2025/12/16

Web System Vulnerability Assessment Using VEX

Project Overview

Following the completion of the web system development, we conducted a comprehensive security assessment prior to the official launch. The objective of the project was to detect potential security risks in the system early on and ensure a secure service release.

We proposed and executed a diagnostic process utilizing the web application vulnerability scanner “VEX (Vulnerability EXplorer).” By comprehensively checking all screens and functions of the system, we identified potential vulnerabilities and evaluated their severity. Furthermore, our expert engineers thoroughly scrutinized the automated scan results to eliminate false positives, creating an accurate diagnostic report. The report included specific remediation proposals for the detected vulnerabilities, enabling the release of the system in a state that meets safety standards.

Tech Stack and Development Tools

  • Programming Languages: Perl, PHP
  • Database: MySQL, MariaDB
  • Task Management Tool: Excel
  • Communication Tool: Redmine

Client Issues

  • Identification of Potential Vulnerabilities and Visualization of Risk Levels
    For the developed web system, it was necessary to verify whether any security holes remained that could become targets for external attacks. In particular, if vulnerabilities existed, their severity had to be evaluated objectively (e.g., whether they could lead to information leakage or system outages). Since the client had no dedicated internal security assessment team, a comprehensive diagnosis that accurately identified the location and magnitude of each risk was an urgent task.
  • Acquisition of Concrete Grounds for Decision-Making and Remediation
    Rather than simply being told that a “danger” existed, the client needed detailed information on exactly where the problems lay in the system and what kind of attack risks they posed. When development vendors or internal operation teams handle remediation, materials that let them prioritize and deal with issues efficiently are indispensable. The challenge was therefore to provide reporting that breaks down the nature of each risk technically and serves as a clear basis for deciding on appropriate corrective measures.

Client Requirements

  • Comprehensive Verification of the Entire System Using VEX
    The requirement was to use “VEX,” a highly reliable vulnerability scanning tool, to check the entire system without omissions. The client demanded a security diagnosis with no blind spots, covering not only critical functions but every screen transition and input form in the system. The aim was to minimize the risk of unexpected security incidents after release.
  • Scrutiny of Scan Results and Elimination of False Positives
    Automated tool scans often generate “False Positives,” flagging as a vulnerability behavior that cannot actually be exploited. The client strongly requested that only the “True Positives” that really needed addressing be extracted from the large volume of scan results. To avoid wasted remediation effort and focus resources on genuinely dangerous points, high-precision diagnostic results based on manual verification and analysis by engineers were required.
  • Provision of a Final Report Including Concrete Countermeasures
    In addition to reporting the diagnostic results, proposing concrete countermeasures for fixing or mitigating each detected vulnerability was a mandatory requirement. The client expected a summary report containing practical guidance, such as reproduction procedures and example fix code, so that developers could start remediation work immediately upon reading it, contributing directly to improving system safety.

Our Proposal and Approach

  • Design and Construction of a Comprehensive Scenario Map Using VEX
    To prevent omissions in the diagnosis, we created a detailed “Scenario Map” in the VEX tool before executing the scan. This process records the flow of screen transitions and functions within the web system so that the tool can learn them. By mapping every operation route a user could take, from login to complex business processes, we achieved nearly 100% test coverage of all screens and functions, making the scope of the diagnosis exhaustive by construction rather than by assumption.
  • Analysis and Screening of Scan Results by Expert Engineers
    After executing the automated scan with VEX based on the created scenarios, engineers with security knowledge verified each detection log from the large output. Instead of blindly accepting the tool’s results, we confirmed whether the attack code would actually work or whether the behavior was intended system behavior, thoroughly eliminating False Positives. By extracting only the vulnerabilities that truly needed addressing (True Positives), we derived highly reliable diagnostic results.
  • Creation of a Report with Severity Classification and Remediation Proposals
    We aggregated the scrutinized vulnerability information and classified it by severity using standards such as CVSS (Common Vulnerability Scoring System). We clarified priorities such as “Critical,” “High,” and “Warning,” presenting the order in which they should be addressed. Furthermore, for each vulnerability, we provided a report detailing specific and actionable countermeasures, such as code-level fix methods or workarounds via configuration changes, to support a smooth vulnerability remediation process.
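The two steps above, checking the scenario map against what the scanner actually exercised and turning reviewer-screened findings into a severity-ordered remediation list, can be made repeatable with a small script. The following is an added example, not VEX's output format and not the assessor's own tooling: the finding records and routes are constructed, the field names (`finding_id`, `reviewer_verdict`, `cvss`) are assumptions, and the "Warning" band is assumed to mean everything below the CVSS v3 "High" threshold, since the report's three labels do not map one-to-one onto the CVSS qualitative ratings.

```python
"""Scenario-map coverage check and finding triage for a web vulnerability assessment.

Added example only; the record layout below is an assumption, not the VEX export format.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    finding_id: str
    title: str
    url: str
    cvss: float            # CVSS v3.x base score reported by the scanner
    reviewer_verdict: str  # "true_positive", "false_positive" or "unverified" (set by the engineer)


def severity(cvss: float) -> str:
    """Map a CVSS base score to the report's three bands.

    Critical (>= 9.0) and High (>= 7.0) follow the CVSS v3 qualitative scale;
    "Warning" is assumed here to cover everything below High.
    """
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS base score out of range: {cvss}")
    if cvss >= 9.0:
        return "Critical"
    if cvss >= 7.0:
        return "High"
    return "Warning"


def triage(findings):
    """Split findings by reviewer verdict.

    Only reviewer-confirmed true positives go into the remediation list;
    false positives are dropped; unverified findings are returned separately
    so they are never silently lost between scan and report.
    """
    confirmed = [f for f in findings if f.reviewer_verdict == "true_positive"]
    unverified = [f for f in findings if f.reviewer_verdict == "unverified"]
    # Highest score first; finding id breaks ties so the order is deterministic.
    confirmed.sort(key=lambda f: (-f.cvss, f.finding_id))
    return confirmed, unverified


def remediation_plan(findings):
    """Return (ordered plan rows, ids still awaiting manual verification)."""
    confirmed, unverified = triage(findings)
    plan = [(severity(f.cvss), f.finding_id, f.title, f.url) for f in confirmed]
    return plan, [f.finding_id for f in unverified]


def coverage(scenario_routes, scanned_routes):
    """Compare the scenario map against the routes the scanner actually hit.

    Returns the covered fraction and the sorted list of planned routes that
    were never exercised, which is what the engineer must re-run or explain.
    """
    planned = set(scenario_routes)
    missed = sorted(planned - set(scanned_routes))
    ratio = 1.0 if not planned else (len(planned) - len(missed)) / len(planned)
    return ratio, missed


# Constructed sample data (not from a real scan).
SCENARIO_ROUTES = ["/login", "/search", "/account/update", "/profile", "/checkout"]
SCANNED_ROUTES = ["/login", "/search", "/account/update", "/profile"]

SAMPLE_FINDINGS = [
    Finding("F-001", "SQL injection in login form", "/login", 9.8, "true_positive"),
    Finding("F-002", "Reflected XSS in search", "/search", 6.1, "true_positive"),
    # Reviewer found the request is rejected server-side; scanner verdict overturned.
    Finding("F-003", "Missing CSRF token", "/account/update", 8.8, "false_positive"),
    Finding("F-004", "Verbose server header", "/", 3.7, "unverified"),
    Finding("F-005", "Stored XSS in profile bio", "/profile", 8.1, "true_positive"),
]


if __name__ == "__main__":
    ratio, missed = coverage(SCENARIO_ROUTES, SCANNED_ROUTES)
    print(f"scenario coverage: {ratio:.0%}, unexercised routes: {missed}")
    plan, pending = remediation_plan(SAMPLE_FINDINGS)
    for band, fid, title, url in plan:
        print(f"{band:<8} {fid} {title} ({url})")
    print(f"awaiting manual verification: {pending}")
```

Two design choices matter for a report the client can act on: unverified findings are carried through as their own list rather than being treated like false positives, and the ordering is deterministic, so two engineers running the triage over the same reviewed data produce the same priority order.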