Background

In the healthcare sector, protecting sensitive patient information — from medical histories to personal details and billing info — is non-negotiable. If this data is compromised, the consequences can be severe, resulting in unauthorized access, potential identity theft, and multiple privacy concerns. Therefore, it’s imperative that healthcare software is built with top-notch security right from its initial design. This means consistent updates, thorough security checks, solid data encryption, strict control over who can access the data, and fail-proof methods to ensure the user’s identity.

Client

Easly is at the forefront of healthcare transformation in the Netherlands through its groundbreaking self-testing solutions. Beyond mere accessibility, Easly ensures simplicity in healthcare. The company provides home-based tests across a spectrum of health parameters, ranging from kidney function to thyroid hormones. ISO-certified laboratories and Easly’s expert medical team vet the results, ensuring clients receive clear, actionable insights. Easly’s intuitive app and personal dashboard mean that users can securely and conveniently access their health data anytime, prioritizing user empowerment and education.

Challenges

Easly needed to secure its sensitive data through penetration testing. But here’s the catch: it’s a complex and expensive task, especially when you’re talking about getting experienced pros or third-party firms on board. The expenses aren’t just about the test; if they find weak spots, fixing them adds to the bill. Plus, you’ve got to pull developers, system admins, and others away from their tasks, which means some projects might have to hit the pause button.

Solution

Having successfully collaborated with Easly on various projects in the past, they entrusted us with their crucial penetration testing process.
Recognizing the ever-evolving landscape of cybersecurity threats and the need for specialized expertise, we strategically partnered with UnderDefense, a renowned external security agency. This collaboration wasn’t just about plugging gaps; it was a visionary move to synergize our software development prowess with their specialized knowledge in penetration testing. Our strategic alignment with UnderDefense was initiated with a comprehensive understanding of our project needs and timelines.

In this collaborative spirit, UnderDefense carried out a white-box security assessment of the Symphony Solutions web application, guided by a duo of their top-tier, certified penetration testers. UnderDefense’s primary goal was to provide Symphony Solutions with an understanding of the current level of security in Easly’s web application and its infrastructure components. They completed the following objectives to accomplish this goal:

● Identifying application-based threats to and vulnerabilities in the application
● Comparing Easly’s current security measures with industry best practices
● Providing recommendations that Symphony Solutions can implement to mitigate Easly’s threats and vulnerabilities and meet industry best practices

In our assessment, we employed the Common Vulnerability Scoring System (CVSS) version 3.0 to determine the ratings of the vulnerabilities identified. Throughout this scoring procedure, we incorporated the CIA (confidentiality, integrity, availability) provision we had set forth. Following the comprehensive Web Application Penetration testing from April 27 to May 18, 2023, we identified several security issues:
● 3 critical severity issues
● 7 high severity issues
● 1 medium severity issue
● 8 low severity issues
● 3 informational severity issues

Security tools used

● Manual testing: Burp Suite Pro
● Vulnerability scan: Nessus, OpenVAS
● Code scan: CodeQL
● Exploitation: Metasploit
● Directory enumeration: gobuster, dirsearch
● Injection testing tools: XSSHunter, SQLmap
● Encryption: TestSSL

After UnderDefense delivered their initial penetration testing report for Easly, we thoroughly reviewed the findings. Based on these insights, we prioritized and added tasks to our project backlog to address the highlighted issues. Upon completing all the recommended fixes for Easly, we reached back out to UnderDefense, requesting that they conduct a retest to ensure all previously identified vulnerabilities were resolved.

During the Remediation Web Application Penetration testing phase from July 25, 2023, to July 31, 2023, it was evident that we at Symphony Solutions had successfully addressed all the issues highlighted during the initial penetration testing. Only 3 low and 1 informational issues remained, and these did not compromise the overall security integrity of the application. Security experts also performed manual security testing according to the OWASP Web Application Testing Methodology, which demonstrates the following results.

Result

Following the extensive testing process, UnderDefense provided Symphony Solutions with a letter of attestation. This document confirmed that our work on the Easly project not only met the standard requirements but surpassed the “Industry Best Practice” benchmarks. While there were a few minor areas to address, the overall assessment indicated our security posture was excellent.
● Patient Trust and Reputation
● Compliance and Legal Avoidance
● Risk Mitigation
● Reduced Operational Disruptions
● Efficient Incident Response
● Cost Savings
● Competitive Advantage
● Vendor and Partner Confidence
● Long-Term Sustainability
● Innovation and Research
● Data Sharing and Interoperability
● Minimized Public Relations Crisis

Having top-tier security in healthcare software projects is critical, and Symphony Solutions is proud to have played a pivotal role in assisting Easly in achieving this standard. This security alignment is in line with the industry’s dedication to patient welfare, data protection, and adherence to regulations. By fortifying this strong security foundation, we’ve helped pave the way for Easly’s steady growth, fostered innovation, and enhanced their reputation, ultimately serving both the business’s and patients’ best interests.