Our Experiences with VAPT
White Paper on dMACQ DMS – VAPT Experiences
We recently deployed our Enterprise Document Management System (EDMS) software at a major blue chip customer in India. Since all employees of the customers from multiple locations needed access to our on-premise EDMS, our customer had an independent cybersecurity company perform a Vulnerability Analysis and Penetration Testing (VAPT) audit on our software. Our experiences, as the software developer, on a successful VAPT are documented in this white-paper. Briefly, the VAPT spanned six weeks, involved several hours of development and testing time, needed a full-time customer liaison, significantly improved our software security, helped us all increase our system security knowledge, and enabled us develop excellent relationships with our customer and their support staff.
dMACQ EDMS stores all physical records in an electronic repository that allows multiple users access the same or different documents at the same time from different geographical locations. Since it is browser-based, dMACQ EDMS can be accessed from any browser-compatible device, including smartphones, tablets, laptops, and workstations, over the intranet or the internet. Due to its web-based nature, dMACQ EDMS has stringent security controls, is regularly in-house VAPT-tested and certified by an independent company, and the development environment follows ISO 27001 security processes. However, when our customer VAPT-tested our EDMS we learned to appreciate that multiple viewpoints of software security can exist.
My software security is different from your software security
One of the basic assumptions we made during in-house VAPT testing was that our customers will look at software security through our eyes - wrong! Our customer needed integration with their Single Sign On (SSO) system, needed both intranet and internet access, and needed total security - even from their own employees. We made wrong assumptions on all these - we had assumed SSO system is always secure, either intranet or internet access will be used, and users are trustworthy.
Be ready for multiple rounds of VAPT testing
We had about ten rounds of VAPT testing on our EDMS - after each round we received the VAPT report and had to send an immediate fix to the customer for the next round of testing. While many fixes were minor, since regression testing was employed, we had to ensure that our fixes did not break any previous security features of the software. We had round-the-clock development and testing exclusively for fixing VAPT issues for our valued customer.
Modify security architecture, if necessary
The browser-server connection at some points in our architecture used GET requests that the VAPT team employed by our customer was easily able to hack albeit using sophisticated hacking tools. We had to sanity check all GET requests for any clickjacking, cross-site scripting, or parameter hijacking tests. At some point we had to convert GET requests to POST simply to improve our security posture - it was hard work but well worth it in the end.
Maintain excellent customer liaisonship
We had a full-time liaison for our customer. He not only visited the customer and the VAPT team regularly but also communicated with our developers directly from the testing environment to inform them about the current state of testing and any potential defects in software security before the actual reports were generated. Advance information helped our developers and testers begin their work as soon as problems were identified. The liaison also helped to quickly identify any security issues caused by the customer IT and not directly related to our software.
One of the most important lessons we learned during the VAPT process was that it need not occupy all our time. The engineering team took two days off for rest, recreation, and refresher on team building at an off-site location. We discussed how to handle VAPT issues and any software development issues in general, and how as a team we can overcome unexpected challenges. We had lots of food, fun, and frolic during this trip, and when we returned, we were able to tackle any pending VAPT defects with a lot more enthusiasm, positivity, and energy. We also got to learn a lot on the current trends in software and system security and we believe this exercise improved us as software professionals. We also developed excellent credentials with our customer, their IT and networking teams, and user groups during the process of VAPT.
We believe this successful VAPT experience has not only made our software more secure, more sellable, and improved the image of our company, but also made our sales people, software developers, and testers believe that our software is actually a sound contender in the marketplace. We will strongly recommend software companies to actually ask their customers to do a VAPT since it not only confirms the quality of software in their customers’ eyes but also improves the overall security architecture of the customers’ IT. In these times of cyberattacks that are becoming rather common as per media reports, the society’s cybersecurity is only as strong as its weakest link - therefore, it will be good for a software company to ensure that their software is not the weakest link in the chain.