Dmacq’s DMS solution transformed the way we manage and access documents. We’ve saved countless hours and significantly improved data security.
In the age of digital transformation, robust cybersecurity is more important than ever, especially for software solutions that handle sensitive information. We recently had the opportunity to deploy our Enterprise Document Management System (EDMS) at a major blue-chip customer in India. Given the need for secure access across multiple locations, our customer decided to commission a thorough Vulnerability Analysis and Penetration Testing (VAPT) audit of our software, performed by an independent cybersecurity firm.
In this blog post, we’ll share our experiences as software developers during this successful VAPT process and the valuable lessons we learned along the way.
Vulnerability Analysis and Penetration Testing (VAPT) is a systematic approach to identifying and addressing security weaknesses in software systems. This process typically involves:
Vulnerability Analysis: Scanning for weaknesses in the software that could be exploited.
Penetration Testing: Actively attempting to exploit those weaknesses to see if unauthorized access or other malicious activities can occur.
By conducting a VAPT audit, companies can significantly improve their software security posture, protect sensitive data and gain trust from their customers.
Our VAPT spanned six weeks and involved several hours of development and testing time. It required a dedicated full-time customer liaison to facilitate communication between our development team and the VAPT team. Here’s what we learned throughout the process:
One of the biggest takeaways was the realization that software security is not a one-size-fits-all solution. Initially, we assumed our customers would evaluate security from our perspective. However, the customer required integration with their Single Sign-On (SSO) system, both intranet and internet access, and strict security measures that applied even to their own employees. This highlighted the need for comprehensive security assessments that consider diverse viewpoints.
We went through approximately ten rounds of VAPT testing. After each round, we received a report detailing vulnerabilities that needed to be fixed before the next round. Many of these fixes were minor, but the process required us to ensure that our fixes did not compromise existing security features. This meant we had to be on standby for round-the-clock development and testing.
During testing, we discovered that some of our browser-server connections used GET requests that the VAPT team could exploit. We learned the importance of sanity-checking all GET requests for vulnerabilities such as clickjacking and cross-site scripting. In some cases, we even converted GET requests to POST to bolster our security posture. While this was a challenging process, it was ultimately worth the effort.
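The three fixes described above, as an added illustration in a stdlib-only Python WSGI handler; this is not code from the EDMS product, and the endpoint paths, the `q` parameter and the `call` helper are hypothetical.

```python
# Added example: reject GET on state-changing endpoints, send anti-clickjacking
# headers on every response, and HTML-escape anything reflected from the query.
import html
from urllib.parse import parse_qs

# Hypothetical endpoints that change server state and must only accept POST.
STATE_CHANGING = {"/documents/delete", "/documents/share"}

SECURITY_HEADERS = [
    ("X-Frame-Options", "DENY"),                            # legacy clickjacking defence
    ("Content-Security-Policy", "frame-ancestors 'none'"),  # modern equivalent
    ("X-Content-Type-Options", "nosniff"),
]


def app(environ, start_response):
    method = environ.get("REQUEST_METHOD", "GET")
    path = environ.get("PATH_INFO", "/")
    headers = [("Content-Type", "text/html; charset=utf-8")] + SECURITY_HEADERS

    # A state-changing action reachable via GET can be triggered by a link or an <img> tag.
    if path in STATE_CHANGING and method != "POST":
        start_response("405 Method Not Allowed", headers + [("Allow", "POST")])
        return [b"method not allowed"]

    # Reflected query parameters are escaped before they reach the page (XSS).
    query = parse_qs(environ.get("QUERY_STRING", ""))
    term = query.get("q", [""])[0]
    body = f"<h1>Results for {html.escape(term, quote=True)}</h1>"
    start_response("200 OK", headers)
    return [body.encode("utf-8")]


def call(method, path, query=""):
    """Invoke the app with a constructed WSGI environ; returns (status, headers, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status
        captured["headers"] = dict(headers)

    environ = {"REQUEST_METHOD": method, "PATH_INFO": path, "QUERY_STRING": query}
    body = b"".join(app(environ, start_response)).decode("utf-8")
    return captured["status"], captured["headers"], body
```

Moving an action to POST stops it being triggered by a plain link or image, but not by a forged cross-site form; pair it with a CSRF token or SameSite cookies.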
Our full-time liaison played a crucial role in our VAPT journey. They visited the customer and the VAPT team regularly, facilitating real-time communication between our developers and the testing environment. This proactive approach allowed us to identify potential security issues quickly, including those that originated from the customer's IT infrastructure rather than our software.
One of the most important lessons learned was that the VAPT process didn’t have to consume all our time. Our engineering team took a much-needed break for team-building activities, which fostered camaraderie and allowed us to discuss strategies for handling VAPT challenges. This time off rejuvenated us, making us more enthusiastic and positive when we returned to address any pending VAPT defects.
The successful VAPT experience significantly enhanced our software’s security, making it not only more reliable but also more appealing to potential customers. The knowledge gained during this process improved our credibility with our customer, their IT teams and their user groups.
In today's climate of increasing cyber threats, it’s crucial for software companies to conduct regular VAPT audits. Doing so not only strengthens the security architecture of the software but also assures customers of its reliability. After all, in a world where cybersecurity is only as strong as its weakest link, we must ensure our software doesn’t become that link.