Pen Test 2024 Results

    Status: Complete

    We are independently penetration tested annually. The test is carried out against our internal development site, which ensures that no real live data is affected.

    Issue Summary

    Below is a table showing the summary of the web application security in terms of severity and OWASP category.

    OWASP Top 10 Issue Category Summary (OWASP Website)

    Category                                            Total
    A1: Broken Access Control                           1
    A2: Cryptographic Failures                          1
    A3: Injection                                       0
    A4: Insecure Design                                 2
    A5: Security Misconfiguration                       0
    A6: Vulnerable and Outdated Components              1
    A7: Identification and Authentication Failures      0
    A8: Software and Data Integrity Failures            0
    A9: Security Logging and Monitoring Failures        0
    A10: Server-Side Request Forgery                    0


    Issue: A01: Broken Access Control – Support Material Links Enumerable & Accessible by All Authenticated User Types

    Priority: Low

    EP Number: https://covalenttech.atlassian.net/browse/EP-4448

    Resolution:

    Once this is released we will have improved the access control restrictions around support material file uploads and contracts. Links to support material uploads will now re-check the support material configuration to ensure the user has access before returning the file for download.

    Contracts will also have been improved to ensure any terms file downloads are checked before returning the file for download.
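    The pattern described in this resolution, shown as an illustrative Laravel-style example that is not epaPRO's own code: the download endpoint re-checks authorisation on every request rather than relying on the link being hard to find. The SupportMaterial model, the policy and its attribute names are assumptions.

```php
<?php
// Illustrative Laravel-style download endpoint (not epaPRO's code): access is
// decided by a policy on every request, so possessing or enumerating a link is
// not enough to fetch material the user's configuration does not grant.

namespace App\Http\Controllers;

use App\Models\SupportMaterial;   // hypothetical model
use App\Models\User;              // hypothetical model
use Illuminate\Support\Facades\Storage;
use Symfony\Component\HttpFoundation\StreamedResponse;

class SupportMaterialDownloadController extends Controller
{
    public function download(SupportMaterial $material): StreamedResponse
    {
        // Policy check runs at download time, not only when the link was
        // rendered. Throws AuthorizationException (HTTP 403) on failure.
        $this->authorize('download', $material);

        // The storage path comes from the database record, never from the
        // request, so the identifier in the URL cannot become a traversal.
        abort_unless(Storage::disk('private')->exists($material->path), 404);

        return Storage::disk('private')->download($material->path, $material->original_name);
    }
}

// Hypothetical policy (normally its own file): access depends on the support
// material configuration, not on the user merely being authenticated.
class SupportMaterialPolicy
{
    public function download(User $user, SupportMaterial $material): bool
    {
        return $material->organisation_id === $user->organisation_id
            && in_array($user->user_type, $material->published_to_user_types, true);
    }
}
```

    Sequential identifiers remain enumerable after this change; the point is that enumeration no longer yields access because the policy, not link secrecy, is the control.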

    Issue: A04: Insecure Design – Any User Can Disable Other Users' MFA

    Priority: High

    EP Number: https://covalenttech.atlassian.net/browse/EP-4447

    Resolution:

    We are in the process of fixing this security issue, raised in our recent pen test, around setting up and deactivating MFA. This is currently being tested.

    Issue: A04: Insecure Design – Any User Can Add MFA to Another User's Account

    Priority: High

    EP Number: https://covalenttech.atlassian.net/browse/EP-4447

    Resolution:

    We are in the process of fixing this security issue, raised in our recent pen test, around setting up and deactivating MFA. This is currently being tested.

    Issue: A06: Vulnerable and Outdated Components – Laravel Version is No Longer Supported

    Priority: Low

    EP Number: https://covalenttech.atlassian.net/browse/EP-4394

    Resolution:

    We had already planned this upgrade into our sprint prior to the pen test, and it is currently being checked internally.

    It required an upgrade of the main Laravel framework we use to build epaPRO. This upgrade will impact all of epaPRO but should not change any functionality.

    Issue: A02: Cryptographic Failures – Weak Ciphers Within TLSv1.2 Supported

    Priority: Low

    EP Number: https://covalenttech.atlassian.net/browse/EP-4203

    Resolution:

    TBC