Kundenportal Security Assessments
Classification: Internal use only
This document provides an overview of security assessments conducted for the Kundenportal. Full reports are stored separately and available to authorized personnel.
Assessment Overview
| Assessment | Vendor | Date | Scope | Status |
|---|---|---|---|---|
| Threat Modeling | SEC Consult | April 2025 | Customer Portal + CCAOnline | Complete |
| Penetration Test (Retest) | itEXPERsT | December 2024 | aktuell.myversum.at, ccaonline.rvd.at | Complete |
Note: For the Atos Architecture Review (2024), see External Reviews.
Threat Modeling (SEC Consult)
Scope: Together CCA Customer Portal and CCAOnline integration
Methodology: Threat modeling analysis of system architecture, authentication flows, and data handling.
Summary:
- 8 threats identified in total
- 3 Medium severity findings related to authentication and access controls
- 5 Low/Note severity observations
- Focused on: impersonation restrictions, password policies, API exposure
Key Findings and Mitigation Status:
| Finding | Status | Notes |
|---|---|---|
| 3.2.4 PBKDF2 Iterations | ⏳ Planned | To be resolved by the .NET 8 migration, whose PasswordHasher defaults use a higher PBKDF2 iteration count. Identity re-hashes an existing password only on the user's next successful login, so dormant accounts keep the old iteration count until they log in or are reset. |
| 3.2.6 Anonymous Health API | ⚖️ Accepted | Health API used by multiple applications for portal state. Fix requires removing public clients + hosting rework. Effort disproportionate to minor threat. Re-evaluate during architecture rework. |
| 3.2.8 Impersonation Restrictions | ✅ Verified | Portal logins can only be impersonated if the CCAOnline user has read permissions on that login. |
Report: AT725638-01_Report_Together_CCA_ThreatModeling_Customer_Portal_and_CCAOnline_v1.0.pdf
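Added example for finding 3.2.4 (not from the SEC Consult report or the portal code base): a small Python audit that reads the PBKDF2 parameters back out of stored ASP.NET Core Identity password hashes, so the "planned" status can be checked against the actual user table rather than the configured default. The V3 layout (marker 0x01, then big-endian PRF id, iteration count and salt length, then salt and 32-byte subkey) and the legacy V2 layout (marker 0x00, fixed PBKDF2-HMAC-SHA1 with 1000 iterations) are the formats PasswordHasher accepts; the 100,000 threshold is the default of current PasswordHasher versions (older versions used 10,000). Since Identity only re-hashes on a successful login, the audit is the way to find accounts the migration has not reached. The sample rows below are constructed, not real portal data; the user ids and the `hash_password_v2`/`hash_password_v3` helpers exist only to generate them.

```python
import base64
import hashlib
import hmac
import os
import struct

# PRF identifiers as stored in the V3 header (KeyDerivationPrf enum order).
PRF_NAMES = {0: "sha1", 1: "sha256", 2: "sha512"}
PRF_IDS = {name: pid for pid, name in PRF_NAMES.items()}

# Iteration count current PasswordHasher versions use by default (older default: 10,000).
MIN_ITERATIONS = 100_000


def hash_password_v3(password, iterations, salt=None, prf="sha512"):
    """Build a hash in the Identity V3 layout (helper for constructing sample data):
    0x01 | prf (u32 BE) | iterations (u32 BE) | salt length (u32 BE) | salt | 32-byte subkey.
    The iteration count written here is whatever was configured at hashing time; that is
    the value the audit reads back."""
    salt = os.urandom(16) if salt is None else salt
    subkey = hashlib.pbkdf2_hmac(prf, password.encode("utf-8"), salt, iterations, dklen=32)
    header = b"\x01" + struct.pack(">III", PRF_IDS[prf], iterations, len(salt))
    return base64.b64encode(header + salt + subkey).decode("ascii")


def hash_password_v2(password, salt=None):
    """Legacy V2 layout (helper for sample data): 0x00 | 16-byte salt | 32-byte subkey,
    always PBKDF2-HMAC-SHA1 with 1000 iterations."""
    salt = os.urandom(16) if salt is None else salt
    subkey = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, 1000, dklen=32)
    return base64.b64encode(b"\x00" + salt + subkey).decode("ascii")


def parse_hash(hash_b64):
    """Decode either format and return the parameters needed to judge or verify it."""
    raw = base64.b64decode(hash_b64)
    if raw[0] == 0x00:
        return {"version": 2, "prf": "sha1", "iterations": 1000,
                "salt": raw[1:17], "subkey": raw[17:49]}
    if raw[0] == 0x01:
        prf_id, iterations, salt_len = struct.unpack(">III", raw[1:13])
        salt = raw[13:13 + salt_len]
        return {"version": 3, "prf": PRF_NAMES[prf_id], "iterations": iterations,
                "salt": salt, "subkey": raw[13 + salt_len:]}
    raise ValueError(f"unknown password hash format marker {raw[0]:#x}")


def verify_password(hash_b64, password):
    """Re-derive the subkey with the embedded parameters and compare in constant time."""
    p = parse_hash(hash_b64)
    candidate = hashlib.pbkdf2_hmac(p["prf"], password.encode("utf-8"), p["salt"],
                                    p["iterations"], dklen=len(p["subkey"]))
    return hmac.compare_digest(candidate, p["subkey"])


def audit_hashes(rows, minimum=MIN_ITERATIONS):
    """rows: iterable of (user_id, password_hash) as dumped from the user table.
    Returns (user_id, version, prf, iterations) for every account still below the
    minimum or still in the legacy V2 format, weakest first."""
    weak = []
    for user_id, h in rows:
        p = parse_hash(h)
        if p["version"] == 2 or p["iterations"] < minimum:
            weak.append((user_id, p["version"], p["prf"], p["iterations"]))
    return sorted(weak, key=lambda r: r[3])


# Constructed sample rows standing in for a user-table dump; not real portal data.
SAMPLE_ROWS = [
    ("alice", hash_password_v3("correct horse", 10_000)),    # hashed before the migration
    ("bob", hash_password_v3("battery staple", 100_000)),    # re-hashed after it
    ("carol", hash_password_v2("old password")),             # never re-hashed since V2 days
]

if __name__ == "__main__":
    for row in audit_hashes(SAMPLE_ROWS):
        print("needs rehash:", row)
```

Run it against an export of the user id and password hash columns; any account it lists has not been through the post-migration rehash and keeps the lower PBKDF2 cost until the user next logs in or the password is reset.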
Penetration Test Retest (itEXPERsT)
Scope: Production environments (aktuell.myversum.at, ccaonline.rvd.at)
Methodology: Follow-up penetration test verifying remediation of previously identified vulnerabilities.
Findings Status:
| Status | Count | Categories |
|---|---|---|
| Closed | 4 | CORS configuration, TLS cookie handling, Cipher suites, File upload validation |
| Open | 5 | External service interaction, XML processing, HSTS headers, Session management, Password policy |
Report: REPORT-Pentest-Aktuell-itEXPERsT-1.5_Dezember.pdf
Report Access
Full reports contain confidential vulnerability details and are stored separately from version control.
Location: Contact security team or project lead for access.
Authorized access: Security team, architects, development leads.
Remediation Tracking
Open findings are tracked in the project backlog. For current remediation status, see:
- Azure DevOps work items tagged with "security"
- Regular security review meetings