Versions Compared

Version Old Version 8 New Version Current
Changes made by

Lisa Clancy

Lisa Clancy

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Issue

...

A05 Security Misconfiguration - Swagger API Structure Exposed

...

Priority

...

Status
colourBlue
titleLow

...

EP Number

...

SD-7693

...

Resolution

...

Whilst more were logged during the test, these were directly related to the test being performed on our development site. We have excluded these from this listing: -

  1. Security Misconfiguration – Stack Trace Observed - We can confirm that stack traces are disabled on all live/production environments. This is purely present as it is our dev environment.

  2. Security Misconfiguration - Laravel Debugging Enabled -this is purely related to the fact that it is a development environment and is already disabled on the Production environment.

  3. Security Misconfiguration - Stack Trace Available to Anonymous Users - To confirm this is only enabled on the development environment and is disabled on our production environments

Issue

A04:2021 – Insecure Design - Delete EPA/EPA Manager Request Susceptible to CSRF

Priority

Status
colourBlue
titleLow

EP Number

SD-7694

Jira Legacy

Resolution

server

Issue

A07:2021 – Identification and Authentication Failures Account Enumeration Possible Via Login Page

Priority

Status
colourBlue
titleLow

EP Number

SD-7695

Resolution:

Amend the warning text when entering an incorrect username/password from bold to normal

Issue

Security Misconfiguration - Missing Sub resource Integrity For External Scripts

Priority

Status
colourPurple
titleRaise For Reference

EP Number

SD-7696

Resolution:

Issue

A06:2021 – Vulnerable and Outdated Components -Vulnerable and Outdated Components (possibly dev only)

System Jira
serverIda2269739-3244-3b4d-bb8f-c582148d7bba
keyEP-3868

Resolution

We have updated the EPA/EPAM user listing screens to use the new condensed menu that is being rolled out across epaPRO.

Issue

A06:2021 Vulnerable and Outdated Components

Priority

Status
colourBlue
titleLow

EP Number

Jira Legacy
serverSystem Jira
serverIda2269739-3244-3b4d-bb8f-c582148d7bba
keySD-7697

Resolution

:

Issue

A05 Security Misconfiguration – Stack Trace Observed (dev site only)

Latest version of PHP was updated within the usual release cycle to the latest version, this was already scheduled to take place after the test was carried out.
Momentjs is no longer actively developed and so an alternative would need to be developed.

Issue

A07:2021 – Identification and Authentication Failures - Account Enumeration Possible Via Login Page

Priority

Status
colourBlue
titleLow

EP Number

SD-7699

Resolution:

This only relates to the dev site

Issue

A05 Security Misconfiguration - Laravel Debugging Enabled (dev site only)

Priority

Status
colourBlue
titleLow

EP Number

SD-7702

Resolution:

This only relates to the dev site

Issue

A05 - Security Misconfiguration - Stack Trace Available to Anonymous Users (dev site only)

Jira Legacy
serverSystem Jira
serverIda2269739-3244-3b4d-bb8f-c582148d7bba
keyEP-3867

Resolution:

The test noted that there was a difference in styling on the error messages (bold vs. normal text). These instances now return the same, consistently styled error message to the user.

Issue

Security Misconfiguration - Missing Sub resource Integrity For External Scripts

Priority

Status
colour

Blue

Purple
title

Low

Raised For Reference only

EP Number

SD-7703

N/A

Resolution:

This only relates to the dev site

Declined - we cannot add an SRI check here to validate the content, as Google necessitate implicit trust of their content.

Issue

A02 - Cryptographic Failures – Weak Ciphers Within TLSv1.2 Supported

Priority

Status
colourBlue
titleLow

EP Number

SD-7704

Jira Legacy
serverSystem Jira
serverIda2269739-3244-3b4d-bb8f-c582148d7bba
keyEP-4203

Resolution:

TBC