Triad builds a secure system for the Department for Transport
In this case study, we explain how we conducted comprehensive web security testing on a new operating system that we built for the Department for Transport (DfT). We used four separate web security tools to evaluate the application for weaknesses, technical flaws and vulnerabilities, with the aim of preventing malware, data breaches and other cyberattacks that could lead it to leak information, crash or behave unexpectedly.
Running several tools side by side let us identify false positives and produce customised reporting for the client. The work was accepted into service by the DfT after passing stringent assessment and penetration testing by the DfT’s third-party testers.
About the client
The Department for Transport (DfT) works with its agencies and partners to support the transport network that helps the UK’s businesses and gets people and goods travelling around the country. They plan and invest in transport infrastructure to keep the UK on the move. The DfT commissioned Triad to build a digital service for them, the details of which we are unable to disclose publicly.
The challenge
Triad built a digital system for the Department for Transport (DfT) to support net zero legislation targeted at the decarbonisation of road transport. The service was built to Government Digital Service standards.
We used multiple approaches to test this system, including manual testing, UI automation testing (using a BDD framework with Selenium and SpecFlow) and API automation (using RestSharp and BDD). An accessibility audit was conducted alongside the automated and manual testing, using the axe dev tool and a WCAG colour contrast checker.
We had built a system for the DfT that we believed would be secure, but we needed to be certain that it couldn’t be compromised and, equally importantly, we wanted to identify where any vulnerabilities lay.
The solution
Web application security testing is the process of evaluating a web application for weaknesses, technical flaws and vulnerabilities, with the aim of preventing malware, data breaches and other cyberattacks that could lead the application to leak information, crash or behave unexpectedly.
We performed the following web application security tests on the system:
Risk Assessment
To understand the security risks facing the system, prioritise them, and assign appropriate mitigation measures and controls.
Security Review
We undertook a structured gap analysis to assess the security of the physical configurations, operating system, information handling processes and user practices. We also assessed the compliance with regulatory standards and frameworks.
Ethical hacking
To assess how the system behaves when it is attacked.
Penetration Testing
Simulating a real-world cyberattack against the system under controlled, secure conditions.
Vulnerability Scanning
To identify known weaknesses and vulnerability signatures, and to assess the baseline security risk.
Posture Assessment
To assess the overall security position using a combination of security scanning, ethical hacking, and risk assessment.
Security Scanning
To identify vulnerabilities and misconfigurations in the system.
The result
We tested the system using four separate web security tools: ZAP (OWASP Zed Attack Proxy), Burp Suite, Vega and Wapiti, identifying the strengths and weaknesses of each, whilst ensuring that the system we had built was fully secure.
This comprehensive approach enabled us to identify false positives, whilst creating customised reporting that we could take back to the client. All vulnerabilities were assessed and addressed.
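The value of running several scanners against the same application is that findings reported independently by two or more tools are far less likely to be false positives, while single-tool findings are the ones worth a manual check before they reach the client report. The script below is an added illustration of that triage step and is not Triad’s tooling or any of the four scanners’ own code: the findings are constructed sample data already reduced to a common shape (the per-tool loaders that would parse real ZAP, Burp Suite, Vega or Wapiti exports are assumed and not shown), and the canonical class names, the host `svc.example` and the corroboration threshold are choices made for the example.

```python
"""Consolidate findings from several web scanners into one triage report.

Constructed example: the findings below are hand-made stand-ins for real
ZAP / Burp Suite / Vega / Wapiti exports, not the tools' actual report
formats. The loaders that would turn real exports into these dicts are
assumed; only the cross-tool matching and triage logic is shown.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample findings (tool -> list of findings in a common shape).
RAW_FINDINGS = {
    "zap": [
        {"name": "Cross Site Scripting (Reflected)", "url": "https://svc.example/search?q=1", "param": "q", "risk": "High"},
        {"name": "X-Content-Type-Options Header Missing", "url": "https://svc.example/", "param": "", "risk": "Low"},
        {"name": "SQL Injection", "url": "https://svc.example/vehicle?id=5", "param": "id", "risk": "High"},
    ],
    "burp": [
        {"name": "Cross-site scripting (reflected)", "url": "https://svc.example/search?q=abc", "param": "q", "risk": "High"},
        {"name": "SQL injection", "url": "https://svc.example/vehicle?id=7", "param": "id", "risk": "High"},
    ],
    "vega": [
        {"name": "Cross Site Scripting", "url": "https://svc.example/search?q=x", "param": "q", "risk": "High"},
    ],
    "wapiti": [
        {"name": "Cross Site Scripting", "url": "https://svc.example/search?q=1", "param": "q", "risk": "High"},
        {"name": "Open Redirect", "url": "https://svc.example/login?next=/", "param": "next", "risk": "Medium"},
    ],
}

# Each tool names the same weakness differently; map them onto one class
# (assumed mapping for this example, matched on the start of the name).
CANONICAL = {
    "cross site scripting": "xss",
    "cross-site scripting": "xss",
    "sql injection": "sqli",
    "open redirect": "open-redirect",
    "x-content-type-options": "missing-security-header",
}
SEVERITY_RANK = {"High": 3, "Medium": 2, "Low": 1, "Informational": 0}


def canonical_class(name):
    key = name.lower()
    for prefix, cls in CANONICAL.items():
        if key.startswith(prefix):
            return cls
    return key  # unknown class: keep the tool's name so nothing is silently dropped


@dataclass
class Finding:
    vuln_class: str
    path: str
    param: str
    severity: str
    tools: set


def normalise(raw):
    """Reduce a raw finding to the (class, path, parameter) key used for matching.

    The query string is deliberately ignored: the same injection point is
    usually reported with different payload values by each tool.
    """
    return (canonical_class(raw["name"]), urlsplit(raw["url"]).path, raw["param"])


def consolidate(raw_by_tool, corroboration_threshold=2):
    """Merge findings across tools; return (corroborated, needs_review) lists.

    A finding reported by >= corroboration_threshold tools is treated as a
    likely true positive; a single-tool finding is queued for manual checks.
    Both lists are ordered by severity, then class, then path.
    """
    merged = {}
    for tool, findings in raw_by_tool.items():
        for raw in findings:
            key = normalise(raw)
            if key not in merged:
                merged[key] = Finding(*key, raw["risk"], set())
            f = merged[key]
            f.tools.add(tool)
            # keep the highest severity any tool assigned to this finding
            if SEVERITY_RANK[raw["risk"]] > SEVERITY_RANK[f.severity]:
                f.severity = raw["risk"]
    ordered = sorted(merged.values(), key=lambda f: (-SEVERITY_RANK[f.severity], f.vuln_class, f.path))
    corroborated = [f for f in ordered if len(f.tools) >= corroboration_threshold]
    needs_review = [f for f in ordered if len(f.tools) < corroboration_threshold]
    return corroborated, needs_review


def report(raw_by_tool):
    """Render the two triage buckets as plain text for the client report."""
    corroborated, needs_review = consolidate(raw_by_tool)
    fmt = lambda f: f"  [{f.severity}] {f.vuln_class} {f.path} param={f.param!r} tools={sorted(f.tools)}"
    lines = ["Corroborated by two or more tools (fix first):"]
    lines += [fmt(f) for f in corroborated]
    lines.append("Reported by one tool only (verify manually before reporting):")
    lines += [fmt(f) for f in needs_review]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(RAW_FINDINGS))
```

On the constructed data the reflected XSS on `/search` is reported by all four tools and the SQL injection on `/vehicle` by two, so both land in the corroborated bucket; the open redirect and the missing header are each seen by one tool and go to the manual-verification bucket. Matching on path and parameter rather than the full URL is what lets the four differently phrased XSS reports collapse into one finding.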
Our work was successfully accepted into service by the DfT having passed stringent assessment and penetration testing by the DfT’s 3rd party testers.