Gray Box Pentesting for a Risk Management Leader

Industry
Consulting, Information Technology
Technologies
Python

About Our Customer

The Customer is a global risk management provider with decades-long experience.

Annual Security Testing to Uphold Cyber Protection

Having first-hand experience in security services, including cyber risk management, the Customer is dedicated to protecting its platform against emerging cyber threats. The company regularly engages ScienceSoft to conduct security testing of its IT infrastructure and software components. As part of a long-term cybersecurity partnership, the Customer requested gray box pentesting to verify the security of the web, iOS, and Android apps for its travel risk management solution.

Gray Box Pentesting of Web and Mobile Apps Complete in Just 2 Weeks

The Customer provided ScienceSoft with user and administrator credentials for the target applications. Our pentesters started with a vulnerability assessment: they scanned the apps using automated tools and manually validated the scanning results. Next, ScienceSoft's pentesting team imitated the actions of a real-life attacker with partial access to the targets. Our experts attempted to exploit the vulnerabilities found in order to evaluate their potential impact on the applications. The penetration testing activities were based on the best practices outlined in PTES, the OWASP Web Security Testing Guide, the OWASP Mobile Security Testing Guide, and NIST 800-115.

Finally, ScienceSoft's team analyzed the testing findings, classified the discovered issues according to the OWASP Top 10 and OWASP Mobile Top 10, and reported the results. The pentesting confirmed the high security level of the web and mobile applications and revealed only a few non-critical weaknesses.

Our experts suggested appropriate measures to further enhance the apps' security, including:

  • Using HTTP headers, such as X-Frame-Options and Content-Security-Policy, to protect the web application against clickjacking, cross-site scripting, and other common attacks.
  • Updating obsolete software to its latest version.
  • Updating the password policy to require stronger passwords.
  • Implementing brute force protection (e.g., adding CAPTCHA, limiting failed login attempts).
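As an added illustration of the first recommendation (this is example code, not part of the original case study or the Customer's applications), the following Python check audits a response's headers for the anti-clickjacking and CSP controls listed above. The header sets it runs against are constructed samples.

```python
"""Audit HTTP response headers for two common gaps: no anti-clickjacking
control (X-Frame-Options / CSP frame-ancestors) and a missing or weak
Content-Security-Policy. Runs offline against constructed header dicts."""
from typing import Dict, List


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into {directive: [source tokens]}."""
    directives: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for the given headers; an empty list means both controls are present."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []
    xfo = h.get("x-frame-options", "").strip().upper()
    csp = parse_csp(h.get("content-security-policy", ""))
    # Clickjacking: either X-Frame-Options DENY/SAMEORIGIN or CSP frame-ancestors is required.
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        findings.append("clickjacking: no X-Frame-Options DENY/SAMEORIGIN and no CSP frame-ancestors")
    # XSS: a CSP must exist and must constrain where scripts may load from.
    if not csp:
        findings.append("xss: Content-Security-Policy header missing")
        return findings
    script_src = csp.get("script-src", csp.get("default-src"))
    if script_src is None:
        findings.append("xss: CSP sets neither script-src nor default-src")
        return findings
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in script_src)
    # Browsers ignore 'unsafe-inline' once a nonce or hash is present (CSP level 2), so only flag it alone.
    if "'unsafe-inline'" in script_src and not has_nonce_or_hash:
        findings.append("xss: script sources allow 'unsafe-inline' without a nonce or hash")
    if "*" in script_src or any(s in ("http:", "https:") for s in script_src):
        findings.append("xss: script sources contain a wildcard host or scheme")
    return findings


# Constructed sample responses (hypothetical; not taken from any assessed application).
WEAK_HEADERS = {"Content-Type": "text/html",
                "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' *"}
HARDENED_HEADERS = {"Content-Type": "text/html", "X-Frame-Options": "DENY",
                    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; frame-ancestors 'none'"}

if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(name, audit_headers(hdrs) or ["ok"])
```

In practice the same function is pointed at the headers returned by each application endpoint during the retest, so the fix can be confirmed per response rather than assumed from a configuration file.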

After the Customer applied the fixes, ScienceSoft retested the apps and validated the successful remediation.

Our team completed the project, including the pentesting and the retest, in just two weeks.

High Security Level Confirmed by a Thorough Pentest

The gray box penetration testing confirmed the effectiveness of the Customer's security controls and provided insights into further security enhancements.

Thanks to its prior knowledge of the Customer's IT ecosystem and an optimal blend of manual and automated testing, ScienceSoft's team performed a comprehensive pentest in just two weeks. The detailed recommendations allowed the Customer to quickly remediate the discovered non-critical vulnerabilities and gain full confidence in the cyber resilience of its web, iOS, and Android applications.

Technologies and Tools

Metasploit, Nessus, Burp Suite, Acunetix, Nmap, SSLScan, WhatWeb, Nikto, DIRB, MobSF, Wireshark, Radare2, Ghidra, Apktool, Jadx, Hopper, Frida, Objection.

Custom scripts in Python, C, and Perl.
