25 March 2026

Inside Addressfinder's Annual Penetration Test

Every year we engage an independent security firm to test our systems. It's a deliberate part of how we maintain and improve our security posture. Here's what the report found.

Penetration test findings

Nova Security tested our portal and API across multiple user roles, with access to our source code for deeper analysis, which is now our standard process for these engagements.

Findings severity summary:

  • Portal: 4 Medium, 2 Low, 1 Informational
  • API: 1 Critical, 1 Informational

The critical finding was a SQL injection vulnerability in the API. It was identified and reported mid-engagement and fixed before the test concluded.

All findings have been triaged or resolved. Where an issue remains open, it's a deliberate decision and poses little risk. One relates to a legacy feature that some customers still rely on. We've chosen to continue supporting it and have documented that decision clearly rather than counting it as a fix.

The 2024 report identified approximately 13 findings; this year's identified 7.
Each year we act on what we find, improve our processes and return to the next test in better shape.

Read the full 2025/26 Penetration Test report here.


What we committed to and what we delivered

  • SOC 2 Type 2 certified - achieved October 2025. Independent verification that our security controls are consistently followed over time.
  • GitHub Actions security update - static long-lived API keys replaced with short-lived OpenID Connect tokens. More detail below.
  • OAuth2 authentication introduced - a new authentication method allowing for more flexible configuration for customers.

These are the headline items; alongside them we shipped many more updates, improvements and optimisations to our infrastructure and processes.


Going further than compliance requires

SOC 2 Type 2 confirms our processes are sound. Penetration testing goes further by actively challenging whether our systems hold up. Vulnerabilities identified through testing feed directly back into our ongoing compliance programme, continuously raising the bar rather than maintaining it.


Detailed breakdown of changes

The SQL injection

A SQL injection vulnerability was found in the API where unsanitised user input was being passed directly into a database query. If exploited, an attacker could potentially access, modify or delete data. Nova Security flagged it immediately during the engagement and it was fixed before the engagement concluded.
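The class of bug described above, shown in the smallest form that still demonstrates it. This is an added example and not Addressfinder's code: it uses an in-memory SQLite table with constructed rows, and the function and table names (`lookup_vulnerable`, `lookup_safe`, `api_keys`) are assumptions for illustration. The vulnerable version builds the query by string interpolation, so the database cannot distinguish the input from the SQL around it; the fixed version binds the input as a parameter, so it is only ever treated as a value.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory table with constructed sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE api_keys (id INTEGER PRIMARY KEY, email TEXT, api_key TEXT)"
    )
    conn.executemany(
        "INSERT INTO api_keys (email, api_key) VALUES (?, ?)",
        [("alice@example.com", "key-alice-0001"), ("bob@example.com", "key-bob-0002")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list[tuple]:
    """Vulnerable: untrusted input is interpolated into the SQL text, so the
    database cannot tell where the query ends and the data begins."""
    sql = f"SELECT email, api_key FROM api_keys WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, email: str) -> list[tuple]:
    """Fixed: a bound parameter is always treated as a value, never as SQL."""
    sql = "SELECT email, api_key FROM api_keys WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def demo() -> dict[str, int]:
    """Run both lookups with an ordinary value and with a textbook tautology
    and report how many rows each returns."""
    conn = make_db()
    normal = "alice@example.com"
    tautology = "x' OR '1'='1"  # constructed input that closes the quoted literal
    return {
        "vulnerable_normal": len(lookup_vulnerable(conn, normal)),
        "vulnerable_tautology": len(lookup_vulnerable(conn, tautology)),
        "safe_normal": len(lookup_safe(conn, normal)),
        "safe_tautology": len(lookup_safe(conn, tautology)),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows} row(s)")
```

With the ordinary address both functions return the single matching row. With the tautology, the interpolated query becomes `WHERE email = 'x' OR '1'='1'` and returns every row in the table, while the parameterised query looks for an address literally equal to the input and returns nothing. Parameterised queries are the fix; input "sanitisation" on its own is not, because the problem is the query construction rather than the characters.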

The move to OIDC tokens

Our GitHub Actions deployment pipeline previously authenticated with AWS using static API keys. If a static key is ever exposed, it remains valid until manually rotated - an unnecessarily long exposure window.

We've replaced this with OpenID Connect between GitHub Actions and AWS (see the official GitHub docs for this feature). Each deployment now receives a temporary token that expires after 15 minutes. By the time it could be found and misused, it's already invalid.
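The AWS side of this arrangement is an IAM role whose trust policy says which GitHub OIDC tokens may assume it, and the most common mistake when setting it up is to check the token's audience but not its subject, which leaves the role assumable from any repository on GitHub. The following is an added example, not Addressfinder's configuration: it embeds two constructed trust policies (placeholder account id `123456789012` and repository `example-org/example-repo`) and a small checker that flags the weak one. The condition keys `token.actions.githubusercontent.com:aud` and `:sub` and the `repo:ORG/REPO:ref:refs/heads/BRANCH` subject format are the ones GitHub documents for AWS; the helper names are assumptions.

```python
import json

GITHUB_OIDC_ISSUER = "token.actions.githubusercontent.com"
# Placeholder account id; not Addressfinder's real value.
PROVIDER_ARN = f"arn:aws:iam::123456789012:oidc-provider/{GITHUB_OIDC_ISSUER}"


def _policy(condition: dict) -> str:
    """Build a constructed IAM trust policy around the given Condition block."""
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": PROVIDER_ARN},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": condition,
        }],
    })


# Weak: the audience is checked, but nothing limits which repository may assume the role.
WEAK_TRUST_POLICY = _policy({
    "StringEquals": {f"{GITHUB_OIDC_ISSUER}:aud": "sts.amazonaws.com"},
})

# Strict: audience checked and the subject pinned to one repository's main branch.
STRICT_TRUST_POLICY = _policy({
    "StringEquals": {f"{GITHUB_OIDC_ISSUER}:aud": "sts.amazonaws.com"},
    "StringLike": {
        f"{GITHUB_OIDC_ISSUER}:sub": "repo:example-org/example-repo:ref:refs/heads/main"
    },
})


def _condition_values(condition: dict, key: str) -> list[str]:
    """Collect every value bound to `key` across all condition operators."""
    values = []
    for operator_map in condition.values():
        value = operator_map.get(key)
        if value is None:
            continue
        values.extend(value if isinstance(value, list) else [value])
    return values


def check_trust_policy(policy_json: str) -> list[str]:
    """Return a list of findings; an empty list means the policy passes these checks."""
    findings = []
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for i, st in enumerate(statements):
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if st.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        federated = st.get("Principal", {}).get("Federated", "")
        if not federated.endswith(f"oidc-provider/{GITHUB_OIDC_ISSUER}"):
            findings.append(f"statement {i}: Federated principal is not the GitHub OIDC provider")
        condition = st.get("Condition", {})
        if _condition_values(condition, f"{GITHUB_OIDC_ISSUER}:aud") != ["sts.amazonaws.com"]:
            findings.append(f"statement {i}: audience is not pinned to sts.amazonaws.com")
        subjects = _condition_values(condition, f"{GITHUB_OIDC_ISSUER}:sub")
        if not subjects:
            findings.append(
                f"statement {i}: no sub condition, so any GitHub repository could assume this role"
            )
        elif any(s == "*" or s.startswith("repo:*") for s in subjects):
            findings.append(f"statement {i}: sub condition is a wildcard over all repositories")
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_TRUST_POLICY), ("strict", STRICT_TRUST_POLICY)):
        print(name, check_trust_policy(policy) or "OK")
```

The checker is deliberately narrow: it only asks whether the `aud` and `sub` claims are constrained, which is the part that decides who can obtain credentials. The lifetime of the credentials STS hands back is a separate setting, the session duration, whose minimum of 900 seconds matches the 15-minute window described above; that value is set on the AssumeRole call rather than in the trust policy, so it is out of scope for this check.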


What's next for our security programme

Security isn't a destination. We're constantly testing, finding and fixing and we come back and do it again. Bringing in an independent third party for our annual pen test is a formalised part of that process.


Read the full 2025 penetration test summary report in our Trust Centre.
