Web App Hardening
Using OWASP ASVS for a Regulated Client Portal
Regulated services portal (confidential)
5 weeks
AppSec engineer, Full-stack engineer, QA
Situation
A customer portal handled sensitive user data and file uploads. New enterprise customers required deeper assurance: repeatable verification, not one-off fixes.
Objectives
- Build a measurable security baseline for the app
- Fix high-risk vulnerabilities and prevent regressions
- Introduce secure development practices that fit the team’s sprint rhythm
What We Did
Used ASVS as the backbone for a structured verification plan—turning "security" into testable requirements.
Improved authentication/session models, verified role + object-level access controls, and secured file uploads (type validation, scanning hooks, storage isolation).
Improved logging so that security-relevant events form a comprehensive audit trail.
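The upload and access-control work above is described only at the level of practices. As an added illustration, the following Python is written for this write-up, not taken from the (confidential) client portal; the size limit, the allowed types, the `admin` role and the in-memory `FILES` registry standing in for the database are assumptions. It shows the three upload controls named in the summary (content-based type validation, a scanning hook, storage under an isolated root with server-generated names) together with an object-level authorization check, so that a valid session alone is never enough to read another customer's file.

```python
"""Illustrative example for this write-up (not the client portal's code):
upload validation, isolated storage and object-level authorization."""
import hashlib
import os
import secrets
import tempfile
from dataclasses import dataclass
from typing import Callable, Dict

MAX_UPLOAD_BYTES = 10 * 1024 * 1024  # assumed size limit for the example

# extension -> (expected Content-Type, accepted leading bytes). The leading
# bytes are checked so a renamed executable does not pass as a ".pdf".
ALLOWED_TYPES = {
    ".pdf": ("application/pdf", (b"%PDF-",)),
    ".png": ("image/png", (b"\x89PNG\r\n\x1a\n",)),
    ".jpg": ("image/jpeg", (b"\xff\xd8\xff",)),
}

# Uploads live under a directory that the web tier never serves directly.
# tempfile is used here only so the example runs anywhere.
UPLOAD_ROOT = tempfile.mkdtemp(prefix="portal-uploads-")


class UploadRejected(Exception):
    pass


class Forbidden(Exception):
    pass


def validate_upload(filename: str, declared_mime: str, data: bytes) -> str:
    """Return the canonical extension if the upload is acceptable, else raise."""
    if not data or len(data) > MAX_UPLOAD_BYTES:
        raise UploadRejected("size out of range")
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    ext = ".jpg" if ext == ".jpeg" else ext
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension not allowed: {ext!r}")
    mime, magics = ALLOWED_TYPES[ext]
    if declared_mime != mime:
        raise UploadRejected("Content-Type does not match extension")
    if not data.startswith(magics):  # bytes.startswith accepts a tuple
        raise UploadRejected("file content does not match extension")
    return ext


def upload_is_accepted(filename: str, declared_mime: str, data: bytes) -> bool:
    try:
        validate_upload(filename, declared_mime, data)
        return True
    except UploadRejected:
        return False


@dataclass(frozen=True)
class StoredFile:
    file_id: str        # server-generated; the client filename is never a path
    ext: str
    owner_id: int
    original_name: str  # kept as display metadata only
    sha256: str


FILES: Dict[str, StoredFile] = {}  # stands in for the portal's database


def store_upload(owner_id: int, filename: str, declared_mime: str, data: bytes,
                 scan: Callable[[bytes], bool] = lambda _b: True) -> StoredFile:
    """Validate, run the scanning hook, then write under UPLOAD_ROOT."""
    ext = validate_upload(filename, declared_mime, data)
    if not scan(data):  # hook for an external malware scanner
        raise UploadRejected("scanner flagged the file")
    file_id = secrets.token_hex(16)
    with open(os.path.join(UPLOAD_ROOT, file_id + ext), "wb") as fh:
        fh.write(data)
    rec = StoredFile(file_id, ext, owner_id, os.path.basename(filename),
                     hashlib.sha256(data).hexdigest())
    FILES[file_id] = rec
    return rec


def authorize_download(user_id: int, role: str, file_id: str) -> StoredFile:
    """Object-level check: the caller must own the record or hold the assumed
    'admin' role. Unknown and foreign ids both raise Forbidden, so the response
    does not reveal which of the two it was."""
    rec = FILES.get(file_id)
    if rec is None or (rec.owner_id != user_id and role != "admin"):
        raise Forbidden("no access to that file")
    return rec


def can_download(user_id: int, role: str, file_id: str) -> bool:
    try:
        authorize_download(user_id, role, file_id)
        return True
    except Forbidden:
        return False


def resolve_path(rec: StoredFile) -> str:
    """Map a record to its on-disk path, refusing anything outside UPLOAD_ROOT."""
    path = os.path.join(UPLOAD_ROOT, rec.file_id + rec.ext)
    root = os.path.realpath(UPLOAD_ROOT)
    if os.path.commonpath([os.path.realpath(path), root]) != root:
        raise Forbidden("path escapes upload root")
    return path
```

The order matters: validation and scanning happen before anything touches disk, the stored name is generated server-side so the client's filename can never become a path component, and `authorize_download` is called per object on every read rather than once per session.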
Challenges & Solutions
Legacy auth patterns
Solution: Introduced a safer session model incrementally and validated compatibility.
Developer confidence
Solution: Delivered fixes as PRs with explanations so the team could repeat the patterns.
Regression risk
Solution: Added CI checks and a short security test checklist tied to ASVS categories.
Results
- Closed all critical findings and reduced recurring issues via CI verification
- Improved auditability with structured logs and clear access control rules
Deliverables
- ASVS-based verification checklist
- Remediation PRs + secure coding patterns
- CI pipeline security gates