January 15, 2024
Penetration test for a software development firm
In this case study, our GIAC-certified cybersecurity consultants carried out a web application penetration test for a software development firm. The penetration test specifically targeted their logistics management product, currently serving an extensive customer base.

The managing director approached us seeking a thorough security evaluation after being dissatisfied with the details from previous third-party reports, which had only addressed surface-level vulnerabilities. The client aimed for a more manual and comprehensive security assessment to understand the full spectrum of risks associated with their service, as well as confidence that the penetration testers had a contextual understanding of their product and its underlying technologies.

Background

In collaborative discussions with the client, we determined that a “closed box” penetration test—without access to the application source code—was the optimal approach, aligning with the client's budget and cybersecurity maturity level. The six-day engagement focused on revealing any significant security issues that could be exploited either by external, anonymous actors or by internal customers with access to the service. Efforts mainly focused on identifying vulnerabilities related to privilege escalation, access control and the exposure of Personally Identifiable Information (PII) from backend servers.

Challenges

Because the product has a large and continually maintained codebase, with some unique technology components, the client needed to ensure a thorough penetration test was performed. The client’s previous penetration test provider had indeed exposed notable security weaknesses; however, the client's dissatisfaction stemmed from a lack of reproducible evidence in the report. This made it difficult for the client's developers to address the identified issues, and left the impression of a one-time assessment rather than a strong, ongoing security partnership.

It was decided that penetration testing activities would be carried out in dedicated UAT environments, mirroring the production setup with example tenants, data, and accounts. A thorough application walkthrough equipped our consultants with a deep understanding of the platform and its various use cases before initiating the test. To ensure seamless communication, direct contact between our consultants and the client’s developers was established - ensuring our team's comprehensive understanding of the application at all times, as well as keeping the client informed of testing activities as they unfolded.

Outcome

Our penetration testers identified numerous vulnerabilities, including high-severity issues. These issues had not been identified in prior engagements with other vendors and had been residing in the application’s codebase for several years. This validated the client’s decision to seek a penetration testing provider employing a more comprehensive approach, highlighting the thoroughness of our team’s work and efforts.

The client acknowledged the exceptional value of the test, with costs in line with their previous assessments. The final report included detailed findings, executive summaries for senior stakeholders, and an overall evaluation of the platform's security status. Shortly after securely delivering the report, a walkthrough call was booked to discuss findings and remediation timelines, providing actionable feedback and clarification on the business implications of each vulnerability. The client expressed immense satisfaction with the delivery and the thorough report walkthrough call.

With the provided insights, our client swiftly addressed the identified high-risk issues in production environments, immediately strengthening their security. As a result of this engagement, our client felt they had a much deeper and comprehensive understanding of the risk relating to their application, and can continue to develop their cybersecurity roadmap with confidence.
