Pen Test 2022 Results

Issue

A05 Security Misconfiguration – ReadMe File May Identify Site Software

Priority

Low

EP Number

https://covalenttech.atlassian.net/browse/EP-3246

Resolution:

We have raised a request with our Hosting Partner to remove access to, or delete, the readme file.

Issue

A05 Security Misconfiguration – Missing Recommended Security Header

Priority

Low

EP Number

https://covalenttech.atlassian.net/browse/EP-3247

Resolution:

Awaiting further clarification from Pen Testers.

Issue

A05 Security Misconfiguration - Missing Subresource Integrity (SRI) for External Script

Priority

Low

EP Number

https://covalenttech.atlassian.net/browse/EP-3248

Resolution:

We have updated external front-end dependencies to include a generated integrity hash; this allows the browser to verify that the contents have not been manipulated in transit.

Issue

A05 Security Misconfiguration - Source Map Disclosure

Priority

Low

EP Number

https://covalenttech.atlassian.net/browse/EP-3249

Resolution:

We have removed the .map files generated by our front-end build process.

Issue

A05 Security Misconfiguration - Swagger API Structure Exposed

Priority

Low

EP Number

https://covalenttech.atlassian.net/browse/EP-3250

Resolution:

Adjusted our api_docs endpoint to only be accessible when the application is running in test mode.

Issue

Reopened - Using Components with Known Vulnerabilities - Out-of-Date Components Identified

Priority

Medium

EP Number

https://covalenttech.atlassian.net/browse/EP-3253

Resolution:

On the previous Pen Test we had removed all jQuery 2.1.1 from the application; we have now also removed the jQuery 2.1.1 files.

Issue

Reopened - Security Misconfiguration – Potentially Dangerous File Type Upload Allowed

This issue has been partially resolved.

The potentially harmful Python file extensions reported in this issue are no longer accepted by the uploader. However, other potentially dangerous file types such as PHP, EXE, and ZIP are still allowed.

Priority

Medium

EP Number

https://covalenttech.atlassian.net/browse/EP-3252

Resolution:

Work is scheduled for next sprint.