The Client is the national information and technology partner for a large European country’s health. Their systems and information help doctors, nurses and other healthcare professionals increase efficiency and make care safer.
The Client provides information and data to health services so that they can plan effectively and monitor progress, create and maintain the technological infrastructure that keeps the health services running and links systems together to provide seamless care, as well as develop information standards that improve the way different parts of the system communicate.
In the wake of COVID-19 vaccines in 2020, the need arose for vaccinated individuals to be easily identified and verified for purposes of travel and access to restaurants, events, etc.
The Client’s COVID health status validation application lets people share their coronavirus (COVID-19) vaccination records or test COVID-19 status in a secure way. It allows people to show others the details of their COVID-19 vaccine (or vaccines) when travelling abroad to some countries or territories.
Qualitest stepped in to provide QA and security assurance via security testing to the program.
The objective was to perform the tests ahead of every weekly release, shifting left application security while detecting vulnerabilities during the in-sprint testing of the app, and produce a report after an assessment to enable make a risk-based decision before releasing to production.
Qualitest worked with the Client to build a strong security testing approach that would accommodate testing within the pipeline and validate the new specifications and requirements before releasing to production.
The Client wanted to:
Qualitest implemented an iterative process model, with two clear, well-defined phases:
Phase 1 – Implement SAST, DAST, SCA in Development Pipeline
In this phase, Qualitest security engineers did a gap analysis to identify areas in the development lifecycle that were missing security testing ahead of release.
Upon performing the gap analysis, the security team identified that no security testing was being carried out as part of the lifecycle, which introduced a great flaw to the entire lifecycle.
After the deep dive into several proof of concepts, Qualitest identified the right solution to run these security tests. Building on the trust developed over months working on the COVID status app project, Qualitest recommended the use of the following tools:
Phase 2 – Run Scan, Assess Findings and Generate Report.
In this phase, Qualitest produced a test plan in line with the required security NFR’s for each weekly release and ensured testing was completed ahead of the weekly release.
We detected configuration differences between test and live environments, and recommended to fix them before testing. We configured test framework into the test environment and ran required tests. SAST was configured to run on DEV, while DAST was prepared to run in a test instance close to the live setup configuration.
Once testing was complete, results were analyzed by security experts and a report was generated. The final report was shared with the stakeholders to mitigate and highlight risks accordingly
All this was scheduled to happen before the final Go No Go call and was set to ensure decision makers were making decisions with security in mind.
Qualitest was able to meet all the Client’s stated goals and business requirements within the given time frame.
As a result, the COVID status certification application has been rolled out and is in use by millions of users without concerns relating to security and safety of their data.
