R-TF-030-005 Security Risk Testing Report

Introduction

DEKRA conducted a CASA Tier 3 security evaluation of the D.med Software platform https://base-pre.legit.health/ between April 23 and May 27, 2025. The report defines the scope, objectives, and boundaries of the system’s cloud and mobile security assessment.

Methodology

A black-box penetration test following DEKRA's proprietary OSE framework was executed, covering 133 evaluation cases. Tools used included Burp Suite, ffuf, Nuclei, Nikto, and OpenSSL.

Synthesis

All major security domains achieved PASS. TLS 1.3, JWT with RS256, and Docker-based deployments were verified as secure. Two minor risks were identified: JWT tokens remain valid after an account lockout, and one outdated dependency (DCMTK) was found.

Description of the report

The document details testing procedures, proof of concepts, and mitigation recommendations for identified findings. Each issue includes impact assessment and suggested remediation steps.

Static Analysis

Source code and third-party libraries were reviewed for outdated components, hard-coded secrets, and malicious code. No deprecated or insecure client-side technologies were found.

Dynamic Analysis

Runtime tests validated secure communication, Docker isolation, and Android app behavior under execution. DICOM data handling, memory, and file system integrity were confirmed secure during operation.

Attacks on models

Model integrity and resistance to data poisoning or unauthorized tampering were evaluated. Results show strong protection mechanisms and consistent inference integrity.

Penetration test results

Penetration testing confirmed resilience against common web and API exploits. Two findings were raised: an outdated DCMTK dependency and a recommendation to strengthen code obfuscation in the Android app. All other checks passed CASA Tier 3 standards.

Report

Signature meaning

The signatures for the approval process of this document can be found in the verified commits at the repository for the QMS. As a reference, the team members expected to participate in this document, and their roles in the approval process as defined in Annex I Responsibility Matrix of the GP-001, are:

  • Author: Team members involved
  • Reviewer: JD-003, JD-004
  • Approver: JD-001