Security Improvements for a Complex Health Care Application
About the Client
GraphixAsset is a UK-based software company that builds iPhone and Android apps, designs and builds web applications, and produces computer graphics, point-of-sale systems and motion graphics.
GraphixAsset developed the eMAR (electronic Medical Administration Record) system specifically for a national charity that provides services for people with learning disabilities throughout England. The application maintains MARs (Medical Administration Records) electronically. A web interface provides administrative functions, whilst end users access the system from an Android smartphone or tablet. GraphixAsset approached T&VS to perform the security testing.
The T&VS Technical Solution
The T&VS asureSECURE team tested the eMAR application's defences against unauthorised attack and identified vulnerabilities that could pose a security threat. T&VS provided recommendations and guidelines for remediating those threats, helping to protect the confidentiality and integrity of personal data.
The eMAR web application penetration test was carried out with reference to the OWASP ASVS (Application Security Verification Standard). The T&VS security experts created a customised security testing checklist for the eMAR web application. After running 600+ security test cases, the T&VS asureSECURE team produced a list of serious security issues and assisted the eMAR developers with the fixes.
The eMAR Android app penetration test was performed with reference to the OWASP Mobile Security standard. T&VS again created a customised checklist and performed an in-depth Android app security assessment across the following three attack vectors:
- Client side security assessment
- Server side security assessment
- Communication level security assessment
Key Benefits
- T&VS introduced an efficient methodology for security testing.
- The T&VS security assessment will improve business continuity.
- The fixes made will reduce the risk of black hat (malicious) attacks.
- The security assessment will help protect the data of clients, partners and third parties.