UK School Data Management Platform Education Technology

OWASP Application Pen Test for an EdTech Platform | Case Study | Logicata

A UK school data platform commissioned an independent OWASP application penetration test from Logicata, surfacing severity-ranked vulnerabilities pre-release.

Methodology: OWASP
Output: Severity-ranked findings

Executive Summary

A UK EdTech provider operating a school data management platform used by primary and secondary schools nationwide needed independent assurance that their web application could withstand attack. Logicata delivered an OWASP-methodology application penetration test before a major release, surfacing vulnerabilities, prioritising remediation by severity, and producing the kind of report schools and Multi-Academy Trusts now expect as part of procurement due diligence.

Customer Overview

Sector: Education Technology (EdTech)

Location: United Kingdom

The customer provides a cloud-based school data management platform used by primary and secondary schools across the UK. The application handles sensitive pupil data: academic records, attendance, and personal information. Application security is non-negotiable, both for UK GDPR compliance and to satisfy increasingly security-conscious school customers.

The Challenge

The platform processes a particularly sensitive data category, and the bar kept rising:

  • Children’s PII is among the most regulated categories of personal data. A breach is not a routine incident.
  • Schools and MATs were increasingly asking for evidence of independent security testing during procurement. Without it, the customer was losing tenders.
  • The production application had never been formally penetration tested.
  • Development velocity outpaced internal security review. New features were shipping faster than the team could vet them.

What the customer needed was not just a test, but a defensible record of a structured one, plus a roadmap for the things to fix first.

The Solution

Logicata delivered an application-layer penetration test against the customer’s production web application, following the OWASP Testing Guide methodology.

Scope and approach

The test covered the full application attack surface, not just the obvious entry points:

  • Authentication and session management
  • Input validation and injection (SQL injection, XSS, CSRF)
  • Access control and privilege escalation
  • Business logic vulnerabilities
  • API security on backend endpoints
  • Configuration and deployment security

How we delivered it

  • Pre-engagement scoping defined the target URLs, test accounts, and rules of engagement before any traffic touched the application.
  • Active testing ran in an agreed window to minimise disruption to school customers using the live platform.
  • Critical findings were reported in real time, so the customer could start remediating the most severe issues immediately rather than waiting for the final report.
  • The final report categorised every finding by CVSS severity, with exploitation evidence (proof of concept) where applicable.

What the customer received

  • A detailed penetration test report with all identified vulnerabilities
  • Risk-rated findings with reproducible PoCs
  • Prioritised remediation recommendations for each issue
  • An executive summary suitable for sharing with school customers as evidence of security due diligence

Results

  • Independent third-party validation of application security across the OWASP attack surface
  • Compliance evidence suitable for school procurement security questionnaires
  • A prioritised remediation roadmap so security investment goes where the risk is, not where it’s loudest
  • Customer trust strengthened through proactive testing rather than reactive incident response
  • A repeatable testing pattern the customer can rerun before future major releases

AWS Services Used

  • Amazon EC2 (application hosting)
  • Amazon RDS (database tier)
  • Elastic Load Balancing
  • AWS WAF
  • Amazon CloudWatch

About Logicata

Logicata is an AWS Advanced Partner holding the AWS Cloud Operations Management Competency, validated through an independent third-party audit. Logicata helps organisations build and operate secure, well-governed cloud platforms on AWS, enabling customers to reduce operational risk, meet assurance expectations, and scale with confidence.
