As governments and private agencies across the world take steps to tackle the Covid-19 pandemic, apps and web apps are naturally one of our biggest tools. Those applications, which extend from government-developed contact tracing and access management to private testing and tracing apps, are used by millions of people worldwide. And all of them are vulnerable to hacks and attacks, much like any other app. In July 2021, one of the largest private companies, TestCoronaNu.nl, was involved in a data leak, with over 60,000 people losing private data. The leak additionally resulted in an untold number of scammers “faking” a negative coronatest for entry into clubs and venues using the Dutch CoronaCheck app.

Organizations offering coronatests are required to pass a compliance check, involving an audit and a pentest of infrastructure and systems. Cyver has experience testing these applications in collaboration with a team of auditors, to help Covid app developers move their apps through the strict compliance requirements set by the VWS (Ministry of Health, Welfare, and Sport), in line with the AP (Dutch Data Protection Authority) and the AVG (General Data Protection Regulation).

Strict Compliance Checks and Requirements 

Delivering coronavirus test services in compliance with the VWS allows apps to integrate into CoronaCheck and other official services via the API. Eventually, this could expand to private and international “Corona Passport” services. For now, passing compliance is “Dutch Only”, but it is still big business for dozens of apps across the country.

In the Netherlands, access to the API is now restricted based on the app’s ability to pass basic system controls. These include a pentest, with data handling aligned with all available regulations and legislation for information in healthcare, including the NEN 7510, 7512, and 7513. In addition to these audits, the coronatest provider must submit a DPIA (Data Protection Impact Assessment) and a pentest report. Following the “Scandal” of TestCoronaNu’s pentester failing to find the leaks resulting in their breach, the pentest is verified by an additional pentest from the VWS.

The Pentest Process

When you contact Cyver for a Corona app test, we can help to streamline the process because we know how it works and what your auditors need. We submit a pentest report documenting a thorough assessment of your integration, API, and affected properties. The VWS is currently using a checklist, primarily designed around the NEN 7510, 7512, and 7513. We ensure that we follow this checklist during the assessment and when writing the report.

Cyver checks these, meeting all of the requirements put forward by the VWS – and then delivers those findings as tickets to you in our cloud portal. Stakeholders receive these notifications in real time, allowing you to take steps to resolve and remediate before moving on to the final report. Once you mark the findings as remediated, we’ll retest for free (within the first 30 days). Then, when you generate a report, it shows the current, remediated status of the finding. 

The Report

Cyver has experience pentesting for Corona apps, which means we build your report around the specific needs of the pentest. We’ll deliver vulnerability findings mapped to what your auditors want and need to see, so you move quickly through the audit. 

When the VWS receives our pentest report, they’ll run their own follow-up check to ensure our test is accurate. And, with experience in passing these assessments, Cyver is confident we can help your app to pass the full audit – so you keep API access. 

If you need a pentest, Cyver is here to help. We deliver custom pentests built around the needs of compliance norms like the NEN 7510, DigiD, and even HIPAA. Click through to our “services” section to see how we use findings as tickets and pentest-as-a-service to help you pass audits, or schedule a call to discuss your needs – so we can help you stay compliant.