Welcome to QMENTA
We are pleased to announce that, as part of our rebranding, our brand name has been changed to QMENTA. After 4 years as Mint Labs and achieving...
Every year, we bring in an independent third party to try to break into our platform. And this year, we are publishing the results — not because we're required to, but because we think you deserve to know.
Transparency about security isn't always comfortable. Publishing findings opens you up to scrutiny. But we believe that accountability builds trust more reliably than silence does. So here's our 2025 annual security assessment final result: zero open critical, high, or medium vulnerabilities. Our cleanest result to date — and this year, we tested more surface area than ever before.
A Web Application Security Assessment (WASA) is a structured, authorized evaluation designed to find weaknesses in a system before someone with bad intentions does.
It goes beyond a traditional penetration test: where a pentest concentrates on probing networks, hosts and exposed services, a WASA focuses on in-depth manual testing of the application logic itself. Typical checks include whether a user can reach another user's data by manipulating an identifier they are not authorized for (broken object-level authorization), or whether an attacker can exploit an injection vulnerability by embedding malicious content in an input that other users later see, such as a shared project name.
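The two checks described above, written out as an added example. This is not QMENTA's code and the in-memory project store, user names and handler functions are hypothetical; it shows a vulnerable handler beside a hardened one for each check and runs them the way a tester would.

```python
"""
Two checks a Web Application Security Assessment exercises (added example;
the project store, users and handlers below are hypothetical, not QMENTA code).

1. Horizontal access control: can a user reach a project they are not a member
   of simply by supplying its id?
2. Injection through a shared project name: is the name rendered safely?
"""
import html

# Constructed in-memory project store: project id -> record.
PROJECTS = {
    101: {"owner": "alice", "name": "Trial 7 baseline", "members": {"alice"}},
    102: {"owner": "bob", "name": "<script>alert(1)</script>", "members": {"bob", "alice"}},
}


class Forbidden(Exception):
    """Raised when the caller is not allowed to see the requested object."""


def get_project_vulnerable(user, project_id):
    """IDOR: looks up by id only, so any authenticated user reaches any project."""
    return PROJECTS[project_id]


def get_project_hardened(user, project_id):
    """Object-level authorization: the caller must be a member of the project."""
    project = PROJECTS.get(project_id)
    if project is None or user not in project["members"]:
        # Same outcome for "does not exist" and "not yours", so ids cannot be
        # enumerated by observing which error comes back.
        raise Forbidden(f"user {user!r} may not access project {project_id}")
    return project


def render_name_vulnerable(project):
    """Builds HTML by string interpolation: a shared name becomes stored XSS."""
    return f"<h1>{project['name']}</h1>"


def render_name_hardened(project):
    """Escapes the name for the HTML element context it is placed in."""
    return f"<h1>{html.escape(project['name'])}</h1>"


def assessment_checks():
    """Runs both checks against both handler versions; returns PASS/FAIL per case."""
    results = {}

    # Check 1: carol is a member of neither project; she must not see 101.
    try:
        get_project_vulnerable("carol", 101)
        results["idor_vulnerable"] = "FAIL"
    except (Forbidden, KeyError):
        results["idor_vulnerable"] = "PASS"
    try:
        get_project_hardened("carol", 101)
        results["idor_hardened"] = "FAIL"
    except Forbidden:
        results["idor_hardened"] = "PASS"

    # Check 2: bob shared project 102 with alice; its name carries a script tag.
    shared = get_project_hardened("alice", 102)
    results["xss_vulnerable"] = "FAIL" if "<script>" in render_name_vulnerable(shared) else "PASS"
    results["xss_hardened"] = "FAIL" if "<script>" in render_name_hardened(shared) else "PASS"
    return results


if __name__ == "__main__":
    for check, verdict in assessment_checks().items():
        print(f"{check}: {verdict}")
```

The hardened lookup deliberately returns the same error for a missing project and for a project the caller is not a member of; distinguishing the two lets a tester enumerate valid identifiers even when the data itself stays protected. Escaping in the renderer is context-specific: `html.escape` is correct for element content, but a name placed inside a JavaScript string or a URL needs the encoding for that context instead.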
We commission this assessment annually from the same security firm we've worked with since 2020. The primary objective is to determine the security level of the web application from both an external and internal perspective, covering common known web attacks including the OWASP Top Ten, as well as application-specific attack vectors.
Using a white box approach — meaning the testers are given documentation, architecture details, and internal context rather than starting blind — they can probe more deeply than a purely external attacker would.
This year's scope was the broadest we've run. In addition to our core Platform (which has been assessed every year), we included our new Central Review (CR) application (not yet released at the time of testing) and our new Identity and Access Management (IAM) system, which centralizes authentication across the applications as a single sign-on (SSO) service.
More components in scope means more potential exposure to assess — and more confidence in the results when they come back clean.
The 2025 assessment final result is 3 low-severity findings. Low-severity findings are potential vulnerabilities with low damage potential and violations of security best practices. Here's how the full breakdown looked:
| Severity | Count |
|---|---|
| Critical | 0 |
| High | 0 |
| Medium | 0 |
| Low | 3 |
One thing worth underscoring: all testing was conducted in a staging environment. No production systems were accessed during the assessment, and no customer data was ever at risk.
We follow a structured remediation process. Critical findings — had there been any — would have been addressed immediately, before anything else. High and medium issues follow on the same priority track.
The three low-severity findings from this year's test went through our formal risk assessment process. Each one was evaluated for likelihood, potential impact, and remediation effort. Two were resolved through code or configuration changes; one was accepted with documented compensating controls in place. All findings, regardless of severity, are tracked to closure and verified through re-testing by the same independent firm.
This process isn't ad hoc. It's the same structured approach we've applied every year since we began publishing these results.
We've been running annual assessments since 2020. Here's the full picture:
QMENTA Annual Security Assessment Results (2020–2025)
| Year | Critical | High | Medium | Low | Scope |
|---|---|---|---|---|---|
| 2020 | 0 | 0 | 8 | 1 | Platform |
| 2021 | 0 | 1 | 3 | 1 | Platform |
| 2022 | 0 | 0 | 4 | 3 | Platform |
| 2023 | 0 | 0 | 2 | 1 | Platform |
| 2024 | 0 | 0 | 6 | 4 | Platform |
| 2025 | 0 | 0 | 0 | 3 | Platform + CR + SSO |
2025 is the first year we've closed out with zero critical, high, or medium findings. The uptick in medium findings between 2023 and 2024 is a good reminder that security isn't a straight line; adding features and components naturally introduces new considerations, and attackers find new creative ways to breach existing systems.
What makes the 2025 result particularly meaningful is that we expanded the scope significantly. Testing three systems instead of one and still coming out with only three low-severity issues isn't luck — it reflects deliberate security work done throughout the year, not just in response to audit findings.
Passing an annual audit is a milestone, not a finish line. The threat landscape keeps shifting, and so does our approach to staying ahead of it.
We're continuing to push security earlier in the development cycle — what the industry calls "shift left." The idea is straightforward: catching a security issue during design or development is far cheaper and less disruptive than catching it in production. This means integrating automated scanning into our CI/CD pipeline, requiring security review as part of our definition of "done" for new features, and treating security as a first-class requirement from day one — not an afterthought.
This isn't a reaction to anything that went wrong. It's where the field is heading, and we want to be building accordingly.
One area we're actively investing in is Software Composition Analysis (SCA). We already generate a comprehensive Software Bill of Materials (SBOM) that inventories every direct and transitive dependency in our systems; SCA takes that visibility a crucial step further. Supply chain attacks have become one of the most significant risk vectors in the industry. In the OWASP Top 10:2025 community survey, 50% of respondents ranked software supply chain failures as their number one risk.
By leveraging SCA, we don't just log what's running inside QMENTA; we continuously match those components against vulnerability advisories as they are disclosed, so that an affected third-party library is flagged automatically and its remediation can be prioritized rather than discovered at the next annual assessment.
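What SCA adds on top of an SBOM, as an added example covering both the SBOM-to-advisory matching described here and the CI/CD gate mentioned in the shift-left paragraph above. This is not QMENTA's tooling: the CycloneDX-style SBOM fragment, the package names, the advisory identifiers and the version ranges are all constructed for the example, and the gate thresholds are an assumption. Real advisory sources (OSV, the GitHub Advisory Database, distribution security trackers) carry the same information in richer form.

```python
"""
Minimal Software Composition Analysis pass over an SBOM (added example, not
QMENTA code). The SBOM and advisory feed are constructed inline so the script
runs offline; package names, advisory ids and versions are hypothetical.
"""
import json

# Constructed CycloneDX-style SBOM fragment.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "components": [
    {"name": "examplelib", "version": "1.4.2", "purl": "pkg:pypi/examplelib@1.4.2"},
    {"name": "otherlib",   "version": "2.0.0", "purl": "pkg:pypi/otherlib@2.0.0"},
    {"name": "thirdlib",   "version": "0.9.1", "purl": "pkg:pypi/thirdlib@0.9.1"}
  ]
}
"""

# Constructed advisory feed. Affected ranges are half-open [introduced, fixed)
# intervals, the convention OSV uses; a range without "fixed" is open-ended.
ADVISORIES = [
    {"id": "EXAMPLE-2025-0001", "package": "examplelib", "severity": "HIGH",
     "ranges": [{"introduced": "1.0.0", "fixed": "1.4.3"}]},
    {"id": "EXAMPLE-2025-0002", "package": "otherlib", "severity": "MEDIUM",
     "ranges": [{"introduced": "1.0.0", "fixed": "2.0.0"}]},
]


def parse_version(text):
    """Dotted numeric versions only (1.4.2 -> (1, 4, 2)); enough for the example."""
    return tuple(int(part) for part in text.split("."))


def is_affected(version, ranges):
    """True if version falls inside any [introduced, fixed) range."""
    v = parse_version(version)
    for r in ranges:
        lo = parse_version(r["introduced"])
        hi = parse_version(r["fixed"]) if "fixed" in r else None
        if v >= lo and (hi is None or v < hi):
            return True
    return False


def recommended_fix(ranges):
    """Lowest fixed version across the affected ranges, or None if unfixed."""
    fixed = [r["fixed"] for r in ranges if "fixed" in r]
    return min(fixed, key=parse_version) if fixed else None


def scan_sbom(sbom_json, advisories):
    """Matches every SBOM component against the advisory feed."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom["components"]:
        for adv in advisories:
            if adv["package"] != comp["name"]:
                continue
            if is_affected(comp["version"], adv["ranges"]):
                findings.append({
                    "component": comp["purl"],
                    "advisory": adv["id"],
                    "severity": adv["severity"],
                    "fixed_in": recommended_fix(adv["ranges"]),
                })
    return findings


def ci_gate(findings, block_on=("CRITICAL", "HIGH")):
    """Shift-left gate: non-zero exit if any finding meets the blocking severity.
    The severity threshold is an assumption for the example, not a QMENTA policy."""
    blocking = [f for f in findings if f["severity"] in block_on]
    return 1 if blocking else 0


if __name__ == "__main__":
    found = scan_sbom(SBOM_JSON, ADVISORIES)
    for f in found:
        print(f"{f['severity']:8} {f['component']}  {f['advisory']}  fix: {f['fixed_in']}")
    raise SystemExit(ci_gate(found))
```

Only `examplelib` is reported: `otherlib` 2.0.0 sits exactly at the fixed boundary of its range and is therefore clean, which is why the half-open interval matters. The gate is what turns the scan into a shift-left control; run on every pull request it stops a newly affected dependency from merging, and run on a schedule against the last released SBOM it catches advisories published after the code shipped.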
The annual WASA is one layer of a broader security posture. It sits alongside continuous monitoring, internal code reviews, dependency scanning, access controls, encryption standards, and the processes we follow every day. No single audit, however thorough, captures everything. What they do is force accountability — to look carefully, fix what's found, and document the work.
We'll keep publishing these results every year. If you're a QMENTA customer or partner and you have questions about any of this — about our security practices, our architecture, or what any of these findings actually mean in practice — please reach out. These conversations matter to us, and we'd rather have them openly than not at all.
A Web Application Security Assessment is a structured, authorized evaluation designed to identify vulnerabilities in a web application before they can be exploited. Unlike a traditional penetration test, which focuses on network and server-level probing, a WASA involves in-depth manual testing of the application itself, examining whether users could access data they should not, or whether attackers could exploit injection vulnerabilities through application inputs. WASA testing typically covers common known web attacks including those in the OWASP Top Ten.
QMENTA conducts an independent Web Application Security Assessment annually, working with the same third-party security firm since 2020. This consistency allows year-on-year comparison of results using a comparable methodology. Testing is conducted in a staging environment to ensure no production systems or customer data are accessed during the assessment process.
The 2025 QMENTA security assessment returned zero critical, zero high, and zero medium severity vulnerabilities across the platform — the company's best result since annual testing began in 2020. Three low-severity findings were identified, each evaluated through a formal risk assessment process. Two were resolved through code or configuration changes; one was accepted with documented compensating controls in place.
The OWASP Top Ten is an authoritative list of the most critical web application security risks, published and maintained by the OWASP Foundation (Open Worldwide Application Security Project). It serves as a baseline reference for security professionals evaluating web systems. For clinical data platforms handling sensitive patient imaging data, addressing the OWASP Top Ten risks is a foundational minimum standard. In the OWASP Top 10:2025 community survey, 50% of respondents ranked software supply chain failures as their number one risk.
"Shift left" is a software development practice that integrates security testing earlier in the development cycle — during design and development rather than after deployment. Catching security issues during development is significantly less costly and disruptive than identifying them in production systems. QMENTA applies shift left principles by integrating automated scanning into its CI/CD pipeline, requiring security review as part of the definition of "done" for new features, and treating security as a first-class requirement from the outset of feature development.
Software Composition Analysis (SCA) is a practice that continuously monitors and analyses the third-party and open-source components used within a software system. While a Software Bill of Materials (SBOM) inventories all direct and transitive dependencies, SCA adds continuous vulnerability detection, automatically flagging known vulnerabilities in third-party libraries as they are disclosed. QMENTA is actively investing in SCA to address the growing risk of software supply chain attacks, which represent one of the most significant threat vectors in enterprise software.
About the authors: Hernan Foffani, Principal Engineer, QMENTA & Léo Gabaix, Application Security Engineer, QMENTA
Hernan Foffani is a Principal Engineer at QMENTA.
Léo Gabaix is an Application Security Engineer at QMENTA.