
Web Security Methodology for the Canary Islands Government

Edosoft Factory introduced a Security Testing Methodology for Web Applications deployed on the premises of the Canary Islands' government institution, the Gobierno de Canarias.

The infrastructure provided by the Government of the Canary Islands hosts multiple Web applications that offer all types of services for citizens and public employees. These applications are used as part of daily operations and in most cases allow users to interact with the organization to manage large amounts of sensitive data, including monetary transactions.

Because of their distributed nature, Web applications and services are subject to a number of common vulnerabilities, most of them documented on the Internet with detailed explanations of how to exploit them. Many of these vulnerabilities are independent of the platform or technology used to develop the application; rather, the way an application is coded determines how vulnerable it is.

During the development of an application, the team is primarily concerned with making the implementation functionally correct and overlooks the importance of security, most often through lack of awareness and lack of time during the development phase due to tight deadlines. If applications are not programmed according to strict security requirements and do not undergo vulnerability testing to verify their security, they can become a gateway for a malicious agent (ex-employees, hackers, crackers, staff from other agencies, etc.), who could gain access to confidential information, steal private data such as user names, passwords and credit card numbers, and even carry out denial of service or the destruction or modification of information. Attacks of this kind are very harmful to the organization, both in the operational area and in the legal field.


Taking into account the points in the preceding paragraph, Edosoft Factory introduced a Security Testing Methodology, which consisted of defining the following documents:

  • A document of mandatory and optional requirements to be met by the companies responsible for developing the software.

  • Documentation of the test methodology to apply to these applications in order to check their security and their compliance with the security requirements in the previous document. This methodology is based on OWASP.

  • Documentation of the tools used to carry out the tests specified in the methodology.

Finally, we conducted a one-week training course for the people who would then be responsible for performing vulnerability testing on applications, in order to teach them the basics needed to implement this methodology.
