SoftWeb
Case Study

Eliminating Security Vulnerabilities and Establishing Quality Gates

How we transformed a codebase from zero coverage to 90% test coverage while eliminating SQL injection vulnerabilities

Industry:Wellness & Marketplace Solutions

Services:Legacy Modernisation,Architecture Advisory

ES

Key results at a glance

90%
Code Coverage
achieved
0
SQL Injection
vulnerabilities remaining
100%
Quality Gate
PRs validated

The challenge

The Starting Point

As Spa Space's platform grew from prototype to production, the codebase had accumulated technical debt common in fast-moving startups: inconsistent code quality, minimal test coverage, and security practices that needed strengthening.

This is a normal phase of startup development - speed-to-market often takes priority over code hygiene. But as the platform scaled and handled real customer data and payments, the team recognised the need for systematic quality improvement.

The Risks

Without quality controls in place, the team faced:

  • Security vulnerabilities including SQL injection risks in some legacy code paths
  • Minimal test coverage making refactoring risky
  • Inconsistent code patterns across different services
  • Manual code review as the only quality check
  • Deployment anxiety from lack of automated validation

The Business Context

A marketplace handling customer bookings and payments cannot afford security incidents or data breaches. Beyond the direct business impact, trust is foundational to marketplace success - providers and venues need confidence that their business data is secure.

The results

Key results

  • Achieved 90% code coverage from minimal baseline
  • Eliminated SQL injection vulnerabilities across all services
  • Implemented SonarCloud CI/CD integration with quality gates
  • Established security scanning on every pull request
  • Created sustainable quality practices maintained through new development

Security Improvements

  • SQL injection vulnerabilities eliminated - all database access through parameterised queries
  • Credential exposure fixed - no secrets in codebase
  • Dependency vulnerabilities addressed - automated alerts for future issues

Code Quality Metrics

  • 90% code coverage achieved - up from minimal baseline
  • Quality gates enforced - no exceptions for production deployments
  • Code smell reduction - technical debt systematically addressed

Development Process

  • Automated validation - developers received immediate feedback on PRs
  • Confidence in refactoring - high coverage enabled safe changes
  • Reduced review burden - automated checks caught common issues
  • Deployment reliability - quality gates prevented regression

Cultural Shift

  • Quality as standard - not an afterthought
  • Test-first mindset - coverage maintained through new development
  • Security awareness - team trained on common vulnerability patterns

The solution

Our Approach

We implemented a comprehensive code quality and security programme, integrating automated tooling into the development workflow so that quality became continuous rather than a periodic audit.

SonarCloud Integration

We introduced SonarCloud as the central platform for code quality analysis:

  • Static analysis on every pull request
  • Security scanning to identify vulnerabilities
  • Code smell detection for maintainability issues
  • Test coverage tracking to measure improvement
  • Quality gate enforcement to prevent regression

CI/CD Pipeline Enhancement

Quality checks were embedded into the deployment pipeline:

Code Push -> Build -> Tests -> SonarCloud Analysis -> Quality Gate -> Deploy
                                      |
                                      v
                              Fail if: Coverage < 80%
                                       Critical vulnerabilities
                                       Major code smells

This meant no code could reach production without passing automated quality checks.

Security Remediation

The initial SonarCloud scan identified several security concerns, prioritised for remediation:

  1. SQL injection vulnerabilities - converted to parameterised queries
  2. Hardcoded credentials - moved to environment variables and secret management
  3. Insecure dependencies - upgraded to patched versions
  4. Input validation gaps - added validation on API endpoints

Test Coverage Programme

We established a systematic approach to increasing coverage:

  • Coverage targets - 80% minimum, 90% goal
  • New code requirements - all new code must have tests
  • Legacy code prioritisation - critical paths tested first
  • Test quality - not just coverage numbers, but meaningful assertions

Quality Gate Definition

The quality gate prevented merging code that:

  • Had critical or blocker security vulnerabilities
  • Had major code smells (maintainability issues)
  • Dropped coverage below the target threshold
  • Duplicated more than 3% of existing code
Technical deep dive

SonarCloud Configuration

The SonarCloud analysis was configured to focus on relevant issues:

# sonar-project.properties
sonar.qualitygate.wait=true
sonar.coverage.exclusions=**/*Test*,**/migrations/**
sonar.cpd.exclusions=**/generated/**

Quality profiles were customised to balance strictness with developer productivity - overly pedantic rules that generate noise reduce trust in the tooling.

SQL Injection Remediation

The legacy code included raw SQL construction:

// Before (vulnerable)
var query = $"SELECT * FROM users WHERE email = '{email}'";

// After (safe)
var query = "SELECT * FROM users WHERE email = @email";
cmd.Parameters.AddWithValue("@email", email);

Every database access point was audited and converted to parameterised queries, with SonarCloud rules configured to flag any future raw SQL construction.

Test Strategy

Coverage alone does not indicate test quality. We emphasised:

  • Behaviour testing - tests verify business requirements, not implementation details
  • Edge cases - especially around payment and booking logic
  • Integration tests - for service boundaries and external integrations
  • Fast feedback - unit tests run on every commit, integration tests on PR

Continuous Improvement

The quality programme was designed to be sustainable:

  • Ratchet approach - coverage targets only increase, never decrease
  • Boy Scout rule - leave code cleaner than you found it
  • Technical debt sprints - periodic focused cleanup efforts
  • Metrics dashboards - visibility into trends, not just current state

Dependency Management

Automated dependency scanning was configured to:

  • Alert on new vulnerabilities in dependencies
  • Block deployment if critical vulnerabilities present
  • Track dependency age and update recommendations
  • Generate automated PRs for security patches (via Dependabot)

Ready to achieve similar results?

Let's discuss how we can help your organisation achieve these results.

Book a strategy call

Related services

Legacy Modernisation

De-risk your modernisation with expert planning, architectural leadership, and ongoing governance. I assess your ecosystem, design the migration strategy and provide oversight while your team executes

Learn more →

Architecture Advisory

De-risk critical architecture decisions with on-demand senior advice. Get peer-level technical depth for complex systems, AI adoption strategies, and architectural reviews, without hiring a full-time architect.

Learn more →

More case studies

FA
professional-services

From Auth0 Task to Full Backend Rebuild in 8 Weeks

A US startup hired us for Auth0 integration. What we found was a backend that barely existed - including a memory leak causing stack overflows. Eight weeks later: production-ready architecture.

Read case study →
IT
healthcare-nonprofit

Independent Technical Due Diligence That Saved 60% of Proposed Budget

A global humanitarian organisation needed independent validation of a vendor's modernisation proposal. Our analysis revealed 60% of costs were addressing the vendor's own technical debt.

Read case study →
SP
travel-logistics

SEO Pre-Launch Strategy That Outranked Competitors Before Going Live

A UK holiday marketplace needed search presence before booking features were ready. Our pre-launch SEO strategy achieved rankings above competitors' own websites within months.

Read case study →

Facing similar challenges?

Let's discuss how we can help transform your situation

Book a strategy call