Insights Blog Qualitest Spearheads QA and Cyber Security Testing for European Health Service Provider’s COVID Certification Status App

Case Study

Qualitest Spearheads QA and Cyber Security Testing for European Health Service Provider’s COVID Certification Status App

The COVID status certification application has been rolled out and is in use by millions of users without concerns relating to security and safety of their data.

Overview
Challenges

Deliver a security tested COVID vaccination status application that meets the national security standard.

Derive extensive security functional and non-functional requirements for the app.

Solutions

Implemented SAST, DAST and SCA in the development pipeline as a regression pack.

The introduction into the lifecycle of the services production ensured code is tested as static and in use.

Results

Numerous vulnerabilities were discovered, assessed and mitigated before code was released to production.

Stakeholders were able to make a risk-based decision on how to mitigate findings. Enabled the application to be tested on every weekly release changes/feature within a set 48hour window.

Client overview

The Client is the national information and technology partner for a large European country’s health. Their systems and information help doctors, nurses and other healthcare professionals increase efficiency and make care safer.

The Client provides information and data to health services so that they can plan effectively and monitor progress, create and maintain the technological infrastructure that keeps the health services running and links systems together to provide seamless care, as well as develop information standards that improve the way different parts of the system communicate.

COVID status certification app requires reliable security testing

In the wake of COVID-19 vaccines in 2020, the need arose for vaccinated individuals to be easily identified and verified for purposes of travel and access to restaurants, events, etc.

The Client’s COVID health status validation application lets people share their coronavirus (COVID-19) vaccination records or test COVID-19 status in a secure way. It allows people to show others the details of their COVID-19 vaccine (or vaccines) when travelling abroad to some countries or territories.

Qualitest stepped in to provide QA and security assurance via security testing to the program.

The objective was to perform the tests ahead of every weekly release, shifting left application security while detecting vulnerabilities during the in-sprint testing of the app, and produce a report after an assessment to enable make a risk-based decision before releasing to production.

Qualitest worked with the Client to build a strong security testing approach that would accommodate testing within the pipeline and validate the new specifications and requirements before releasing to production.

The Client wanted to:

  • Understand the current state of security in their application.
  • Assess and derive extensive non-functional requirements across the application.
  • Suggest and implement toolsets for security testing for static and dynamic code.

Vaccinating a COVID status certification app against security issues

Qualitest implemented an iterative process model, with two clear, well-defined phases:

  • Phase 1 – Identifying flaws in the pipeline and Implementing SAST, DAST and SCA in the pipeline across each release window.
  • Phase 2 – Run scans and assess findings ahead of release.

Phase 1 – Implement SAST, DAST, SCA in Development Pipeline

In this phase, Qualitest security engineers did a gap analysis to identify areas in the development lifecycle that were missing security testing ahead of release.

Upon performing the gap analysis, the security team identified that no security testing was being carried out as part of the lifecycle, which introduced a great flaw to the entire lifecycle.

After the deep dive into several proof of concepts, Qualitest identified the right solution to run these security tests.  Building on the trust developed over months working on the COVID status app project, Qualitest recommended the use of the following tools:

  • Burp Suite
  • SonarQube
  • Dependency Check

Phase 2 – Run Scan, Assess Findings and Generate Report.

In this phase, Qualitest produced a test plan in line with the required security NFR’s for each weekly release and ensured testing was completed ahead of the weekly release.

We detected configuration differences between test and live environments, and recommended to fix them before testing. We configured test framework into the test environment and ran required tests. SAST was configured to run on DEV, while DAST was prepared to run in a test instance close to the live setup configuration.

Once testing was complete, results were analyzed by security experts and a report was generated. The final report was shared with the stakeholders to mitigate and highlight risks accordingly

All this was scheduled to happen before the final Go No Go call and was set to ensure decision makers were making decisions with security in mind.

Key benefits

Qualitest was able to meet all the Client’s stated goals and business requirements within the given time frame.

  • Qualitest helped setup a robust security testing framework within the test environments to validate security NFRs in a set time for each weekly release.
  • Qualitest helped identify critical security vulnerabilities that could have potentially been exploited by hackers. These vulnerabilities were immediately mitigated to avoid exploitation.
  • By swiftly identifying these vulnerabilities ahead of time, Qualitest helped prevent a financial cost that would have incurred should the vulnerabilities had been exploited. This cost would have been in the area of ~£1m due to the sensitivity of the data being collected.
  • Qualitest also created the safety net of not having to wait to the very end of development lifecycle for a pen test to take place, which would have been the only security involvement.

As a result, the COVID status certification application has been rolled out and is in use by millions of users without concerns relating to security and safety of their data.

 

quality engineering free assessment

download the pdf