Gotchaa Lab
Back to Portfolio
Cybersecurity

Government VAPT: Entrepreneur Management Platform

A grey-box security assessment of a government platform holding participant personal data. We found 11 issues, ranked them by CVSS, and retested to a clean closure report.

Highlights

  • 1Grey-box testing across the web app, APIs, database and infrastructure
  • 2Tested against OWASP, the OWASP API Top 10 and PTES
  • 311 findings ranked by CVSS v3.1, each with proof-of-concept evidence and fixes
  • 4Retested after remediation and issued a clean closure report

How it helps your business

  • The critical issues got found and fixed before an attacker could reach them: a SQL injection risk, broken access control exposing participant records, and a database open to the public internet.
  • Each finding came with proof-of-concept evidence and step-by-step fixes, so the developers knew exactly what to change.
  • The retest and clean closure report gave the team written proof the issues were actually resolved, not just acknowledged.
  • Findings mapped to the PDPA principles and the Dasar Keselamatan ICT Kerajaan, so the report fed straight into compliance sign-off.

A full VAPT of a government platform, from critical findings to a verified clean closure report.

This government platform manages entrepreneur programme participants across multiple districts and roles, so it holds a lot of personal data. We ran a full security assessment of it: grey-box testing across the web app, APIs, database and infrastructure, against OWASP, the OWASP API Top 10 and PTES. The work surfaced 11 findings, each ranked by CVSS v3.1 with proof-of-concept evidence and step-by-step fixes. After the client's team remediated, we retested and issued a clean closure report. Every finding was mapped to the PDPA principles and the Dasar Keselamatan ICT Kerajaan, so it slotted straight into the project's compliance sign-off.

Outcome

All 11 findings were closed out and verified on retest, ending in a clean closure report. Because every issue was mapped to the PDPA principles and the Dasar Keselamatan ICT Kerajaan, the assessment fit straight into the project's compliance sign-off.

Related Services

Have a similar project in mind?

Tell us about your idea and we'll help you build it — from concept to launch.

Start a Project