/
Pen Test 2023 Results
  • Complete
  • Pen Test 2023 Results

    Whilst more were logged during the test, these were directly related to the test being performed on our development site. We have excluded these from this listing: -

    1. Security Misconfiguration – Stack Trace Observed - We can confirm that stack traces are disabled on all live/production environments. This is purely present as it is our dev environment.

    2. Security Misconfiguration - Laravel Debugging Enabled -this is purely related to the fact that it is a development environment and is already disabled on the Production environment.

    3. Security Misconfiguration - Stack Trace Available to Anonymous Users - To confirm this is only enabled on the development environment and is disabled on our production environments

    Issue

    A04:2021 – Insecure Design - Delete EPA/EPA Manager Request Susceptible to CSRF

    Priority

    Low

    EP Number

    https://covalenttech.atlassian.net/browse/EP-3868

    Resolution

    We have updated the EPA/EPAM user listing screens to use the new condensed menu that is being rolled out across epaPRO.

    Issue

    A06:2021 Vulnerable and Outdated Components

    Priority

    Low

    EP Number

    https://covalenttech.atlassian.net/browse/SD-7697

    Resolution

    Latest version of PHP was updated within the usual release cycle to the latest version, this was already scheduled to take place after the test was carried out.
    Momentjs is no longer actively developed and so an alternative would need to be developed.

    Issue

    A07:2021 – Identification and Authentication Failures - Account Enumeration Possible Via Login Page

    Priority

    Low

    EP Number

    https://covalenttech.atlassian.net/browse/EP-3867

    Resolution:

    The test noted that there was a difference in styling on the error messages (bold vs. normal text). These instances now return the same, consistently styled error message to the user.

    Issue

    Security Misconfiguration - Missing Sub resource Integrity For External Scripts

    Priority

    Raised For Reference only

    EP Number

    N/A

    Resolution:

    Declined - we cannot add an SRI check here to validate the content, as Google necessitate implicit trust of their content.

    Issue

    A02 - Cryptographic Failures – Weak Ciphers Within TLSv1.2 Supported

    Priority

    Low

    EP Number

    https://covalenttech.atlassian.net/browse/EP-4203

    Resolution:

    TBC