We utilized cloud-based testing suites and services, alongside human teams, that offer a variety of capabilities and options for one-time and ongoing scanning and testing. While fully bespoke and custom security audits are always a valuable service, they come at a very high cost in both money and time. Our approach for this holistic technical assessment was to use tools and techniques that are both within the realm of the available budget, and provided a more dynamic, ongoing approach for uncovering vulnerabilities. We recommend this approach for use not only in the assessment stage, but also as part of the ongoing monitoring in future eCRVS production deployments.
Open-Source Software (OSS) vulnerability scanning
We used free and open-source tools to check the source and Docker images for vulnerabilities. See the Resources section for more information on our tool recommendations.
Static application security testing (SAST) scanning
We used free and open-source tools to perform an automated analysis of the Typescript/Javascript codebase. See the Resources section for more information on our tool recommendations.
Dynamic Application Security Testing (DAST) is a type of security testing that focuses on the dynamic analysis of the application while it is running. DAST testing involves analyzing the behavior of the application during runtime to identify vulnerabilities that could be exploited by attackers. DAST tools typically simulate a user interacting with the application, sending various inputs to the system to see how it responds. DAST testing is particularly useful for identifying vulnerabilities related to input validation, authentication, and authorization.
DAST testing is focused on identifying vulnerabilities that can be discovered by analyzing the running application. DAST tools scan the application for vulnerabilities such as XSS, SQL injection, and CSRF attacks, and typically use a black-box approach where they have no knowledge of the application's internal workings. DAST tools can be used to identify a wide range of vulnerabilities, but they may miss some issues that can only be identified through manual testing or other specialized testing techniques.
\
\