Web Application and Network Pentesting for an Asset Management Company
About Our Customer
The Customer is an award-winning US-based asset management company. It provides services to real estate lenders and investors in 50+ countries across the globe.
Penetration Testing Was Needed To Check Sensitive Data Safety
In the course of its business activities, the Customer stores and transmits large amounts of its clients' information, including personal identifiers and financial details. The company is, therefore, subject to several data security regulations, including GDPR and US states' privacy laws.
To protect the sensitive data it handles and stay compliant, the Customer implements, evaluates, and upgrades its security policies, processes, and technical controls. A few years ago, it added regular penetration testing to its list of risk mitigation measures. The Customer wanted a reliable security testing vendor that would ideally become its long-term partner. It performed a thorough review of potential candidates, with the main criteria being extensive pentesting experience, a SOC 2 attestation or ISO 27001 certification, a sound information security policy, and transparent reporting.
Regular Pentesting Ensured Timely Vulnerability Remediation
An ISO 27001-certified vendor with a solid portfolio of penetration testing projects, ScienceSoft was chosen by the Customer for an independent security checkup of its web app and network in 2020. Satisfied with ScienceSoft's attention to detail and final reports that helped the in-house IT team smoothly fix the detected security issues, the Customer was willing to continue cooperation. In 2021, ScienceSoft performed a series of black box and gray box pentests to see if modifications in the web app and network had caused any new vulnerabilities. With this engagement being a positive experience on both sides, the Customer had no more hesitations about which vendor to contact for the subsequent security testing projects. In 2022, when the time for the regular security checkup came, the Customer requested ScienceSoft's team to perform black box and gray box penetration testing.
To see if a real-world attacker could infiltrate the Customer's IT environment, ScienceSoft's team started with black box testing of the web application and ten public-facing IPs. After that, they were provided with user credentials and conducted gray box penetration testing to get a deeper insight into the web app's security from the position of an authenticated user. Combining automated tools with manual techniques, ScienceSoft's Certified Ethical Hackers worked through the attack scenarios applicable to the targets.
As a result, they were pleased to confirm that the Customer's scrupulous approach to its cyber defense and regular security assessments had paid off: the testing targets contained no critical security flaws. The testers found only several vulnerabilities of low and informational severity, classified against the OWASP Top 10 and scored with CVSS, such as the deprecated TLS 1.1 protocol still being enabled, missing HTTP security headers, and the absence of brute-force protection on authentication. The detected weaknesses were difficult to exploit. In the worst case, an intruder could obtain only non-critical information that would not compromise the web app or network.
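Two of the three findings above (missing security headers and a deprecated TLS version) are the kind of low-severity issue an in-house team can re-check after remediation without a full pentest. The script below is an added example and is not ScienceSoft's or the Customer's code; it audits a captured set of HTTP response headers and the negotiated TLS version against a minimal hardening policy and reports findings on the same low/informational scale the report uses. The header policy, the one-year HSTS minimum, and the two sample responses are assumptions constructed for the example. The third finding, brute-force protection, is not covered because checking it depends on the application's own login flow.

```python
"""Audit HTTP response headers and the negotiated TLS version for the
kind of low/informational findings a web app pentest reports.

Added example, not ScienceSoft's or the Customer's code. The policy
below and the sample responses are constructed assumptions.
"""
import re
from dataclasses import dataclass

# Assumed minimum policy for an app that handles financial data.
REQUIRED_HEADERS = {
    "strict-transport-security": "HSTS missing: HTTPS downgrade possible",
    "content-security-policy": "CSP missing: no mitigation for injected scripts",
    "x-content-type-options": "X-Content-Type-Options missing: MIME sniffing allowed",
    "x-frame-options": "X-Frame-Options missing: clickjacking possible",
    "referrer-policy": "Referrer-Policy missing: URLs may leak to third parties",
}
MIN_HSTS_MAX_AGE = 31536000  # one year (assumed policy; also the preload minimum)
DEPRECATED_TLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


@dataclass(frozen=True)
class Finding:
    severity: str  # "low" or "informational", matching the report's scale
    title: str


def parse_hsts_max_age(value: str):
    """Return the max-age directive of an HSTS header, or None if absent/invalid."""
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            val = val.strip().strip('"')
            return int(val) if val.isdigit() else None
    return None


def audit_headers(headers: dict) -> list:
    # Header names are case-insensitive, so normalise before comparing.
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, msg in REQUIRED_HEADERS.items():
        if name not in h:
            findings.append(Finding("low", msg))
    hsts = h.get("strict-transport-security")
    if hsts is not None:
        max_age = parse_hsts_max_age(hsts)
        if max_age is None or max_age < MIN_HSTS_MAX_AGE:
            findings.append(Finding("low", f"HSTS max-age below {MIN_HSTS_MAX_AGE}s: {hsts!r}"))
    xcto = h.get("x-content-type-options")
    if xcto is not None and xcto.strip().lower() != "nosniff":
        findings.append(Finding("low", f"X-Content-Type-Options has unexpected value {xcto!r}"))
    # A version string in Server is informational: it helps an attacker pick exploits.
    server = h.get("server", "")
    if re.search(r"\d+\.\d+", server):
        findings.append(Finding("informational", f"Server header discloses version: {server!r}"))
    return findings


def audit_tls(negotiated_version: str) -> list:
    """Flag a deprecated protocol, as seen with ssl.SSLSocket.version() or a scanner."""
    if negotiated_version in DEPRECATED_TLS:
        return [Finding("low", f"Deprecated protocol negotiated: {negotiated_version}")]
    return []


def audit(headers: dict, negotiated_version: str) -> list:
    return audit_headers(headers) + audit_tls(negotiated_version)


# Constructed sample: a response with the weaknesses the report describes.
WEAK_RESPONSE = {
    "Server": "nginx/1.18.0",
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=300",
}
WEAK_TLS = "TLSv1.1"

# Constructed sample: the same endpoint after remediation.
HARDENED_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}
HARDENED_TLS = "TLSv1.3"

if __name__ == "__main__":
    for finding in audit(WEAK_RESPONSE, WEAK_TLS):
        print(f"[{finding.severity}] {finding.title}")
```

Run against the weak sample, the audit yields seven findings (four missing headers, a too-short HSTS max-age, a deprecated TLS version, and a version-disclosing Server header); the hardened sample yields none. To check a live host, feed it the headers from an HTTP client response and the version string reported by the TLS socket.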
After completing the testing activities, the team provided detailed reports describing the testing process and findings and the required corrective measures. To further improve the web application's security, ScienceSoft's experts recommended performing security code reviews for each subsequent app version.
Willing to share their cybersecurity knowledge to help achieve the best results, ScienceSoft's pentesters welcomed additional questions from the Customer's IT team on the detected vulnerabilities and the ways of fixing them.
After the Customer eliminated the detected security issues, ScienceSoft performed retesting, which confirmed that each reported weakness had been fixed and that the web application and public-facing IPs were in a sound security state.
High Security Level Confirmed By Attestation Letters
After pentesting and retesting by ScienceSoft, the Customer had independent evidence that, at the time of testing, its web application and public-facing network components contained no exploitable vulnerabilities within the agreed scope. The Customer also received executive reports and attestation letters to demonstrate its security level to auditors and clients.
Technologies and Tools
Burp Suite, Acunetix, Nmap, Dirb, Metasploit, Nessus, Nikto.