Identify the vulnerability points of an inter-library management system that processes thousands of records and search queries every day. Guarantee continuity of service, without interruptions. Bring the system into compliance with the new GDPR regulation.
In addition to the issues already known before the intervention, further critical issues emerged during the testing phase. The main risk in proceeding immediately to correct the errors was clear from the outset: an interruption of the service or a possible loss of data.
In order not to interrupt the service and, at the same time, to run a series of simulated cyber attacks against the system, all tests were conducted in an ad-hoc environment in which the entire database was cloned. Because the clone holds the same data as production, any personal data it contains is subject to the same GDPR obligations: it needs the same access controls as the live system and should be deleted or pseudonymised once testing ends. The data collected allowed us to highlight the weaknesses in the code and the most frequent vulnerabilities to which the software was exposed: SQL injection and cross-site scripting (XSS). The individual errors were then corrected manually, remediating a system that remained operational for the entire duration of the work. The effectiveness of the work was then further validated with other tooling, including OWASP, Pentest-tool, McAfee and Metasploit.
The creation of a test environment made it possible to perform analyses in real time, intervening specifically on functions that were only active in the production environment.
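The two vulnerability classes named above, SQL injection and cross-site scripting, are illustrated here with an added example that is not code from the assessed system or from the original page. It assumes a minimal catalogue search over a constructed in-memory SQLite table (the real system's schema, stack and query code are not described on the page) and shows the string-concatenated query and unescaped HTML beside their corrected forms.

```python
import html
import sqlite3

# Constructed sample catalogue for the example; not data from the assessed system.
SAMPLE_BOOKS = [
    ("Applied Cryptography", "Schneier", 0),
    ("The Web Application Hacker's Handbook", "Stuttard", 0),
    ("Restricted internal catalogue", "Library staff", 1),  # must never be listed
]

# Hypothetical injection payload used to test the search function.
INJECTION_TERM = "' OR 1=1 --"
# Hypothetical XSS payload reflected back in the results page.
XSS_TERM = "<script>alert(1)</script>"


def make_db():
    """Build the in-memory catalogue the two search functions query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE books (title TEXT, author TEXT, restricted INTEGER)")
    conn.executemany("INSERT INTO books VALUES (?, ?, ?)", SAMPLE_BOOKS)
    conn.commit()
    return conn


def search_vulnerable(conn, term):
    """Vulnerable: the search term is spliced into the SQL text, so a quote in
    the input ends the string literal and the rest is parsed as SQL."""
    sql = ("SELECT title, author FROM books "
           "WHERE restricted = 0 AND title LIKE '%" + term + "%'")
    return conn.execute(sql).fetchall()


def search_safe(conn, term):
    """Fixed: the term is bound as a parameter. The driver sends it as a value,
    never as SQL, so the restricted = 0 filter cannot be bypassed."""
    sql = "SELECT title, author FROM books WHERE restricted = 0 AND title LIKE ?"
    return conn.execute(sql, ("%" + term + "%",)).fetchall()


def render_vulnerable(term, rows):
    """Vulnerable: the search term and result fields are written into HTML as-is,
    so markup in either is interpreted by the browser (reflected/stored XSS)."""
    items = "".join(f"<li>{t} ({a})</li>" for t, a in rows)
    return f"<p>Results for {term}</p><ul>{items}</ul>"


def render_safe(term, rows):
    """Fixed: every untrusted value is HTML-escaped before it reaches the page."""
    items = "".join(f"<li>{html.escape(t)} ({html.escape(a)})</li>" for t, a in rows)
    return f"<p>Results for {html.escape(term)}</p><ul>{items}</ul>"


def run_checks():
    """Run both payloads against both versions and return what a tester would record."""
    conn = make_db()
    return {
        "injection_rows_vulnerable": len(search_vulnerable(conn, INJECTION_TERM)),
        "injection_rows_safe": len(search_safe(conn, INJECTION_TERM)),
        "normal_rows_safe": search_safe(conn, "Crypto"),
        "xss_reflected_vulnerable": "<script>" in render_vulnerable(XSS_TERM, []),
        "xss_reflected_safe": "<script>" in render_safe(XSS_TERM, []),
    }


if __name__ == "__main__":
    for name, value in run_checks().items():
        print(f"{name}: {value}")
```

With the payload `' OR 1=1 --` the concatenated query becomes `... title LIKE '%' OR 1=1 --%'`, which returns every row including the restricted one; the parameterised query treats the same input as a literal title fragment and returns nothing. The same pattern applies to the XSS fix: escaping belongs at the point where data is written into HTML, not at input time, so that stored titles and reflected search terms are both covered.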