whois database, that the supplied IP address range was actually assigned. The DNS servers were then queried for further information such as registration details and mail servers.
We initially started with manual testing and later performed automated scanning.
- Identifying vulnerabilities and exploiting them:
Automated scans can reveal vulnerabilities, but a manual check usually reveals more. We found cross-site scripting, cross-site request forgery and open redirections (DOM based).
- Producing a detailed report of issues and recommendations:
The issues listed above, and other issues not mentioned here, were compiled into the final report together with the scanning date. The number of issues identified at each risk level (critical, high, medium, low and informational) was presented, with recommendations given for the resolution of each.
- The customer got the most value out of the report and a good understanding of the issues.