white codevate bird logo Featured case study

Case study: Developing a web app to centralise pen-test auditing for a security company

Security audit dashboard showing reports and statistics
“Codevate really understood what we wanted to achieve and the feedback from our clients, prospects and even competitors has been excellent. We have some big plans for the portal that they helped us bring to life and we'll be continuing to use Codevate on that journey. I can't recommend them enough!"
Star Star Star Star Star

— Richard Merrygold, iSTORM

  • Security
  • Versioning
  • PDF report export
  • Audit logging
  • Dashboard
  • Bespoke web app

Security audit portal with report generation

Our client performs security audits and penetration tests on their customer's software and network infrastructure. These audits can span from a few days, to months or more. Before we developed this software, reports were being produced in Word, and findings were communicated via email. This approach was limiting their ability to scale the company. Human error, lack of efficiency, and organisation were some of the biggest pain points. Off-the-shelf software didn't have the capability to fit seamlessly into our client's processes, so bespoke software was the best way to go.

We designed and developed this centralised system that encapsulated the main report-writing processes. The goal was to add as much automation to our client's workflow as possible — increasing productivity whilst improving the customer experience. The core feature is the interactive report builder, which pulls in information entered into the system and generates branded digital reports. Customers are given access to their report via the web portal, and have the option to download a PDF copy. They also have the ability to report remedial actions that they have taken. This in turn allows customers to keep their own audit trail, and manage risks appropriately.

The new bespoke solution has put the company on a growth path — taking the company to the next level. All information is now centralised, helping to prevent important information and actions being lost in email threads. Initial feedback has shown that reports can be produced in a shorter amount of time, giving the client opportunities to increase profit margins. The improved communication is closing the feedback loop with customers, providing a better experience and potentially increased repeat business. The new software provides a positive unfair advantage over their competitors, who may not be able to match the new service offering. Finally, as client reports are now fully accessible via the web portal, reports are kept up-to-date in real time — a major advantage over printed reports, and a significant green advantage for the project.

Quick project overview

  • Centralised digital workflow via a mobile-friendly web portal
    • Increase efficiency and reduce human error
  • PDF report generation
    • Consistently formatted branded PDFs
  • Customer accounts
    • Tighten the feedback loop and provide a better customer experience
  • Multi factor authentication (MFA) via SMS, email and phone
    • Secure user accounts to protect sensitive information
  • Notifications centre
    • Keep all parties up to date with important updates
  • Version history and audit logs
    • A historical view of changes for auditing purposes

Audit overview dashboard

A security audit can contain a great deal of information. Having a quick at-a-glance summary of the current state of the audit is crucial for everyone involved, allowing for decisions to be made and actions to be taken more quickly, closing the feedback loop. Allowing a customer to remedy a security vulnerability as soon as possible is of particular importance, reducing the risk of damages.

The dashboard features charts that break down the number of unresolved security vulnerabilities discovered by their severity, both as a total and a breakdown over time - which can be used to aid performance metrics. Also shown are short lists of vulnerabilities by their current status (open/resolved) with short summaries for context. This quickly shows the customer what actions they need to take.

Interactive report builder

The core business processes revolve around producing a report as an output, detailing the findings of an audit. Previously, reports were created directly in a word processor and collaborated on internally before sending to the customer. Our interactive report builder allows findings to be reported more intuitively as part of the audit workflow, without having to worry about formatting and sharing a document.

The step-by-step report wizard allows a report to be built and collaborated on easily. Consultants can fill out the written sections in this builder, such as the executive summary. Testers can focus on reporting vulnerabilities to the system, outside of the report builder, allowing them to focus on their work.

Automatic report generation allows different types of reports to be generated, based on the same information, for different purposes, with no additional effort required. For example, a full detailed technical report aimed at developers, a slimmed down executive summary style report for key stakeholders, or an anonymised version for safe printing.

Versioning and audit logging

Due to the nature of the information, it was important to know who has modified what and when. Each user has their own account to access the software, allowing any changes they make to be tracked.

The status of an audited system can constantly evolve, as new discoveries are made and actions taken. It was required to have report versions to capture a snapshot at a certain point in time. This versioning is necessary for accreditation, to show that a system meets standards on a certain date.

Vulnerability database

We identified that testers were spending a lot of time reporting the same common vulnerabilities between different audits, a potential area for time savings. Time spent reporting these vulnerabilities was reduced by creating a vulnerabilities database, containing information on all of the common vulnerabilities, and allowing these vulnerabilities to easily be added to a new audit.

Customer workflow integration

Previously, customers had to wait until their full report had been completed before they would get the opportunity to start performing remedial actions. The longer vulnerabilities exist for, the higher the risk of damage from them being exploited. Of course, more severe vulnerabilities could be disclosed via email in advance, but this was not ideal for efficiency.

The software allows a closer working relationship with customers, who have their own accounts to access the software. Customers can view their audits in real-time, allowing them to take remedial action as soon as they are able to. For customers with time-critical audits, this provides our client with a cutting edge of their competitors, as the elapsed time can be reduced due to the tighter feedback loop.

Customers can report any remedial actions they undertake and request for that area to be re-tested, all within the software.

Get started

Let’s see how we can make software work for you.

Let’s see how we can make software work for you.

Get started